Comments (18)
aaah, so with your clue and a little bit of experimentation...
URL/Domain I am logging into:
https://my.thing.example.com
cookie-domain: "example.com"
whitelist-domain: ".thing.example.com"
and this worked!
Yeah, some more documentation would help... It took me all morning to work out that the whitelist-domain was mandatory and that is why everything I was logging into was going to "/". :)
from oauth2-proxy.
We really need to improve the documentation here, apologies!
Can you check which domain the set-cookie
header is being set for when you complete your authentication on the proxy?
I think you might need to set cookie-domain
to match your whitelist-domain
flag, can you try that and see if that helps?
ok, I had a wildcard in for the whitelist but for testing sake to see it work, I just hard coded both cookie-domain and whitelist-domain to the same value... This seems to have made things worse. :)
403 Permission Denied
http: named cookie not present
Yes I believe your findings match our configuration here, I'm out of office right now so can't check unfortunately
If you have some time to update the docs I would appreciate it. The whitelist domain flag is, as you say, mandatory if (and only if) you wish to host the oauth2 proxy on a separate domain to the ones you are protecting. A short guide for using this with the nginx Auth request mode would be good
ok, another question.
The power of having the oauth-proxy on its own domain is that you can have many things use it to login. Is there a way to have per domain ACL on it?
domain1.k8s.example.com
--> allow email domain example2.com
domain2.k8s.example.com
--> Allow email user [email protected], [email protected]
does that make sense? Or do I need to have a separate proxy for each one?
yeah, so I am trying another proxy install for the site I want to have email users:
403 Permission Denied
http: named cookie not present
is what I get, I matched the cookie domain and hostname to be the same.
domain1.k8s.example.com
--> allow email domain example2.com
domain2.k8s.example.com
--> Allow email user [email protected], [email protected]
does that make sense? Or do I need to have a separate proxy for each one?
At present you will need a separate proxy for each one
yeah, so I am trying another proxy install for the site I want to have email users:
403 Permission Denied http: named cookie not present
is what I get, I matched the cookie domain and hostname to be the same.
Can you inspect the responses when setting the cookie and check that the browser is storing the cookie you expect?
Yeah, I had to create another proxy on another domain and match all the settings for the two authentication scopes I was after.
Yeah, some more documentation would help... It took me all morning to work out that the whitelist-domain was mandatory
A bit more logging here would be super helpful. I hit this required setting today as well.
A log.Printf near the end of IsValidRedirect [1] would be super useful after none of the whitelistDomains have returned true.
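The check this thread keeps running into (whitelist-domain deciding where the proxy may send the user after login, a leading dot covering the domain and its subdomains, and the log line suggested above when nothing matches), as an added Go example; this is not oauth2-proxy's own code, and the function names and the sample redirects are assumptions for illustration:

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"strings"
)

// hostMatches reports whether host is allowed by one whitelist entry.
// An entry starting with "." (e.g. ".thing.example.com") matches the bare
// domain and every subdomain; any other entry must match exactly.
func hostMatches(host, entry string) bool {
	host, entry = strings.ToLower(host), strings.ToLower(entry)
	if strings.HasPrefix(entry, ".") {
		return host == strings.TrimPrefix(entry, ".") || strings.HasSuffix(host, entry)
	}
	return host == entry
}

// redirectAllowed accepts a same-site path or an http(s) URL whose host is
// covered by the whitelist. Anything else is rejected and logged, which is the
// hint the commenter above asked for when nothing in the whitelist matches.
func redirectAllowed(redirect string, whitelist []string) bool {
	// A relative path is fine, but "//host" and "/\host" are read by browsers
	// as protocol-relative URLs, so require exactly one leading slash.
	if strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") &&
		!strings.HasPrefix(redirect, "/\\") {
		return true
	}
	u, err := url.Parse(redirect)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return false
	}
	for _, entry := range whitelist {
		if hostMatches(u.Hostname(), entry) {
			return true
		}
	}
	log.Printf("redirect %q rejected: host %q matched none of whitelist-domain %v",
		redirect, u.Hostname(), whitelist)
	return false
}

func main() {
	whitelist := []string{".thing.example.com"} // value from the thread above
	for _, rd := range []string{"https://my.thing.example.com/app", "/local/path",
		"https://evil.example.net/", "//evil.example.net/"} { // constructed samples
		fmt.Printf("%-36s -> %v\n", rd, redirectAllowed(rd, whitelist))
	}
}
```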
Hi,
I have a similar issue
Proxy oauth logs:
GET - "/oauth2/auth" HTTP/1.1 "Go-http-client/1.1" 401 21 0.000
GET - "/oauth2/start?rd=https://my.domain.eu/.well-known/acme-challenge/XXXXXXXX" HTTP/1.1 "Go-http-client/1.1" 302 456 0.000
2019/11/15 13:24:53 oauthproxy.go:830: Cookie "_oauth2_proxy" not present
Ingress controller:
"GET /oauth2/auth HTTP/1.1" 401 21 "http://app.test.eu/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxx" "Go-http-client/1.1" 576 0.001 [XXX-proxy-4180] [] xx.xxx.x.xxx:4180 21 0.000 401 xxxxxxxxxxxxxxxxxxxxxxxxxx
"GET /.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 401 0 "http://app.test.eu/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxx" "Go-http-client/1.1" 0 0.005 [pact-pact-80] [] 13.80.147.2:443 0 0.004 401 xxxxxxxxxxxxxxxxxxxxxxx
I'm using Azure. This is the setup:
Application:
ingress:
  enabled: true
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  hostnames:
    - app.test.eu
  tls:
    enabled: true
Proxy:
values:
  config:
    clientID: xxxxxxxxxxxxxxxxx
    clientSecret: xxxxxxxxxxxxxxxxxxxxxxxxx
    cookieSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    configFile: |
      provider = "azure"
      azure_tenant = "xxxxxxxxxxxxxxxxxxxx"
      email_domains = [ "test.eu" ]
  service:
    port: 4180
  readinessProbe:
    periodSeconds: 240
  extraArgs:
    whitelist-domain: ".test.eu"
    cookie-domain: "test.eu"
  ingress:
    enabled: true
    path: /oauth2
    hosts:
      - app.test.eu
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    tls:
      - hosts:
          - app.test.eu
        secretName: test-tls
I tried multiple combinations and can't figure it out. Any ideas?
@s1apped Try your cookie domain with a . at the beginning, I believe it has to have this to be applicable to subdomains
cookie-domain: ".test.eu"
@JoelSpeed unfortunately it didn't help.
Has anyone been able to fix this? Constantly getting 401 Unauthorized error.
@s1apped -- Were you able to find a work around?
I have tried all kinds of combinations for the cookie-domain and whitelisting, oauth2_proxy keeps throwing the Cookie "_oauth2_proxy" not present
If you are using azure, I would recommend trying the redis session storage mechanism. The cookie storage does not work very well with Azure due to the size of the ID Tokens they generate
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
I am able to reproduce this. We are using the 3.0.0 helm chart
- --cookie-domain=.test.example.com
- --email-domain=*
- --github-team=example
- --provider=github
- --redirect-url=https://oauth.test.example.com
- --upstream=file:///dev/null
- --whitelist-domain=.test.example.com
@drewwells Your redirect-url is invalid, it should point to the OAuth2 Proxy callback eg https://oauth.test.example.com/oauth2/callback
@JoelSpeed
Is there any doc to configure traefik (ingress controller), oauth2-proxy & DEX (OIDC)?
We configured k8s dashboard & oauth2.
Issues are: we are able to redirect and authenticate with DEX & landing again with dashboard login page.
authResponseHeaders:
- X-Forwarded-User
- X-Auth-User
- X-Secret