oauth2-proxy: [Bug] OIDCOptions defaults not used

Expected Behavior

Default values described in the AlphaConfig documentation are used.

Current Behavior

It appears that the default values described in https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/alpha-config#oidcoptions are not used. I see the following error in the logs -

Error redeeming code during OAuth2 callback: could not verify id_token: audience claims [] do not exist in claims

To get the authorization working correctly, I had to explicitly specify the values of emailClaim, userIDClaim and audienceClaims as email, email and aud respectively.

Possible Solution

Steps to Reproduce (for bugs)

Used the following alpha config -

providers:
  - provider: oidc
    clientID: 
    clientSecret: 
    scope: openid profile email offline_access
    id: default
    oidcConfig:
      issuerURL: 
      extraAudiences:
        - test
      groupsClaim: org_id
    loginURLParameters:
      - name: organization
        default:
          - test
    allowedGroups:
      - test
server:
  BindAddress: 0.0.0.0:4180

Context

I am migrating my deployment to use alpha configs in order to use the loginURLParameters feature.

Your Environment

Deployed in Kubernetes.

  • Version used: latest docker image quay.io/oauth2-proxy/oauth2-proxy:latest
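An added illustration of the failure mode, not oauth2-proxy's own code: the audience check is a simplified stand-in written to reproduce the quoted error, and the claim values and client names are constructed.

```go
package main
import "fmt"
// verifyAudience is a simplified stand-in for the check behind the quoted error:
// each name in audienceClaims is looked up in the id_token claims and the first one
// present must hold an allowed audience (clientID plus extraAudiences). An empty
// audienceClaims list looks nothing up, giving "audience claims [] do not exist in claims".
func verifyAudience(claims map[string]interface{}, audienceClaims, allowed []string) error {
	for _, name := range audienceClaims {
		raw, ok := claims[name]
		if !ok {
			continue
		}
		var audiences []string
		switch v := raw.(type) {
		case string: // "aud": "CLIENT"
			audiences = []string{v}
		case []interface{}: // "aud": ["CLIENT", "test"]; non-string entries are ignored
			for _, a := range v {
				if s, ok := a.(string); ok {
					audiences = append(audiences, s)
				}
			}
		}
		for _, got := range audiences {
			for _, want := range allowed {
				if got == want {
					return nil
				}
			}
		}
		return fmt.Errorf("audience %v in claim %q not in allowed list %v", audiences, name, allowed)
	}
	return fmt.Errorf("audience claims %v do not exist in claims", audienceClaims)
}

// withDefaults applies the documented default ["aud"] when the config left the list empty.
func withDefaults(audienceClaims []string) []string {
	if len(audienceClaims) == 0 {
		return []string{"aud"}
	}
	return audienceClaims
}

func main() {
	// Constructed claims for clientID "CLIENT" with extraAudience "test".
	claims := map[string]interface{}{"aud": []interface{}{"CLIENT"}, "email": "user@example.com"}
	allowed := []string{"CLIENT", "test"}
	fmt.Println(verifyAudience(claims, nil, allowed))               // audience claims [] do not exist in claims
	fmt.Println(verifyAudience(claims, withDefaults(nil), allowed)) // <nil>
}
```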

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 18 (11 by maintainers)

Most upvoted comments

Hey folks, had this issue just right now. I figured out what to do to get it working. It seems there are many default options missing. After setting these one can get it running:

server:
  BindAddress: 0.0.0.0:4180
upstreamConfig:
  upstreams:
    - id: CLIENT
      uri: http://CLIENT:8000
      path: /

providers:
  - provider: keycloak-oidc
    id: keycloak
    clientSecret: REDACTED
    clientID: CLIENT
    oidcConfig:
      issuerURL: https://REDACTED/auth/realms/REDACTED
      extraAudiences: 
        - CLIENT
      audienceClaims:
        - aud
      emailClaim: email
      userIDClaim: email
    keycloakConfig:
      roles:
        - CLIENT:ROLE
    scope: "openid profile email"
injectRequestHeaders:
  - name: Remote-User
    values: 
      - claim: email

I’ll check it this evening! Thanks for the quick answer!

I think this is a known bug. There’s some issue with the way we are defaulting the alpha options and then passing that through to the providers. I believe the issue is in the provider code but haven’t had a chance to investigate further.