oauth2-proxy: I can't get Authorization: Bearer to work with version 6.1.1. It works with 5.1.1

I’ve tried for several hours to make it work without success.

I’ve used it with keycloak provider and oidc provider. I’ve tested with echoserver to see the Authorization: Bearer <> header and no luck. I think it’s broken.

I am working to configure authentication for kubernetes dashboard.

    extraArgs:
      provider: 'oidc'
      upstream: http://echoserver.default
      pass-authorization-header: true
      pass-basic-auth: false
      skip-jwt-bearer-tokens: true
      ssl-upstream-insecure-skip-verify: true
      email-domain: '*'
      skip-provider-button: true
      oidc-issuer-url: "https://REDACTED/auth/realms/gpi-infra"
      login-url: "https://REDACTED/auth/realms/gpi-infra/protocol/openid-connect/auth"
      redeem-url: "https://REDACTED/realms/gpi-infra/protocol/openid-connect/token"
      validate-url: "https://REDACTED/auth/realms/gpi-infra/protocol/openid-connect/userinfo"

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 22 (7 by maintainers)

Most upvoted comments

Hmmm - there might be odd interactions with non-oidc providers (you have google set). It was the only Provider where the contributor implemented the CreateSessionStateFromBearerToken.

I’ll need to dig, I believe that is ahead in the middleware chain before the generic extra JWT handlers (that assume OIDC and look for .well-known/openid-configuration). I don’t fully know what the Google provider did with tokens in a bearer session pre-v6 (I’m not a google provider user)

Thanks for the details!

@harshitmahapatra could you provide us which urls you used?

I struggle a lot because I don’t know what I should put in --extra-jwt-issuers. As everyone else I use keycloak and the newest version of oauth2-proxy.

When I don’t use the --extra-jwt-issuers option I’ll get this error: [2021/02/14 10:23:13] [jwt_session.go:51] Error retrieving session from token in Authorization header: [unable to verify bearer token, oidc: expected audience "CLIENT_ID" got ["account"]]

Below is the config I'm currently running.

    config:

    command:
      - --provider=oidc
      - --client-id=CLIENT_ID
      - --client-secret=CLIENT_SECRET
      - --oidc-issuer-url=https://auth.domain.tld/auth/realms/MY_REALM
      - --login-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/auth
      - --redeem-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/token
      - --profile-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/userinfo
      - --validate-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/userinfo
      - --keycloak-group=/admin
      - --pass-basic-auth=false
      - --pass-access-token=true
      - --set-xauthrequest=true
      - --set-authorization-header=true
      - --pass-authorization-header=true
      - --skip-provider-button=true
      - --skip-auth-preflight=true
      - --pass-host-header=true
      - --skip-jwt-bearer-tokens=true
      - --oidc-jwks-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/certs
      - --extra-jwt-issuers=https://auth.domain.tld/auth/realms/MY_REALM

When I switch to version 6.1.1 without --extra-jwt-issuers, I get the following error:

[2021/02/14 10:28:57] [logger.go:508] Error retrieving session from token in Authorization header: unable to verify jwt token: "Bearer MY_ACCESS_TOKEN"

EDIT: // I’ve got it working with latest proxy

Running into this with keycloak, everything latest and greatest:

[2022/04/11 00:44:04] [oauthproxy.go:730] Error creating session during OAuth2 callback: oidc: expected audience "kubernetes-dashboard" got ["account"]

Snippet from the kubernetes deployment:

    spec:
      containers:
      - args:
        #- --upstream="file:///dev/null"
        - --http-address=0.0.0.0:4180
        - --provider=keycloak-oidc
        - --client-id=kubernetes-dashboard
        - --client-secret=<client-secret>
        - --redirect-url=https://dashboard.<domain>/oauth2/callback
        - --oidc-issuer-url=https://keycloak.<domain>/auth/realms/<realm>
        - --provider-ca-file=/etc/ssl/certs/ca-certificates.crt
        - --email-domain=*
        - --insecure-oidc-allow-unverified-email
        - --scope=openid

Is the solution still to use extra-jwt-issuers?

@pavan-pn as it’s a very long time ago, I can’t remember what I’ve done.

But I switched to https://github.com/travisghansen/external-auth-server because with oauth2-proxy it’s not possible to check on every request if an accessToken is valid or not.

I can confirm I got keycloak + v6.1.1 + skip-jwt-bearer-tokens working by removing --oidc-issuer-url from my config and adding --extra-jwt-issuers along with --oidc-jwks-url.

I have a theory what’s happening:

Because keycloak also uses some of the OIDC parameters, it goes down this codepath: https://github.com/oauth2-proxy/oauth2-proxy/blob/4a54c9421c505446168b2463aa9a5a0b24b752ad/pkg/validation/options.go#L78

This results in SetOIDCVerifier being called (which makes the first extra-jwt issuer the provider instead of the generic extras): https://github.com/oauth2-proxy/oauth2-proxy/blob/4a54c9421c505446168b2463aa9a5a0b24b752ad/pkg/validation/options.go#L145

If that’s the case, the first provider in the chain is Keycloak’s CreateSessionStateFromBearerToken: https://github.com/oauth2-proxy/oauth2-proxy/blob/d9c141ae7c88af6e095c513dfcebeede52e95c27/oauthproxy.go#L237

Which isn’t implemented.

As a workaround you can set the OIDC details you want to use to validate your sessions --extra-jwt-issuers (if anything in the chain passes, auth is valid, so it will just move past the Not Implemented).

Long term, a Keycloak user will need to implement CreateSessionStateFromBearerToken and submit a PR. If Keycloak is close to OIDC, the implementation will likely mirror that Provider:

https://github.com/oauth2-proxy/oauth2-proxy/blob/d9c141ae7c88af6e095c513dfcebeede52e95c27/providers/provider_default.go#L120

CC: @JoelSpeed - In case you have any other thoughts since you spearheaded the middleware auth chain refactor.
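The two failure modes in this thread (the `expected audience "CLIENT_ID" got ["account"]` error and the "first verifier in the chain fails, so an --extra-jwt-issuers entry must pass instead" behaviour described above) can be reproduced offline with a small diagnostic. This is added example code, not part of oauth2-proxy or of any comment here; it decodes a bearer token's claims without verifying the signature (so it explains a rejection, it does not authenticate anything) and walks the verifiers in the proxy's order: the provider's own issuer/client-id check first, then each `--extra-jwt-issuers` entry in the flag's documented `issuer=audience` form. The sample token is constructed to look like a Keycloak access token, whose default audience is `account`; the signature is fake.

```python
import base64
import json
import time

def decode_jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT checking its signature.
    Only useful for explaining why a token was rejected, never for accepting it."""
    if token.lower().startswith("bearer "):
        token = token[7:]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def explain_rejection(claims, oidc_issuer_url, client_id, extra_jwt_issuers=(), now=None):
    """Run the checks each verifier in the chain applies (exp, iss, aud) and
    return (verifier, passed, reason) per verifier. The provider's OIDC verifier
    expects aud == client-id; each extra issuer is an 'issuer=audience' pair.
    oauth2-proxy accepts the token if any verifier passes."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # "aud" may be a string or a list
        aud = [aud]
    candidates = [("provider", oidc_issuer_url, client_id)]
    for pair in extra_jwt_issuers:
        issuer, _, audience = pair.partition("=")
        candidates.append(("extra-jwt-issuer", issuer, audience))
    results = []
    for name, issuer, audience in candidates:
        if claims.get("exp", 0) <= now:
            results.append((name, False, "token expired"))
        elif claims.get("iss") != issuer:
            results.append((name, False, f"issuer {claims.get('iss')!r} != {issuer!r}"))
        elif audience not in aud:
            results.append((name, False, f"expected audience {audience!r} got {aud!r}"))
        else:
            results.append((name, True, "ok"))
    return results

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

ISSUER = "https://auth.domain.tld/auth/realms/MY_REALM"   # placeholder issuer from the thread
# Constructed sample: Keycloak-style access token with aud "account" and a fake signature.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"iss": ISSUER, "aud": ["account"], "azp": "CLIENT_ID",
                                  "exp": 4102444800}),
                         "fake-signature"])
```

Running `explain_rejection` on the sample with only the provider configured reproduces the audience error; adding `ISSUER + "=account"` to the extra issuers makes the second verifier pass, which is the workaround discussed above.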

Can also confirm I’m seeing the same issue where provider=keycloak. Version 5.1.0 - 6.0.0 works ok, but version 6.1.1 gives error: Error retrieving session from token in Authorization header: not implemented