oauth2-proxy: login loop using ingress nginx, auth_request always returning 401

Expected Behavior

Go to the ingress hostname for the first time, be greeted with Google login. Select Google account, redirect to application setup to be behind hostname.

Current Behavior

Go to the ingress hostname for the first time, be greeted with Google login. Select Google account… Select Google account… Select Google account.

I can see in ingress nginx that the auth_request requests are always returning a 401.

"/oauth2/auth" HTTP/1.1 "Go-http-client/1.1" 401 21 0.000
2019/02/25 02:37:26 oauthproxy.go:796: 100.97.114.11:35790 ("54.79.36.100") Cookie "_oauth2_proxy" not present

Steps to Reproduce (for bugs)

I am using the helm chart, here is the values.yaml deployed:

config:
  clientID: "asdfasdfasdfasdf.apps.googleusercontent.com"
  clientSecret: "asdf"
  cookieSecret: "asdfasdf=="
  configFile: |-
    pass_basic_auth = false
    pass_access_token = true
    set_authorization_header = true
    pass_authorization_header = true

image:
  repository: "quay.io/pusher/oauth2_proxy"
  tag: "v3.1.0"
  pullPolicy: "IfNotPresent"

extraArgs:
  provider: "google"
  email-domain: "example.com.au"
  whitelist-domain: ".stuff.example.com.au"
  upstream: "file:///dev/null"
  http-address: "0.0.0.0:4180"

authenticatedEmailsFile:
  enabled: false
  template: ""
  restricted_access: ""

ingress:
  enabled: true
  path: /
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
  hosts:
    - oauth2.k8s-url.com.au
  tls:
    - secretName: wildcard.k8s-url.com.au
      hosts:
        - oauth2.k8s-url.com.au

I think I have the ingress annotation config of:

    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2.k8s-url.com.au/oauth2/start?rd=https://$host$request_uri$is_args$args
    nginx.ingress.kubernetes.io/auth-url: https://oauth2.k8s-url.com.au/oauth2/auth
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    #nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    #nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }

I have gone through many iterations to get to this point.

Context

I am trying to use this auth proxy without luck. To me it just looks like the nginx auth-request always returns a 401. I realise this may be an ingress nginx issue but I thought I would start here.

Your Environment

kops 1.11 maintained k8s cluster, k8s version 1.11.6

  • Version used: “v3.1.0”

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 18 (8 by maintainers)

Most upvoted comments

aaah, so with your clue and a little bit of experimentation… URL/Domain I am logging into:

https://my.thing.example.com
cookie-domain: "example.com"
whitelist-domain: ".thing.example.com"

and this worked!

Yeah, some more documentation would help… It took me all morning to work out that the whitelist-domain was mandatory and that is why everything I was logging into was going to “/”. 😃
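
The fix in the comment above comes down to two checks: the browser must send the `_oauth2_proxy` cookie to the protected host (otherwise the auth subrequest logs "Cookie not present" and returns 401), and the `rd` target must match `whitelist-domain`. The following is an added example, not code from oauth2-proxy or from this thread, that models both checks with simplified matching rules. The function names, the proxy hostname `oauth2.example.com` and the whitelist matching rule are assumptions.

```python
from urllib.parse import urlsplit


def _covers(domain, host):
    """RFC 6265-style domain match (simplified): exact host or a subdomain."""
    domain, host = domain.lstrip(".").lower(), host.lower()
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(request_host, set_by_host, cookie_domain=None):
    """Would the browser attach the session cookie to request_host?"""
    if not cookie_domain:
        # No Domain attribute: host-only cookie, returned only to its setter.
        return request_host.lower() == set_by_host.lower()
    # Browsers reject a Domain that does not cover the host setting the cookie.
    return _covers(cookie_domain, set_by_host) and _covers(cookie_domain, request_host)


def redirect_allowed(rd, whitelist):
    """Assumed whitelist-domain model: exact host, or suffix for '.'-prefixed entries."""
    if rd.startswith("/") and not rd.startswith("//"):
        return True  # relative redirect stays on the proxy's own host
    host = (urlsplit(rd).hostname or "").lower()
    return bool(host) and any(
        host == e.lower() or (e.startswith(".") and host.endswith(e.lower()))
        for e in whitelist
    )


def diagnose(app_url, proxy_host, cookie_domain, whitelist):
    """Return the misconfigurations that apply to one protected URL."""
    findings = []
    if not cookie_sent_to(urlsplit(app_url).hostname, proxy_host, cookie_domain):
        findings.append("cookie not sent to app host: auth_request returns 401, login loops")
    if not redirect_allowed(app_url, whitelist):
        findings.append("rd not whitelisted: user lands on '/' after login")
    return findings


if __name__ == "__main__":
    app = "https://my.thing.example.com/"   # host from the comment above
    proxy = "oauth2.example.com"            # constructed proxy hostname (assumption)
    print(diagnose(app, proxy, None, []))
    print(diagnose(app, proxy, "example.com", [".thing.example.com"]))
```
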