oauth2-proxy: Oauth2-proxy login for kubernetes-dashboard not able to pass token

Configuration

oauth2-proxy helm chart values.yaml

config:
  clientID: "b730xxxxxxxxxx"
  clientSecret: "8f34e20110xxxxxxxxxxxxxxxc93a91"
  cookieSecret: "R0tuUlJCN1ZyL2lPaGhmSUpzUHVPVmZqbjFZd0JIQzM="
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
  existingConfig:

extraArgs:
  provider: "github"
  github-org: "myorg"
  github-team: "dashboarduser"
  set-authorization-header: "true"
  cookie-domain: ".devk8s.mylab.local"
  whitelist-domain: ".devk8s.mylab.local"

ingress:
  enabled: true
  path: /oauth2
  hosts:
    - login.devk8s.mylab.local
  extraPaths: []
  annotations:
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     cert-manager.io/cluster-issuer: mylab
  tls:
     - secretName: login-tls
       hosts:
         - login.devk8s.mylab.local

Ingress.yaml for k8s-dashboard

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: mylab
    meta.helm.sh/release-name: dashboard
    meta.helm.sh/release-namespace: kubernetes-dashboard
    nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-email, x-auth-request-user
    nginx.ingress.kubernetes.io/auth-signin: https://login.devk8s.mylab.local/oauth2/start?rd=$scheme://$host$request_uri$is_args$args
    nginx.ingress.kubernetes.io/auth-url: https://login.devk8s.mylab.local/oauth2/auth
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      proxy_set_header Authorization $token;
    service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}'
  creationTimestamp: "2021-05-19T15:55:38Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: dashboard
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/version: 2.2.0
    helm.sh/chart: kubernetes-dashboard-4.1.0
  name: dashboard-kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "1325349"
  selfLink: /apis/extensions/v1beta1/namespaces/kubernetes-dashboard/ingresses/dashboard-kubernetes-dashboard
  uid: 25bfea36-68a0-4b44-9435-398551acec14
spec:
  rules:
  - host: dashboard.devk8s.mylab.local
    http:
      paths:
      - backend:
          serviceName: dashboard-kubernetes-dashboard
          servicePort: 443
        path: /
        pathType: ImplementationSpecific
  tls:
  - secretName: dashboard-tls


Expected Behavior

oauth2-proxy URL: login.devk8s.mylab.local; app (dashboard) URL: dashboard.devk8s.mylab.local

I want that when a user accesses the dashboard URL, they get authenticated via the auth URL (i.e. the oauth2-proxy ingress URL plus their GitHub user), are sent back to the dashboard URL once the authentication process finishes (the usual post-auth redirection), and get read-only access to the Kubernetes dashboard.

Current Behavior

The dashboard.devk8s.mylab.local URL redirects to login.devk8s.mylab.local for authentication; after the GitHub authentication process is done, it returns the kubernetes-dashboard default page, which then asks for a token or kubeconfig. I am expecting it to go straight to the logged-in dashboard.

Possible Solution

Maybe some config is missing in the ingress or dashboard config to pass the bearer token (JWT), or perhaps it is a bug in this version.

Context

I am trying to set up GitHub login for the Kubernetes dashboard with oauth2-proxy, so that users can log in to the Kubernetes dashboard with their GitHub credentials.

Your Environment

  • Version used:
  • ingress-nginx: 0.45.0
  • oauth2-proxy helm chart: oauth2-proxy-5.0.5
  • oauth2-proxy app version: 7.0.1
  • kubernetes: 1.19
  • cert-manager: 1.3.1

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 22 (3 by maintainers)

Most upvoted comments

Managed to make it work with an AAD-enabled (ME-ID 😄) AKS cluster.

Environment:

  • AKS: 1.27.3
  • oauth2-proxy Helm chart: 6.17.0 (with 7.5.0 binaries)

I have tried a huge number of configs but kept getting Unauthorized from k8s-dashboard after successful authentication, until I got to the following config:

oauth2-proxy Helm chart config:

extraArgs:
  provider: oidc
  azure-tenant: [oauth2-proxy-azure-ad-tenant-id]  # Microsoft Entra ID OAuth2 Proxy application Tenant ID
  oidc-issuer-url: https://login.microsoftonline.com/[oauth2-proxy-azure-ad-tenant-id]/v2.0
  user-id-claim: oid
  scope: openid email profile 6dae42f8-4368-4678-94ff-3960e28e3630/user.read
  cookie-csrf-expire: 59m
  cookie-csrf-per-request: true
  cookie-expire: 1h
  cookie-name: _oauth2_proxy
  cookie-refresh: 59m
  pass-access-token: true
  pass-authorization-header: true
  pass-host-header: true
  pass-user-headers: true
  reverse-proxy: true
  set-authorization-header: true
  set-xauthrequest: true
  email-domain: "*"
  upstream: file:///dev/null
  http-address: 0.0.0.0:4180
  silence-ping-logging: true
  session-store-type: redis
  skip-jwt-bearer-tokens: true
  skip-provider-button: true
  
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "2000m"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
...

K8S-Dashboard ingress config:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-body-size: "2000m"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $access_token $upstream_http_x_auth_request_access_token;
      proxy_set_header Authorization "Bearer $access_token";
spec:
...

The main trick is to use the OIDC provider config for Azure AD with the correct scope (thanks to @antgamdia in #1231) and to pass the right token to the dashboard, because by default it sends the ID token, which the dashboard doesn’t like (I also found this explanation in some of the issues).

Also, don’t forget to add Azure Kubernetes Service AAD Server (6dae42f8-4368-4678-94ff-3960e28e3630 this ID is the same for all Azure users) to the API permissions of the application in App registrations.

P.S. Please double-check all config values above; there might be some typos.
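As an added illustration (not code from the issue or from oauth2-proxy), the script below models the difference the comment above hinges on: which bearer token the two configuration-snippet variants on this page forward to the dashboard. The original issue's snippet copies `$upstream_http_authorization`, which oauth2-proxy fills with the ID token when `--set-authorization-header=true`; the working config copies `$upstream_http_x_auth_request_access_token`, which carries the access token when `--pass-access-token` and `--set-xauthrequest` are set. The script decodes a JWT payload without verifying it (only to inspect the `aud` claim, never to trust the token) and reports whether the forwarded token is an ID token (audience = your app's client ID) or an access token (audience = the AKS AAD server ID quoted in the comment). The client ID, the header values and the tokens are constructed placeholders.

```python
import base64
import json
from typing import Dict, Optional

# Constructed placeholder: the oauth2-proxy app registration's client ID (not a real value).
APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
# The AKS AAD server application ID quoted in the comment above (same for all Azure tenants).
AKS_AAD_SERVER_ID = "6dae42f8-4368-4678-94ff-3960e28e3630"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is a diagnostic helper for looking at which token nginx forwards; it must
    never be used to decide whether a request is authenticated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, client_id: str = APP_CLIENT_ID,
                   server_id: str = AKS_AAD_SERVER_ID) -> str:
    """Classify a token by its audience: ID token (aud = our client ID) or
    access token for the AKS AAD server (aud = server app ID)."""
    aud = jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if server_id in audiences or f"api://{server_id}" in audiences:
        return "access_token"
    if client_id in audiences:
        return "id_token"
    return "unknown"


def forwarded_authorization(auth_response_headers: Dict[str, str],
                            use_access_token: bool) -> Optional[str]:
    """Model the two configuration-snippet variants shown on this page.

    use_access_token=False -> proxy_set_header Authorization $upstream_http_authorization
    use_access_token=True  -> proxy_set_header Authorization "Bearer $upstream_http_x_auth_request_access_token"
    """
    if use_access_token:
        tok = auth_response_headers.get("X-Auth-Request-Access-Token")
        return f"Bearer {tok}" if tok else None
    return auth_response_headers.get("Authorization")


def diagnose(auth_response_headers: Dict[str, str], use_access_token: bool) -> str:
    """Report what kind of bearer token the dashboard would receive."""
    header = forwarded_authorization(auth_response_headers, use_access_token)
    if not header or not header.startswith("Bearer "):
        return "no_bearer"
    return classify_token(header[len("Bearer "):])


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed sample JWT with an empty signature, for offline tests only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample of the headers oauth2-proxy's /oauth2/auth endpoint returns to
# nginx (assumption: Authorization carries the ID token, X-Auth-Request-Access-Token
# carries the access token, as the oauth2-proxy flags in the comment imply).
SAMPLE_ID_TOKEN = make_unsigned_jwt({"aud": APP_CLIENT_ID, "oid": "user-oid-placeholder"})
SAMPLE_ACCESS_TOKEN = make_unsigned_jwt({"aud": AKS_AAD_SERVER_ID, "oid": "user-oid-placeholder"})
SAMPLE_AUTH_HEADERS = {
    "Authorization": f"Bearer {SAMPLE_ID_TOKEN}",
    "X-Auth-Request-Access-Token": SAMPLE_ACCESS_TOKEN,
    "X-Auth-Request-Email": "user@example.com",
}

if __name__ == "__main__":
    print("original snippet forwards:", diagnose(SAMPLE_AUTH_HEADERS, use_access_token=False))
    print("fixed snippet forwards:   ", diagnose(SAMPLE_AUTH_HEADERS, use_access_token=True))
```

Run it against the real headers by replacing the constructed dictionary with what `/oauth2/auth` actually returns (for example from ingress-nginx debug logs); if `diagnose(..., use_access_token=True)` reports `no_bearer`, oauth2-proxy is not emitting the access token header at all, which points at the `pass-access-token` / `set-xauthrequest` flags rather than at the dashboard.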

Same issue. I think the documentation on the nginx-ingress website needs to be updated, but I am unable to give the update to the maintainers as I’m not sure how to get things to work. Been on this for a few days trying to get Keycloak to work. https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

Adding this fixed it for me:

  • --set-authorization-header=true