oauth2-proxy: Using --allowed-roles gives 403

Expected Behavior

I have the following configuration:

```
"--provider=keycloak-oidc",
"--client-id=xxxxx",
"--client-secret=xxxx",
"--upstream=xxxxx",
"--oidc-issuer-url=xxxxxx",
"--redeem-url=xxxxxx",
"--redirect-url=xxxxxx",
"--http-address=xxxxx",
"--auth-logging=true",
"--email-domain=*",
"--cookie-secret=xxxx",
"--standard-logging=true",
"--auth-logging=true",
"--request-logging=true",
"--whitelist-domain=xxxxxxx",
"--skip-provider-button=true",
"--skip-jwt-bearer-tokens=true",
"--pass-authorization-header=true",
"--pass-access-token=true",
"--pass-user-headers=true",
"--allowed-role=realm-access-role",
"--cookie-secure=false",
"--scope=openid email profile",
"--skip-auth-route=/health"
```

Current Behavior

Every time I try to hit the endpoints I get a 403, and I am sure that my account has the realm access role.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 5
  • Comments: 20 (9 by maintainers)

Most upvoted comments

Took me a while to debug this, above is the PR to fix the issue. 👍

As @priggad correctly mentioned, the issue is that the groups are not populated (because the roles are not extracted while creating the session).

I’m also having the same issue. I’m running the proxy in a container. When the environment variable `OAUTH2_PROXY_ALLOWED_ROLES` is set to `""` or is not defined at all, the proxy works as expected. If I add a client role to `OAUTH2_PROXY_ALLOWED_ROLES` in the format `client_id:role_name`, as recommended by the documentation, I get a 403 and the same log output as specified by @MoatazAbdallh. I’ve inspected the access token provided by Keycloak and can see this claim: `'resource_access': {'client_id': {'roles': ['role_name']}}`.

I’ve had a look at the source code and the error message originates here: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/oauthproxy.go#L941. I’m not sure, but I suspect the `authorized` variable is being set to false by `p.provider.Authorize(req.Context(), session)` (https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/provider_default.go#L113) because `sessions.SessionState.Groups` has not been set correctly. My reason for thinking this is that the log output is appended with data about the session but doesn’t contain any data on groups, as suggested by this: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/apis/sessions/session_state.go#L104

Just for clarity, my log output:

```
email@domain [2021/12/02 15:19:58] [AuthFailure] Invalid authorization via session: removing session Session{email:email@domain user:keycloakid PreferredUsername:username token:true id_token:true created:2021-12-02 15:19:58.876585694 +0000 UTC m=+4714.765634882 expires:2021-12-02 15:24:58 +0000 UTC}
```
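The two comments above describe the mechanism behind the 403: the `keycloak-oidc` provider is expected to read `realm_access.roles` and `resource_access.<client>.roles` from the token, store them in the session's groups as `role:<name>` and `role:<client>:<name>`, and then `--allowed-role` values are matched against those group entries. If the extraction step never runs, the session has no groups and every allowed-role check fails. The following is an added, simplified reimplementation of that flow written for this page; it is not oauth2-proxy's own code. The token payload, the `extractRoles` and `authorized` helper names, and the `role:` prefix convention are assumptions used for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims models only the two Keycloak claims that carry roles. The JSON tags
// match the claim names quoted in the thread; everything else in the token
// is ignored by the decoder.
type Claims struct {
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
	ResourceAccess map[string]struct {
		Roles []string `json:"roles"`
	} `json:"resource_access"`
}

// samplePayload is a constructed (decoded) Keycloak access-token payload,
// not one captured from the reporter's realm. It carries the realm role from
// the issue and a client role shaped like the one in the second comment.
const samplePayload = `{
  "preferred_username": "username",
  "email": "email@domain",
  "realm_access": {"roles": ["realm-access-role", "offline_access"]},
  "resource_access": {"client_id": {"roles": ["role_name"]}}
}`

// extractRoles flattens realm and client roles into group entries of the form
// "role:<name>" and "role:<client>:<name>". This is the step the thread says
// was missing when the session was created.
func extractRoles(payload []byte) ([]string, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("decoding token claims: %w", err)
	}
	var groups []string
	for _, r := range c.RealmAccess.Roles {
		groups = append(groups, "role:"+r)
	}
	for client, ra := range c.ResourceAccess {
		for _, r := range ra.Roles {
			groups = append(groups, fmt.Sprintf("role:%s:%s", client, r))
		}
	}
	return groups, nil
}

// authorized mirrors the allowed-role check: each configured role is mapped
// to the same "role:" form the session uses, and the request is accepted
// only if the session's groups contain at least one of them. An empty group
// list can never be authorized, which is exactly the 403 from the report.
func authorized(sessionGroups, allowedRoles []string) bool {
	allowed := make(map[string]struct{}, len(allowedRoles))
	for _, r := range allowedRoles {
		allowed["role:"+r] = struct{}{}
	}
	for _, g := range sessionGroups {
		if _, ok := allowed[g]; ok {
			return true
		}
	}
	return false
}

func main() {
	groups, err := extractRoles([]byte(samplePayload))
	if err != nil {
		panic(err)
	}
	fmt.Println("session groups:", groups)

	// Working case: roles were extracted into the session.
	fmt.Println("--allowed-role=realm-access-role:", authorized(groups, []string{"realm-access-role"}))
	fmt.Println("--allowed-role=client_id:role_name:", authorized(groups, []string{"client_id:role_name"}))

	// Failure case from the thread: the session was built without the
	// extraction step, so groups is empty and the check denies the request.
	var emptySession []string
	fmt.Println("no groups in session:", authorized(emptySession, []string{"realm-access-role"}))
}
```

When debugging a 403 of this kind, the quickest check is whether the session log line carries a `groups:` field at all; if it does not, the token's roles never reached the session and no `--allowed-role` value can match, regardless of what the token itself contains.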