[Support]: Oauth2-proxy as proper ExtAuth solution #2832

Open
zeisich opened this issue Oct 30, 2024 · 1 comment
Comments


zeisich commented Oct 30, 2024

OAuth2-Proxy Version

7.7.1

Provider

oidc

Current Behaviour of your Problem

I'm configuring oauth2-proxy as an ext_auth server for Envoy Gateway. Unauthenticated calls to my backend service should trigger the OAuth flow, and authenticated calls should pass through.

Apparently Envoy (and others) expect a 200 response code with an empty body when using the ext_authz protocol, whereas oauth2-proxy returns 202 on the /oauth2/auth endpoint.

Configuration details or additional information

I'm first asking here in case there is another way of making these components properly talk to each other. This could possibly be a feature request to allow customization of the /oauth2/auth endpoint.

Oauth2_proxy.cfg

    skip_provider_button = "false"
    skip_jwt_bearer_tokens = "true"
    email_domains = ["*"]
    reverse_proxy = "true"
    cookie_name = "__Host-oauth2-proxy"
    cookie_csrf_per_request = "true"
    show_debug_on_error = true
    silence_ping_logging = true

Oauth2_config_alpha

    server:
      BindAddress: '0.0.0.0:4180'
    metricsServer:
      BindAddress: '0.0.0.0:44180'

    providers:
      - id: azure
        provider: oidc
        name: Azure
        clientSecret: ${OAUTH2_PROXY_CLIENT_SECRET}
        clientID: <REDACTED>
        scope: "openid email profile offline_access"
        loginURL: "https://login.microsoftonline.com/<REDACTED>/oauth2/v2.0/authorize"
        redeemURL: "https://login.microsoftonline.com/<REDACTED>/oauth2/v2.0/token"
        oidcConfig:
          issuerURL: "https://login.microsoftonline.com/<REDACTED>/v2.0"
          skipDiscovery: true
          jwksURL: "https://login.microsoftonline.com/<REDACTED>/discovery/v2.0/keys"
          emailClaim: sub
          groupsClaim: roles
          audienceClaims:
            - aud

SecurityPolicy

    spec:
      extAuth:
        failOpen: false
        headersToExtAuth:
        - Cookie
        - X-Auth-Request-User
        - X-Auth-Request-Groups
        - X-Auth-Request-Email
        - X-Auth-Request-Preferred-Username
        - X-Forwarded-Proto
        - X-Forwarded-Host
        - X-Forwarded-Uri
        - X-Auth-Request-Access-Token
        http:
          backendRefs:
          - group: ""
            kind: Service
            name: oauth2-proxy
            port: 80
          path: /oauth2/auth
      targetRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: gateway1

Steps To Reproduce

No response

@jjlakis
Contributor

jjlakis commented Jan 6, 2025

Did you try setting upstreams="static://200"?
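The mismatch described in the issue (Envoy's ext_authz HTTP check expects 200 with an empty body, oauth2-proxy's /oauth2/auth answers 202) can also be bridged with a small translating shim in front of oauth2-proxy. The following is an added example, not code from oauth2-proxy or Envoy Gateway; the shim address, the port 4181 and the oauth2-proxy service URL are assumptions. It maps 202 to an empty 200, copies the X-Auth-Request-* identity headers, passes 401/403 through unchanged and fails closed when oauth2-proxy is unreachable.

```go
package main

import (
	"io"
	"log"
	"net/http"
)

// Identity headers that oauth2-proxy sets on /oauth2/auth and that the
// SecurityPolicy in the issue forwards to the backend.
var forwardHeaders = []string{"X-Auth-Request-User", "X-Auth-Request-Email",
	"X-Auth-Request-Groups", "X-Auth-Request-Preferred-Username", "X-Auth-Request-Access-Token"}

// MapAuthStatus translates oauth2-proxy's status into what ext_authz expects:
// 202 (session valid) becomes 200; anything else (401, 403, 5xx) is kept.
func MapAuthStatus(code int) int {
	if code == http.StatusAccepted {
		return http.StatusOK
	}
	return code
}

// NewAuthShim returns a handler that relays the check request to authURL
// (assumed: http://oauth2-proxy/oauth2/auth), maps the status code and copies
// the identity headers, answering with an empty body on success.
func NewAuthShim(authURL string, client *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, authURL, nil)
		if err != nil {
			http.Error(w, "bad auth URL", http.StatusInternalServerError)
			return
		}
		// Only the headers oauth2-proxy needs to evaluate the session are relayed.
		for _, h := range []string{"Cookie", "X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Uri"} {
			if v := r.Header.Get(h); v != "" {
				req.Header.Set(h, v)
			}
		}
		resp, err := client.Do(req)
		if err != nil {
			http.Error(w, "auth backend unreachable", http.StatusBadGateway) // fail closed, never allow
			return
		}
		defer resp.Body.Close()
		for _, h := range forwardHeaders {
			if v := resp.Header.Get(h); v != "" {
				w.Header().Set(h, v)
			}
		}
		status := MapAuthStatus(resp.StatusCode)
		w.WriteHeader(status)
		if status != http.StatusOK {
			io.Copy(w, resp.Body) // keep oauth2-proxy's 401/403 body; 200 must stay empty
		}
	})
}

func main() {
	log.Fatal(http.ListenAndServe(":4181", NewAuthShim("http://oauth2-proxy/oauth2/auth", http.DefaultClient)))
}
```

Point the SecurityPolicy's backendRefs at the shim instead of oauth2-proxy directly; the rest of the policy stays as in the issue.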
