
AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie #2897

Open
@Robinyo

Description

OAuth2-Proxy Version

7.7.1

Provider

oidc

Expected Behaviour

For OAuth2 Proxy to successfully complete the authorization code flow.

Authorisation fails using the following providers:

  • oidc
  • keycloak
  • keycloak-oidc

Current Behaviour

See issue: OIDC Discovery fails

Disable OIDC discovery:

OAUTH2_PROXY_SKIP_OIDC_DISCOVERY: true

Logs:

oauth2-proxy  | [2025/01/01 20:56:39] [proxy.go:89] mapping path "/" => upstream "http://hapi-fhir"
oauth2-proxy  | [2025/01/01 20:56:39] [oauthproxy.go:162] Skipping JWT tokens from configured OIDC issuer: "http://127.0.0.1:5001/realms/hapi-fhir-dev"
oauth2-proxy  | [2025/01/01 20:56:39] [oauthproxy.go:172] OAuthProxy configured for OpenID Connect Client ID: oauth2-proxy
oauth2-proxy  | [2025/01/01 20:56:39] [oauthproxy.go:178] Cookie settings: name:oauth2-proxy secure(https):false httponly:true expiry:10m0s domains: path:/ samesite:lax refresh:after 5m0s

Error:

keycloak      | 2025-01-01 20:58:36,753 TRACE [io.vertx.ext.web.impl.RouterImpl] (vert.x-eventloop-thread-5) Router: 156075576 accepting request POST http://127.0.0.1:5001/realms/hapi-fhir-dev/login-actions/authenticate?session_code=kRphEG2bWz2_2w5spq8SuhkiELlhVbfFrXds4Njnps0&execution=4fb7babe-eb79-4b94-b3c0-e5fc6f74e9db&client_id=oauth2-proxy&tab_id=7e0tgRf3CsU&client_data=eyJydSI6Imh0dHA6Ly8xMjcuMC4wLjE6NDE4MC9vYXV0aDIvY2FsbGJhY2siLCJydCI6ImNvZGUiLCJzdCI6ImQ3RE9CNE9hUkoyd2ZLbF84OEZZREVqT0tvNTVKb2x3dlBGbGlCZjI0bGc6LyJ9
oauth2-proxy  | [2025/01/01 20:58:37] [oauthproxy.go:1312] &{GET /oauth2/callback?state=d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg%3A%2F&session_state=c164223c-9179-4719-bd8a-d3066e057e4a&iss=http%3A%2F%2F127.0.0.1%3A5001%2Frealms%2Fhapi-fhir-dev&code=cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69 HTTP/1.1 1 1 map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[en-GB,en-US;q=0.9,en;q=0.8] Cache-Control:[max-age=0] Connection:[keep-alive] Sec-Ch-Ua:["Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:["macOS"] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36]] {} <nil> 0 [] false 127.0.0.1:4180 map[code:[cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69] iss:[http://127.0.0.1:5001/realms/hapi-fhir-dev] session_state:[c164223c-9179-4719-bd8a-d3066e057e4a] state:[d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg:/]] map[] <nil> map[] 172.18.0.1:56100 /oauth2/callback?state=d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg%3A%2F&session_state=c164223c-9179-4719-bd8a-d3066e057e4a&iss=http%3A%2F%2F127.0.0.1%3A5001%2Frealms%2Fhapi-fhir-dev&code=cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69 <nil> <nil> <nil> 0x4000115530 <nil> [] map[]} AuthFailure No cookies were found in OAuth callback.
oauth2-proxy  |
oauth2-proxy  | [2025/01/01 20:58:37] [oauthproxy.go:888] &{GET /oauth2/callback?state=d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg%3A%2F&session_state=c164223c-9179-4719-bd8a-d3066e057e4a&iss=http%3A%2F%2F127.0.0.1%3A5001%2Frealms%2Fhapi-fhir-dev&code=cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69 HTTP/1.1 1 1 map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[en-GB,en-US;q=0.9,en;q=0.8] Cache-Control:[max-age=0] Connection:[keep-alive] Sec-Ch-Ua:["Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:["macOS"] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36]] {} <nil> 0 [] false 127.0.0.1:4180 map[code:[cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69] iss:[http://127.0.0.1:5001/realms/hapi-fhir-dev] session_state:[c164223c-9179-4719-bd8a-d3066e057e4a] state:[d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg:/]] map[] <nil> map[] 172.18.0.1:56100 /oauth2/callback?state=d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg%3A%2F&session_state=c164223c-9179-4719-bd8a-d3066e057e4a&iss=http%3A%2F%2F127.0.0.1%3A5001%2Frealms%2Fhapi-fhir-dev&code=cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69 <nil> <nil> <nil> 0x4000115530 <nil> [] map[]} AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie: %s (state=%s) CSRF cookie with name 'oauth2-proxy_d7DOB4Oa_csrf' was not found d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg
oauth2-proxy  |
oauth2-proxy  | 172.18.0.1:56100 - ab272d6f-26b4-478c-9cf0-171af9f8ab71 - - [2025/01/01 20:58:37] 127.0.0.1:4180 GET - "/oauth2/callback?state=d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg%3A%2F&session_state=c164223c-9179-4719-bd8a-d3066e057e4a&iss=http%3A%2F%2F127.0.0.1%3A5001%2Frealms%2Fhapi-fhir-dev&code=cb65b2c9-65ad-4df2-816a-4a218b804564.c164223c-9179-4719-bd8a-d3066e057e4a.38ca69e4-14e5-4f40-9ece-5e1dc7c46f69" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" 403 2736 0.003
oauth2-proxy  | 172.18.0.1:56100 - 124bbcae-341f-43d3-833a-d45b149b8e67 - - [2025/01/01 20:58:37] 127.0.0.1:4180 GET - "/oauth2/static/css/bulma.min.css" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" 200 207302 0.002
oauth2-proxy  | 172.18.0.1:56110 - 90abbcdb-5765-4d75-8a25-88f9a1374dbf - - [2025/01/01 20:58:37] 127.0.0.1:4180 GET - "/oauth2/static/css/all.min.css" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" 200 102025 0.001
oauth2-proxy  | 172.18.0.1:56110 - 3958f67f-e32d-47ee-8f62-5a0dea2b9df3 - - [2025/01/01 20:58:37] 127.0.0.1:4180 GET - "/oauth2/static/webfonts/fa-solid-900.woff2" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" 200 149908 0.016
oauth2-proxy  | [2025/01/01 20:58:37] [oauthproxy.go:1024] No valid authentication in request. Initiating login.
oauth2-proxy  | 172.18.0.1:56110 - d4192994-b528-4427-9f42-c28063361731 - - [2025/01/01 20:58:37] 127.0.0.1:4180 GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" 403 8504 0.001
keycloak      | 2025-01-01 20:58:39,786 TRACE [io.vertx.ext.web.impl.RouterImpl] (vert.x-eventloop-thread-7) Router: 1920955707 accepting request GET http://localhost:9000/health/ready

Steps To Reproduce

Navigate to: http://localhost:4180 (screenshot: Screenshot 2025-01-02 at 07 58 04)

Sign in: (screenshot: Screenshot 2025-01-02 at 08 30 59)

Error: (screenshot: Screenshot 2025-01-02 at 07 58 42)

Possible Solutions

No response

Configuration details or additional information

Blog post: https://rob-ferguson.me/add-authn-to-hapi-fhir-with-oauth2-proxy-nginx-and-keycloak-part-2/
Sample project: https://github.com/Robinyo/hapi-fhir-au
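A diagnostic check added here (not part of the issue report or of oauth2-proxy) that decodes the Keycloak `client_data` from the log above, derives the per-login CSRF cookie name the way the logged name `oauth2-proxy_d7DOB4Oa_csrf` suggests, and compares the host the browser started on (`localhost`) with the host that received the callback (`127.0.0.1`). It assumes the cookie settings in the log (no `domains`), under which the CSRF cookie is host-only and a `localhost` cookie is never sent to `127.0.0.1`.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Values copied from the logs and steps in this issue (callback path shortened).
CLIENT_DATA = (
    "eyJydSI6Imh0dHA6Ly8xMjcuMC4wLjE6NDE4MC9vYXV0aDIvY2FsbGJhY2siLCJydCI6ImNvZGUi"
    "LCJzdCI6ImQ3RE9CNE9hUkoyd2ZLbF84OEZZREVqT0tvNTVKb2x3dlBGbGlCZjI0bGc6LyJ9"
)
START_URL = "http://localhost:4180"       # URL the browser was pointed at
CALLBACK_HOST = "127.0.0.1:4180"          # Host seen by oauth2-proxy on /oauth2/callback
CALLBACK_PATH = "/oauth2/callback?state=d7DOB4OaRJ2wfKl_88FYDEjOKo55JolwvPFliBf24lg%3A%2F&code=x"
COOKIE_NAME = "oauth2-proxy"              # from "Cookie settings: name:oauth2-proxy"
COOKIE_DOMAINS = ()                       # "domains:" was empty in the log


def decode_client_data(b64: str) -> dict:
    """Decode Keycloak's base64url client_data into its JSON fields (ru = redirect URI)."""
    padded = b64 + "=" * (-len(b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def csrf_cookie_name(cookie_name: str, state: str) -> str:
    """Name of the per-login CSRF cookie: prefix, first 8 chars of the state nonce, _csrf.
    Assumed from the cookie name printed in the log, not taken from oauth2-proxy source."""
    nonce = state.split(":", 1)[0]        # state is "<nonce>:<redirect path>"
    return f"{cookie_name}_{nonce[:8]}_csrf"


def diagnose(start_url: str, callback_host: str, callback_path: str, client_data: str,
             cookie_name: str, cookie_domains=()) -> dict:
    """Check whether a CSRF cookie set on start_url can reach the callback host at all."""
    state = parse_qs(urlsplit(callback_path).query)["state"][0]
    redirect_uri = decode_client_data(client_data)["ru"]
    set_on = urlsplit(start_url).hostname              # cookie is set when login starts here
    sent_to = urlsplit("//" + callback_host).hostname  # ...and must be sent back here
    # Without a Domain attribute a cookie is host-only: the browser treats localhost
    # and 127.0.0.1 as different hosts even though they are the same machine.
    covered = any(sent_to == d.lstrip(".") or sent_to.endswith(d) for d in cookie_domains)
    return {
        "expected_cookie": csrf_cookie_name(cookie_name, state),
        "cookie_set_on": set_on,
        "callback_host": sent_to,
        "redirect_uri": redirect_uri,
        "host_mismatch": set_on != sent_to and not covered,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(START_URL, CALLBACK_HOST, CALLBACK_PATH, CLIENT_DATA,
                              COOKIE_NAME, COOKIE_DOMAINS), indent=2))
```

A `host_mismatch` of `True` points at the browser URL, the redirect URI and any `--cookie-domain` setting disagreeing about the host; the fix is to use the same hostname for all three.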
