
I currently run a frontend with a backend API pool in my Kubernetes cluster. Both services are secured via an oauth2-proxy. For the frontend, the auth workflow is done by users entering their credentials, and therefore every frontend-backend communication is secured.

Additionally, an automated service (CI/CD) must also connect to the API. I have read that OAuth can also handle basic auth client username/secret authentication, but I cannot get the flow to work. I have the credentials of my SSO provider and retrieve the access_token like this:

curl --header 'Content-Type: application/x-www-form-urlencoded' --header 'Authorization: Basic user:secret(base64encoded)' --request POST https://sso.provider.com/as/token.oauth2\?'grant_type=client_credentials'

With my setup like:

api-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sd-ingress
  annotations:
    # nginx.ingress.kubernetes.io/auth-signin: https://example.net/oauth2/start?rd=$scheme://$host$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://example.net/oauth2/auth
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"    
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/use-forwarded-headers: "false"
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    
spec:
  ingressClassName: nginx
  tls:
    - hosts:
      - example.com
  rules:
  - host: example.com
    http:
      paths:
      - path: /api(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: sd-svc
            port:
              number: 8080

oauth2-config.yaml (excerpt)

...
        args:
          - --skip-jwt-bearer-tokens=true
          - --show-debug-on-error=true
          - --http-address=0.0.0.0:4180
          - --provider=oidc
          - --oidc-issuer-url=https://sso.provider.com
          - --metrics-address=0.0.0.0:44180
          - --acr-values=gas:strong
          - --cookie-domain=example.net
          - --oidc-email-claim=sub
          - --whitelist-domain=.example.net
          - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name:  oauth2-secret
              key: client-id
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name:  oauth2-secret
              key: client-secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name:  oauth2-secret
              key: cookie-secret
...

It does not work when curling the API:

curl --location --request GET 'https://example.net/api/get_queue' --header 'Authorization: Bearer <Token>' --header 'Content-Type: application/json; charset=utf-8'

The oauth logs:

[2022/10/25 11:32:03] [jwt_session.go:51] Error retrieving session from token in Authorization header: no valid bearer token found in authorization header

-- Version used: oauth2-proxy:v7.3.0

Bennimi
  • Did you ever get this solved? I'm having the same issue. – zenalc Mar 21 '23 at 00:57
  • Sadly, no. It does not seem to be provided out of the box. I am using a different route with basic auth in my Kubernetes setup to make it work. – Bennimi Mar 21 '23 at 10:21

0 Answers
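Added diagnostic, not part of the question or of oauth2-proxy: the "no valid bearer token found" log line is what the proxy emits when the Authorization header does not carry a JWT it can validate, so the first thing to check is whether the client_credentials access_token is a JWT at all and whether its claims line up with the proxy config above (issuer https://sso.provider.com, email taken from the sub claim). The sample token and claim values are constructed; signature verification against the issuer's keys is deliberately out of scope.

```python
import base64
import json
import time

# Issuer copied from the question's --oidc-issuer-url flag.
OIDC_ISSUER_URL = "https://sso.provider.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def inspect_bearer_token(token: str, issuer: str = OIDC_ISSUER_URL, now=None) -> dict:
    """Classify a bearer token the way the proxy's JWT path would see it.

    Returns is_jwt, the decoded header/claims and a list of problems found.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # Opaque access tokens have no JWS structure; the proxy cannot validate them.
        return {"is_jwt": False, "problems": ["not a three-part JWS (opaque token?)"]}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 padding and non-JSON segments
        return {"is_jwt": False, "problems": ["header/payload are not base64url JSON"]}
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg=none: unsigned token")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match {issuer!r}")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        problems.append("token expired")
    # aud is what the proxy compares to its client id; sub is what --oidc-email-claim=sub reads.
    for claim in ("aud", "sub"):
        if claim not in claims:
            problems.append(f"missing {claim!r} claim")
    return {"is_jwt": True, "header": header, "claims": claims, "problems": problems}


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped token for offline tests (dummy signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.ZHVtbXk"
```

Run it against the real token from the curl call to the token endpoint; a non-JWT result or an issuer mismatch explains the proxy log without any change to the Ingress.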