
I use Ingress Nginx in my kubernetes cluster. I use Keycloak to manage users and groups, and oauth2-proxy. I filter access to some resources like:

User must belong to group1 to access my.app.com/resources/group1/page.html

I'm able to enforce group checking with this ingress, works as expected:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/auth-url: "https://###/oauth2/auth?allowed_groups=group1"
    nginx.ingress.kubernetes.io/auth-signin: "https://###/oauth2/start?rd=$escaped_request_uri"
  name: app
spec:
  ingressClassName: nginx
  rules:
  - host: ###
    http:
      paths:
      - path: /resources/group1/(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              number: 80

I would have to duplicate this ingress for every group, and for every new group added later... I'm looking for a way to input the group as a parameter from the path to auth-url. I tried:

    nginx.ingress.kubernetes.io/auth-url: "https://###/oauth2/auth?allowed_groups=$3"
...
      - path: /resources(/|$)((\w*)(/|$)(.*))

But when I inspect the requests sent to oauth2, allowed_groups is empty. Tried with $2, $3, $4... it seems I just can't use the regex in this annotation.

How can I do it?


1 Answer

With the Keycloak auth provider, the OAuth2 Proxy --allowed-group flag makes it possible to specify which groups are permitted, so that authorization is limited by group membership.

Please create the required client scope, groups, by following the steps below to authorize on Keycloak group membership with OAuth2 Proxy.

  • Create a new Client Scope with the name groups in Keycloak.
  • Include a mapper of type Group Membership.
  • Set the Token Claim Name to groups or customize by matching it to the --oidc-groups-claim option of OAuth2 Proxy.
  • If the Full group path option is selected, please include a "/" separator in the group names defined in the --allowed-group option of OAuth2 Proxy.

Example: "/groupname" or "/groupname/group1".

After creating the Client Scope named groups, please attach it to the client as follows:

Clients -> <your client's id> -> Client scopes -> Add client scope -> Select groups and choose Optional.

This maps group memberships into the JWT tokens so that OAuth2 Proxy may evaluate them. The OAuth2 Proxy option --allowed-group=/groupname will now allow filtering on group membership.

The above information is derived from the documentation.
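To make the membership rule concrete, here is an added example (not the answer's, not oauth2-proxy's own code) that models how the groups claim from a Keycloak-issued token is checked against an allowed list: the claim named by --oidc-groups-claim must contain at least one entry from --allowed-group, compared verbatim, which is why the leading "/" matters when Full group path is enabled. The HS256 key, token and claims are constructed for the demo; real Keycloak tokens are RS256-signed and verified against the realm's JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example only (real tokens are RSA-signed
# by the Keycloak realm and verified by oauth2-proxy via the OIDC JWKS).
DEMO_KEY = b"example-hs256-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given sample claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verified_claims(token: str):
    """Return the payload only if the signature checks out, else None.
    Claims from an unverified token must never drive an access decision."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def group_allowed(token: str, allowed_groups: list, groups_claim: str = "groups") -> bool:
    """Allow if any entry of the groups claim (--oidc-groups-claim) is listed
    in allowed_groups (--allowed-group). Entries are matched verbatim, so with
    Keycloak's Full group path the allowed list must use '/group1' not 'group1'."""
    claims = verified_claims(token)
    if claims is None:
        return False
    member_of = claims.get(groups_claim, [])
    if isinstance(member_of, str):  # tolerate a single-valued claim
        member_of = [member_of]
    return any(g in allowed_groups for g in member_of)
```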

  • Thanks for looking into this, although the Keycloak configuration is already working for me. I have the setting : `nginx.ingress.kubernetes.io/auth-url: "https://###/oauth2/auth?allowed_groups=group1"` working great for group1, but I want to avoid hard-coding the group name in the ingress rules. Right now, I have to duplicate this ingress for every group, I'm looking for a way to input allowed_groups depending on the requested url. – peppie Mar 17 '23 at 12:46
  • is your issue resolved? let me know if you need any additional help. – Kiran Kotturi Mar 27 '23 at 07:11
  • So far I haven't found any solution to use regex patterns in the auth-url parameter. My only work around is to duplicate my ingress resource and hard-code groups in the yaml files. – peppie Mar 27 '23 at 11:42
  • Instead of a value, can you please try as mentioned in this document https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints/#auth allowed_groups: comma separated list of allowed groups – Kiran Kotturi Mar 28 '23 at 12:44
  • Yes this is what I am doing currently and it works as expected. My issue is that I have a different ingress resource for each group, I'm trying to have only one ingress resource by passing the group as a parameter. I believe the issue is more about nginx-ingress regex than keycloak actually. – peppie Mar 29 '23 at 13:22