I configured OAuth2 Proxy as a sidecar container to an external-facing application that is hosted at https://my-domain.com/subpath.

OAuth2 Proxy's default provider button (see green button below) is redirecting me to https://my-domain.com/oauth2 instead of https://my-domain.com/subpath/oauth2 when clicking "Sign in".

When setting --skip-provider-button=false, I can partially make my setup work because I am immediately redirected to my IDP without having to interfere with the OAuth2 templates. But this is kind of hacky: e.g., when my CSRF token expires, I still want to be able to navigate to the correct URL by clicking the button below.

So how can I make all my OAuth2 Proxy's template buttons (e.g. Sign in) work?

[Image: green template buttons redirecting to /oauth2]

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header 'X-Forwarded-Uri' $request_uri;
       proxy_set_header 'X-Auth-Request-Redirect' $request_uri;
spec:
  rules:
    - host: my-domain.com
      http:
        paths:
          - path: /subpath(/|$)(.*)
            pathType: Prefix
            backend:
              service:
                name: service
                port:
                  name: http
---
apiVersion: v1
kind: Service
metadata:
  name: service
spec:
  ports:
    - name: http
      port: 8080
      protocol: TCP
      targetPort: http
  selector:
    select: deployment
  type: ClusterIP
---
# sidecar in deployment:
[...]
containers:
  - name: app
    image: nodered/node-red
    ports:
    - containerPort: 1880
      protocol: TCP
      name: http-intern
    resources: {}
  - name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
    args:
    - --client-id=xxx
    - --client-secret=xxx
    - --cookie-secret=xxx
    - --http-address=0.0.0.0:8809
    - --cookie-domain=my-domain.com
    #- --proxy-prefix=/oauth2
    - --cookie-httponly=true
    - --cookie-name=xxx.token
    - --cookie-samesite=lax
    - --cookie-secure=true
    - --oidc-issuer-url=https://xxx/auth/realms/xxx
    - --provider=oidc
    - --redirect-url=https://my-domain.com/subpath/oauth2/callback
    - --request-logging
    - --reverse-proxy=true
    - --upstream=http://127.0.0.1:1880
    - --skip-provider-button=true
    - --session-cookie-minimal=true
    - --silence-ping-logging=true
    - --whitelist-domain=my-domain.com
    - --email-domain=*
    ports:
    - containerPort: 8809
      protocol: TCP
      name: http
    resources: {}
[...]

I know that the OAuth2 Proxy templates take --proxy-prefix into account, but I couldn't make it work smoothly. I think this is a common requirement and I wonder what I am doing wrong.

Yannic Hamann

0 Answers