I am a newbie sysadmin and have to work on an existing server infrastructure. Therefore, please excuse me in advance if this question is difficult to understand.
The setup consists of several servers running Docker containers and managed via Ansible. I use Ansible to enable SSO using Keycloak for several web apps on the same server. This is as easy as adding the following directive to the playbook:
auth_keycloak: yes
Let's say we have two SSO-enabled apps: app1.example.com and app2.example.com.
When connecting to app1.example.com, you will be redirected to auth.example.com, where Keycloak resides, and after successful authentication you will be redirected back to app1.example.com and logged in.
Authentication works fine for both apps separately. However, when you first authenticate for app1 and then try app2, you will get:
We are sorry... Access denied to this client for this user. Please contact your system administrator.
If you delete the auth.example.com cookies and try again, it authenticates normally.
Given the above, does anyone have any idea where and what to look for to fix this?
I don't know where to start, but if it helps, here's what the oauth2-proxy configuration looks like:
# HTTP configuration
OAUTH2_PROXY_HTTP_ADDRESS: ":8080"
OAUTH2_PROXY_PROXY_PREFIX: "/{{ auth_keycloak_proxy_prefix }}"
OAUTH2_PROXY_REVERSE_PROXY: "true"
OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: "false" # do not show sensitive debug messages to users on failure
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # skip dedicated login page
OAUTH2_PROXY_EMAIL_DOMAINS: "*" # allow all domains (authorization check is made at Keycloak, not here)
# Cookie configuration
OAUTH2_PROXY_COOKIE_EXPIRE: 2h0m0s
OAUTH2_PROXY_COOKIE_HTTPONLY: "true"
OAUTH2_PROXY_COOKIE_NAME: "__Host-oauth2_proxy"
OAUTH2_PROXY_COOKIE_REFRESH: "0"
OAUTH2_PROXY_COOKIE_SAMESITE: lax
OAUTH2_PROXY_COOKIE_SECRET: "{{ auth_keycloak_secrets.secrets.cookie_secret }}"
OAUTH2_PROXY_COOKIE_SECURE: "true"
OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST: "true"
OAUTH2_PROXY_COOKIE_CSRF_EXPIRE: "5m"
# Header configuration
OAUTH2_PROXY_PASS_ACCESS_TOKEN: "false" # do not pass header with OAuth access token
OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: "false" # do not pass header with OIDC IDToken
OAUTH2_PROXY_PASS_USER_HEADERS: "true" # pass headers like User, Email, …
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true"
OAUTH2_PROXY_SET_XAUTHREQUEST: "true" # add headers with user info to response (to nginx)
# OIDC provider configuration
OAUTH2_PROXY_PROVIDER: keycloak-oidc
OAUTH2_PROXY_CLIENT_ID: "{{ auth_keycloak_client_id }}"
OAUTH2_PROXY_CLIENT_SECRET: "{{ auth_keycloak_secrets.secrets.client_secret }}"
OAUTH2_PROXY_REDIRECT_URL: "{{ auth_keycloak_redirect_uri }}"
OAUTH2_PROXY_OIDC_ISSUER_URL: "{{ auth_keycloak_server_base_uri }}"
OAUTH2_PROXY_ALLOWED_ROLE: "{{ auth_keycloak_client_id }}:restricted_access"
# Redis configuration
OAUTH2_PROXY_SESSION_STORE_TYPE: redis
OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis
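To see what the OAUTH2_PROXY_ALLOWED_ROLE line in the configuration above is actually evaluated against, here is an added Python example; it is not part of the original post and not oauth2-proxy's own code. It decodes a Keycloak token payload and applies the rule that oauth2-proxy documents for the keycloak-oidc provider's allowed-role option (a value of the form client:role is looked up under resource_access.<client>.roles, a bare role name under realm_access.roles); that rule and the helper names are my assumption, and the token contents are constructed for the demo. The decoder deliberately skips signature verification, so it is only for inspecting a token you have already obtained (for example from the proxy's debug log or the Keycloak admin console), never for making an authorization decision.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Inspection only: this tells you what Keycloak put in the token, it does not
    tell you the token is genuine. Never use it for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def token_roles(claims: dict, client_id: Optional[str] = None) -> set:
    """Roles for one client (resource_access.<client>.roles) or, with no
    client_id, the realm roles (realm_access.roles). Missing claims yield an
    empty set rather than an exception, which is what you want when a token was
    minted for a client that has no roles at all."""
    if client_id is None:
        return set(claims.get("realm_access", {}).get("roles", []))
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def allowed_by_role(claims: dict, allowed_role: str) -> bool:
    """Assumed mirror of oauth2-proxy's keycloak-oidc allowed-role check:
    'client:role' is a client role, a bare 'role' is a realm role."""
    if ":" in allowed_role:
        client_id, role = allowed_role.split(":", 1)
        return role in token_roles(claims, client_id)
    return allowed_role in token_roles(claims)


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none token (empty signature) purely so the demo has a
    realistic three-segment string to decode."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims, shaped like a Keycloak token: the user holds
# restricted_access as a client role of app1 only, plus two default realm roles.
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.com/realms/example",
    "sub": "00000000-0000-4000-8000-000000000001",
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "app1": {"roles": ["restricted_access"]},
        "app2": {"roles": []},
    },
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)


def check(token: str, allowed_role: str) -> bool:
    """Decode a token and evaluate one allowed-role rule against it."""
    return allowed_by_role(decode_claims(token), allowed_role)


if __name__ == "__main__":
    for rule in ("app1:restricted_access", "app2:restricted_access", "offline_access"):
        verdict = "allowed" if check(SAMPLE_TOKEN, rule) else "denied"
        print(f"{rule:24s} -> {verdict}")
```

Run it against a real token by replacing SAMPLE_TOKEN with the ID token Keycloak issued for the client you are debugging, and the value of OAUTH2_PROXY_ALLOWED_ROLE as the rule: if the role is missing under the client named in the rule, the proxy will refuse the session regardless of what Keycloak itself decided.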