Unable to find a valid CSRF token. Version 7.4.x (latest) #1937

Closed
william-bohannan opened this issue Dec 18, 2022 · 17 comments
@william-bohannan

Expected Behavior

Looking for a 200 response after a successful login

Current Behavior

Getting a 403 response: "Unable to find a valid CSRF token" and in Nginx logs: AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie

Possible Solution

I have read the manual and the logs, looked online, and tried secure / insecure and all the options in oauth2-proxy; nothing seems to fix it.

Steps to Reproduce (for bugs)

Happens every time I try (with the below configuration / run command).

Context

Very new to oauth2-proxy.

Your Environment

  • Ubuntu 22.04
  • Oauth2-Proxy Version used: v7@latest, installed today

Oauth2 Proxy

/root/go/bin/oauth2-proxy
--email-domain=*
--skip-provider-button=true
--cookie-samesite=lax
--cookie-secret=changeme=
--cookie-secure=false
--provider=github
--reverse-proxy=true
--footer=-
--banner=-
--client-id=changeme
--client-secret=changeme
--scope=read
--redirect-url=https://oauth2.example.com/oauth2/callback

Nginx

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name status.example.com;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

root /data/web/status.example.com/html;
index index.html index.htm index.php;

location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Scheme                $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
    # or, if you are handling multiple domains:
    # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
}

location /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Scheme         $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length   "";
    proxy_pass_request_body           off;
}

location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user   $upstream_http_x_auth_request_user;
    auth_request_set $email  $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    # if you enabled --pass-access-token, this will pass the token to the backend
    auth_request_set $token  $upstream_http_x_auth_request_access_token;
    proxy_set_header X-Access-Token $token;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }

    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;
        add_header Set-Cookie $auth_cookie_name_1;
    }

    try_files $uri $uri.html $uri/ @extensionless-php;
    # auth_basic           "RMN Members";
    # auth_basic_user_file /data/web/status.rainbowmobilenetworks.com/.htpasswd; 
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
}

location @extensionless-php {
    rewrite ^(.*)$ $1.php last;
}

location ~ /\.ht {
    deny all;
}    

}

@william-bohannan
Author

resolved...

/root/go/bin/oauth2-proxy
--redirect-url=https://hidden/oauth2/callback
--client-id=hidden
--client-secret=hidden
--cookie-secret=hidden =
--provider=github
--scope "user:email"
--email-domain=*
--skip-provider-button=true
--session-store-type=cookie
--cookie-samesite=lax
--cookie-secure=false
--reverse-proxy=true
--footer=-
--banner=-
--pass-access-token=true
--pass-authorization-header=true
--cookie-csrf-per-request=true
--cookie-csrf-expire=5m
--cookie-refresh=5m
--set-xauthrequest=true
--set-authorization-header=false
--skip-auth-preflight=true

@Abhishek627

--cookie-csrf-per-request=true
--cookie-csrf-expire=5m
Is it resolved by using these flags, @william-bohannan?

@william-bohannan
Author

william-bohannan commented Dec 19, 2022

Hi @Abhishek627, yes, I think it was those two options. Now moving on to the multi-domain scenario.

@rshiva777

rshiva777 commented Jan 5, 2023

@william-bohannan,
I have added the parameters that are mentioned, but I see an error in the logs:
Error: AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie

172.17.0.1 - c3c97ea9-c841-4362-9a24-0a2b59e6a132 - - [2023/01/05 14:43:54] 172.17.0.13:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.23" 200 2 0.000
172.17.0.1 - e0911746-a16c-4dd5-8b30-8d711fba4c14 - - [2023/01/05 14:43:54] 172.17.0.13:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.23" 200 2 0.000
[2023/01/05 14:43:58] [oauthproxy.go:816] &{GET /oauth2/callback?code=aef43545fd4f4fba2945&state=oojNlmUalE1IEw-j3tgMMrTuminC4w1tVVOAAckfBgs%3A%2F HTTP/1.1 1 1 map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate] Accept-Language:[en-US,en;q=0.9] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36] X-Forwarded-For:[172.17.0.1] X-Forwarded-Host:[nginxnew.test.shiva.com] X-Forwarded-Port:[80] X-Forwarded-Proto:[http] X-Forwarded-Scheme:[http] X-Real-Ip:[172.17.0.1] X-Request-Id:[a666ef437dd95a946dd62fab4873f02a] X-Scheme:[http]] {} <nil> 0 [] false nginxnew.test.shiva.com map[code:[aef43545fd4f4fba2945] state:[oojNlmUalE1IEw-j3tgMMrTuminC4w1tVVOAAckfBgs:/]] map[] <nil> map[] 172.17.0.9:33238 /oauth2/callback?code=aef43545fd4f4fba2945&state=oojNlmUalE1IEw-j3tgMMrTuminC4w1tVVOAAckfBgs%3A%2F <nil> <nil> <nil> 0xc0000a9230} **AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie**

172.17.0.1 - a666ef437dd95a946dd62fab4873f02a - - [2023/01/05 14:43:58] nginxnew.test.shiva.com GET - "/oauth2/callback?code=aef43545fd4f4fba2945&state=oojNlmUalE1IEw-j3tgMMrTuminC4w1tVVOAAckfBgs%3A%2F" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" 403 2650 0.002



172.17.0.1 - 3b40ed84-c295-4bca-81b7-6bbdddec4356 - - [2023/01/05 14:44:04] 172.17.0.13:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.23" 200 2 0.000

And on the webpage I am getting the below error:
[screenshot]

args used:
- --http-address=0.0.0.0:4180
- --https-address=0.0.0.0:4443
- --metrics-address=0.0.0.0:44180
- --email-domain=*
- --provider=github
- --redirect-url=http://nginxnew.test.shiva.com/oauth2/callback
- --config=/etc/oauth2_proxy/oauth2_proxy.cfg
- --reverse-proxy=true
- --set-xauthrequest=true
- --set-authorization-header=false
- --cookie-csrf-per-request=true
- --cookie-csrf-expire=5m
- --cookie-samesite=lax
- --pass-access-token=true
- --pass-authorization-header=true
- --cookie-refresh=5m
- --scope="user:email"
- --skip-provider-button=true
- --session-store-type=cookie
- --cookie-samesite=lax
- --footer=-
- --banner=-
- --skip-auth-preflight=true
- --cookie-domain=.test.shiva.com
- --whitelist-domain=.test.shiva.com

@rshiva777

rshiva777 commented Jan 5, 2023

In the above case I didn't add the --cookie-secure=false parameter to oauth2-proxy.

If I add the --cookie-secure=false parameter, I am getting the below error during login:
Error: Error creating session during OAuth2 callback: unexpected status "404": {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}

7.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" 302 306 0.000
172.17.0.1 - 901baa63-0fd3-4ce4-8f1e-5eef22c2dd0c - - [2023/01/05 14:47:22] 172.17.0.7:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.23" 200 2 0.000
172.17.0.1 - 555e9cdc-71bd-4140-abd8-8aa1ec2bc93f - - [2023/01/05 14:47:22] 172.17.0.7:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.23" 200 2 0.000
[2023/01/05 14:47:28] [oauthproxy.go:830] Error creating session during OAuth2 callback: unexpected status "404": {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}
172.17.0.1 - 77fab05a5eb4a965484e2d49f4e863fd - - [2023/01/05 14:47:25] nginxnew.test.shiva.com GET - "/oauth2/callback?code=95d1d4be278e46bbb499&state=HZn_2fKcFbZaUcTYw0xJXZFGhyfwyhcouKH1bQPfTzs%3A%2F" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" 500 2691 2.837
172.17.0.1 - 40f10d1d-8f8c-4c66-8386-f210313a0836 - - [2023/01/05 14:47:32] 172.17.0.7:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.23" 200 2 0.000

Getting the below error on the webpage:
[screenshot]

@miguelborges99
Contributor

miguelborges99 commented Jan 7, 2023

@rshiva777 Maybe your issue is related to #1724, see this comment.
You are using a config file,

- --config=/etc/oauth2_proxy/oauth2_proxy.cfg

I think you need to add this entry in the oauth2_proxy.cfg

scope = "user:email"

I also notice that you are using an HTTP (and not an HTTPS; I advise you to use this more secure option) URL in the redirect_url,

- --redirect-url=http://oauth2.test.shiva.com/oauth2/callback

so, with HTTP this will only work with the option

--cookie-secure=false
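
A way to check the point made in this comment before touching the browser's developer tools, as an added example that is not oauth2-proxy's code and not part of the original thread: the function below applies the RFC 6265 rules a browser uses to decide whether a stored cookie accompanies a request (Secure vs. scheme, Domain or host-only matching, Path) plus the SameSite rule for the callback, which arrives as a top-level GET navigation redirected from the identity provider. Field names mirror the oauth2-proxy flags --cookie-secure, --cookie-domain, --cookie-path and --cookie-samesite; the sample configurations at the bottom are constructed from the command line rshiva777 posted above (http redirect URL, default cookie-secure, --cookie-domain=.test.shiva.com).

```python
"""Will the browser attach oauth2-proxy's CSRF cookie to the /oauth2/callback request?

Added example, not oauth2-proxy code. It applies the RFC 6265 rules a browser uses
when deciding whether a stored cookie accompanies a request (Secure, Domain, Path)
and the SameSite rule for the callback, which reaches the proxy as a top-level GET
navigation redirected from the identity provider (a cross-site request).
Field names mirror the oauth2-proxy flags --cookie-secure, --cookie-domain,
--cookie-path and --cookie-samesite; the sample configurations at the bottom are
constructed from the command lines posted in this thread.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CsrfCookie:
    set_on_host: str          # host that served /oauth2/start and set the cookie
    secure: bool = True       # --cookie-secure (oauth2-proxy default: true)
    domain: str = ""          # --cookie-domain; "" makes it a host-only cookie
    path: str = "/"           # --cookie-path
    samesite: str = "lax"     # --cookie-samesite: "", "lax", "strict" or "none"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    d = cookie_domain.lower().lstrip(".")
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path is a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def reasons_csrf_cookie_not_sent(cookie: CsrfCookie, callback_url: str) -> list[str]:
    """Return why the cookie would NOT accompany callback_url; an empty list means it is sent."""
    u = urlsplit(callback_url)
    host = (u.hostname or "").lower()
    reasons: list[str] = []
    if cookie.secure and u.scheme != "https":
        reasons.append(f"Secure cookie is never sent over {u.scheme}://; serve the callback "
                       "over https or set --cookie-secure=false")
    if cookie.domain:
        if not domain_matches(host, cookie.domain):
            reasons.append(f"--cookie-domain={cookie.domain} does not cover callback host {host}")
    elif host != cookie.set_on_host.lower():
        reasons.append(f"host-only cookie set on {cookie.set_on_host} is not sent to {host}; "
                       "use the same host for /oauth2/start and /oauth2/callback or set --cookie-domain")
    if not path_matches(u.path or "/", cookie.path):
        reasons.append(f"--cookie-path={cookie.path} does not match {u.path}")
    # The IdP redirects the browser back with a top-level GET navigation. Lax (and the
    # Lax-by-default that browsers apply when the attribute is empty) allows that; Strict does not.
    ss = cookie.samesite.lower()
    if ss == "strict":
        reasons.append("SameSite=Strict cookies are withheld on the cross-site redirect back "
                       "from the identity provider; use --cookie-samesite=lax")
    if ss == "none" and not cookie.secure:
        reasons.append("SameSite=None without Secure is rejected by browsers")
    return reasons


# Constructed from the thread: rshiva777's command line (http redirect URL, default
# cookie-secure, --cookie-domain=.test.shiva.com) with and without --cookie-secure=false.
RSHIVA_CALLBACK = "http://nginxnew.test.shiva.com/oauth2/callback"
RSHIVA_DEFAULT = CsrfCookie(set_on_host="nginxnew.test.shiva.com", secure=True, domain=".test.shiva.com")
RSHIVA_INSECURE = CsrfCookie(set_on_host="nginxnew.test.shiva.com", secure=False, domain=".test.shiva.com")

if __name__ == "__main__":
    for label, c in (("cookie-secure=true", RSHIVA_DEFAULT), ("cookie-secure=false", RSHIVA_INSECURE)):
        print(label, "->", reasons_csrf_cookie_not_sent(c, RSHIVA_CALLBACK) or "cookie sent")
```

The host-only branch is the one to watch in the opening post's configuration, where the nginx vhost is status.example.com but the redirect URL points at oauth2.example.com: if /oauth2/start is served on one name and the callback lands on another, a cookie set without --cookie-domain is never sent to the second name. Whether that is what happened there is not established by the thread; the check only tells you the cookie rules would withhold it in that layout.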

@miguelborges99
Contributor

Please, close this issue if it is no longer a topic

@aaktaev

aaktaev commented Jan 23, 2023

This issue is also reproducible with keycloak-oidc (oauth2-proxy v7.4.0):

OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
OAUTH2_PROXY_PROVIDER=keycloak-oidc
OAUTH2_PROXY_REDIRECT_URL=https://app.com/oauth2/callback
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:3000
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_PASS_USER_HEADERS=true
OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true
OAUTH2_PROXY_EMAIL_DOMAINS=*
OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
OAUTH2_PROXY_UPSTREAMS=http://localhost:4000/
OAUTH2_PROXY_LOGIN_URL=https://domain.com/auth/realms/ldap/protocol/openid-connect/auth
OAUTH2_PROXY_COOKIE_SECRET=SECRET
OAUTH2_PROXY_COOKIE_SECURE=false
OAUTH2_PROXY_CLIENT_ID=client_id
OAUTH2_PROXY_CLIENT_SECRET=client_secret
OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_OIDC_ISSUER_URL=https://domain.com/auth/realms/ldap
OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
OAUTH2_PROXY_VALIDATE_URL=https://domain.com/auth/realms/ldap/protocol/openid-connect/userinfo
OAUTH2_PROXY_REDEEM_URL=https://domain.com/auth/realms/ldap/protocol/openid-connect/token

logs:

[2023/01/23 16:36:13] [oauthproxy.go:816] &{GET /oauth2/callback?state=5QVK7sI7CD3XqxbxPDF8ZMsqJo3GFpXYg1MsN3ZkBOQ%3A%2F&session_state=6d2f3bdb-153f-42a5-b4de-637db00e3f53&code=83a7dd4d-ca47-469e-94d0-125f72b0f340.6d2f3bdb-153f-42a5-b4de-637db00e3f53.3d1f8fb1d754417e8c754d5a616bca14 HTTP/1.1 1 1 map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9] Sec-Ch-Ua:["Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:["macOS"] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36] X-Forwarded-For:[10.116.2.1] X-Forwarded-Host:[app.com] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Scheme:[https] X-Forwarded-Uri:[/oauth2/callback?state=5QVK7sI7CD3XqxbxPDF8ZMsqJo3GFpXYg1MsN3ZkBOQ%3A%2F&session_state=6d2f3bdb-153f-42a5-b4de-637db00e3f53&code=83a7dd4d-ca47-469e-94d0-125f72b0f340.6d2f3bdb-153f-42a5-b4de-637db00e3f53.3d1f8fb1d754417e8c754d5a616bca14] X-Real-Ip:[10.116.2.1] X-Request-Id:[e4b55e287afb82f25e7c4537c88b0509] X-Scheme:[https]] {} <nil> 0 [] false app.com map[code:[83a7dd4d-ca47-469e-94d0-125f72b0f340.6d2f3bdb-153f-42a5-b4de-637db00e3f53.3d1f8fb1d754417e8c754d5a616bca14] session_state:[6d2f3bdb-153f-42a5-b4de-637db00e3f53] state:[5QVK7sI7CD3XqxbxPDF8ZMsqJo3GFpXYg1MsN3ZkBOQ:/]] map[] <nil> map[] 10.116.2.4:55098 /oauth2/callback?state=5QVK7sI7CD3XqxbxPDF8ZMsqJo3GFpXYg1MsN3ZkBOQ%3A%2F&session_state=6d2f3bdb-153f-42a5-b4de-637db00e3f53&code=83a7dd4d-ca47-469e-94d0-125f72b0f340.6d2f3bdb-153f-42a5-b4de-637db00e3f53.3d1f8fb1d754417e8c754d5a616bca14 <nil> <nil> <nil> 0xc0000abec0} AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie

@miguelborges99
Contributor

Usually this type of issue occurs when users set up a bad cookie configuration, or the cookie is being filtered by proxies.
Check in the browser development tools where you lost the CSRF cookie.
I see that you have an https redirect URL and you have cookie_secure equal to false; most probably it should be true.

@aaktaev

aaktaev commented Jan 24, 2023

Checked with OAUTH2_PROXY_COOKIE_SECURE=true - the result is the same.

@miguelborges99
Contributor

miguelborges99 commented Jan 25, 2023

The CSRF cookie is created before oauth2-proxy redirects the user to a page where user has to login, after that your authentication server calls your callback endpoint and the CSRF cookie must also be sent.

If the CSRF cookie is not present in the callback, then the error that you describe is shown.
You have to investigate using the browser development tools where CSRF cookie is lost, and the reason why your network is rejecting it.
You can also try to use the options:

--cookie-csrf-per-request=true
--cookie-csrf-expire=5m

In case you are doing parallel authentication requests.

The CSRF cookie is described in OAuth2 RFC 6749 (https://www.rfc-editor.org/rfc/rfc6749#page-59), so it's something standard in the authentication process.
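
The flow this comment describes, and the parallel-login case the two --cookie-csrf-* options are meant for, as an added example that is not oauth2-proxy's code and not part of the original thread: /oauth2/start mints a random nonce, stores it signed in a CSRF cookie and also sends it to the identity provider inside `state` (the same `nonce:return_to` shape visible in the logged state parameters above, where %3A%2F decodes to `:/`); /oauth2/callback accepts the `state` only when its nonce matches the cookie that came back, and consumes the cookie. The cookie names, the signing scheme and the per-request naming rule are assumptions standing in for --cookie-csrf-per-request, and every error message other than "unable to obtain CSRF cookie" is invented for the example.

```python
"""State/CSRF-cookie binding across /oauth2/start and /oauth2/callback, and why two
logins in flight at once break a single shared CSRF cookie.

Added example, not oauth2-proxy code. start mints a random nonce, stores it (signed)
in a CSRF cookie and sends it to the IdP inside `state`; callback accepts `state`
only when the nonce matches the cookie the browser sent back, then deletes the cookie.
Cookie names and the per-request naming scheme are assumptions standing in for
--cookie-csrf-per-request; error messages other than "unable to obtain CSRF cookie"
are invented here.
"""
import hashlib
import hmac
import secrets


class CsrfFlow:
    def __init__(self, cookie_secret: bytes, per_request: bool, csrf_expire: int = 300):
        self.secret = cookie_secret        # --cookie-secret
        self.per_request = per_request     # --cookie-csrf-per-request
        self.csrf_expire = csrf_expire     # --cookie-csrf-expire, in seconds

    def _cookie_name(self, nonce: str) -> str:
        if not self.per_request:
            return "_oauth2_proxy_csrf"    # one cookie shared by every login attempt
        # assumed scheme: one cookie per login attempt, named from the nonce
        return "_oauth2_proxy_csrf_" + hashlib.sha256(nonce.encode()).hexdigest()[:8]

    def _sign(self, nonce: str, issued: int) -> str:
        mac = hmac.new(self.secret, f"{nonce}|{issued}".encode(), hashlib.sha256).hexdigest()
        return f"{nonce}|{issued}|{mac}"

    def start(self, jar: dict, return_to: str, now: int) -> str:
        """/oauth2/start: set the CSRF cookie in the browser jar, return the state sent to the IdP."""
        nonce = secrets.token_urlsafe(32)            # url-safe alphabet: never contains ':' or '|'
        jar[self._cookie_name(nonce)] = self._sign(nonce, now)
        return f"{nonce}:{return_to}"

    def callback(self, jar: dict, state: str, now: int) -> str:
        """/oauth2/callback: verify state against the cookie the browser sent, consume it."""
        nonce, _, return_to = state.partition(":")
        raw = jar.pop(self._cookie_name(nonce), None)   # single use: removed even on failure
        if raw is None:
            raise ValueError("unable to obtain CSRF cookie")
        cookie_nonce, issued, _mac = raw.split("|")
        if not hmac.compare_digest(self._sign(cookie_nonce, int(issued)), raw):
            raise ValueError("CSRF cookie signature invalid")
        if now - int(issued) > self.csrf_expire:
            raise ValueError("CSRF cookie expired")
        if not hmac.compare_digest(cookie_nonce, nonce):
            raise ValueError("CSRF token in state does not match CSRF cookie")
        return return_to


def parallel_logins(per_request: bool) -> list[str]:
    """Two tabs start a login before either callback arrives; report each callback's outcome."""
    proxy = CsrfFlow(cookie_secret=b"k" * 32, per_request=per_request)   # constructed secret
    jar: dict = {}                                   # the browser's cookie jar for this site
    state_a = proxy.start(jar, "/a", now=100)
    state_b = proxy.start(jar, "/b", now=101)        # with a shared cookie this overwrites A's
    results = []
    for state in (state_a, state_b):
        try:
            results.append("ok:" + proxy.callback(jar, state, now=105))
        except ValueError as exc:
            results.append("error:" + str(exc))
    return results


if __name__ == "__main__":
    print("shared cookie :", parallel_logins(per_request=False))
    print("per-request   :", parallel_logins(per_request=True))
```

With the shared cookie the second start overwrites the first one's nonce, so the first callback fails the nonce comparison and the second finds no cookie at all, which is the same "unable to obtain CSRF cookie" failure this thread is about; with per-request cookies both callbacks complete. Note that the check is only as good as the cookie actually reaching the callback: a cookie withheld by the browser for Secure, Domain or SameSite reasons produces the same error regardless of these options.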

@aaktaev

aaktaev commented Jan 26, 2023

I need to use the existing session. These values are not working too:

--cookie-csrf-per-request=true
--cookie-csrf-expire=5m

@aaktaev

aaktaev commented Jan 26, 2023

I have the following architecture:

Frontend service, which authenticates the user via keycloak. Frontend (let's call it UI) also has an endpoint which routes to some service, e.g. app.com.

app.com:

Deployment with two containers (oauth2-proxy and nginx) and an ingress for it. oauth2-proxy checks if the user is logged in; if yes, then it should route to the upstream, which is nginx, which redirects to https://test.com and adds a BASIC AUTH header with creds.

A direct call to app.com works fine: it asks me to enter a user name, passes me to auth via keycloak, and then successfully redirects to https://test.com.

@miguelborges99
Contributor

miguelborges99 commented Jan 26, 2023

Sorry, I got confused by your explanation. Maybe it is better to do a diagram...
My guess is that your CSRF cookie is lost in all these redirects, or the cookie is being created in a domain which oauth2-proxy is not expecting... did you check that?

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.


@github-actions github-actions bot added the Stale label Nov 13, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 20, 2023
@yousri-meftah

Can someone help me please? It still does not work for me; I tried all your solutions.
