Unable to find a valid CSRF token. Version 7.4.x (latest) #1937
Comments
resolved... /root/go/bin/oauth2-proxy
--cookie-csrf-per-request=true
Hi @Abhishek627, yes, I think it was those two options. Now moving on to the multi-domain scenario.
@william-bohannan,
And on the webpage I am getting the below error. Args used:
In the above case I didn't add the --cookie-secure=false parameter to oauth2-proxy. If I add the --cookie-secure=false parameter, I get the below error during login
@rshiva777 Maybe your issue is related to #1724, see this comment.
I think you need to add this entry in the oauth2_proxy.cfg
I also notice that you are using an HTTP (and not an HTTPS; I advise you to use this more secure option) URL in the redirect_url, so with HTTP this will only work with the option:
Please close this issue if it is no longer a topic.
This issue is also reproducible with keycloak-oidc (oauth2-proxy v.7.4.0):
logs:
Usually this type of issue occurs when users set up a bad cookie configuration, or the cookie is being filtered by proxies.
Checked with
The CSRF cookie is created before oauth2-proxy redirects the user to a page where the user has to log in; after that your authentication server calls your callback endpoint and the CSRF cookie must also be sent. If the CSRF cookie is not present in the callback, then the error that you describe is shown. --cookie-csrf-per-request=true is for the case where you are doing parallel authentication requests. The CSRF cookie is described in OAuth2 RFC 6749 (https://www.rfc-editor.org/rfc/rfc6749#page-59), so it's something standard in the authentication process.
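To make the round trip described in the comment above concrete, here is a toy model of it as an added example. It is not oauth2-proxy's code: the cookie name, the HMAC-based state, and the browser rules it applies (a Secure cookie is never sent over plain HTTP; a SameSite=Strict cookie is withheld on the cross-site navigation back from the identity provider) are assumptions chosen to show why the callback can arrive without the CSRF cookie even though the proxy set it a moment earlier.

```python
"""Toy model of the OAuth2 login CSRF cookie round trip.

Added example, not oauth2-proxy's own code. Cookie name, state format and
the browser's send rules are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

COOKIE_NAME = "_oauth2_proxy_csrf"  # assumption: illustrative cookie name


@dataclass
class ProxyConfig:
    cookie_secret: bytes
    cookie_secure: bool = True     # mirrors --cookie-secure
    cookie_samesite: str = "lax"   # mirrors --cookie-samesite


@dataclass
class Cookie:
    value: str
    secure: bool
    samesite: str


@dataclass
class Browser:
    """Minimal cookie jar applying the Secure and SameSite send rules."""
    jar: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)  # why a cookie was not sent

    def set_cookie(self, name: str, cookie: Cookie) -> None:
        self.jar[name] = cookie

    def cookies_for(self, url: str, cross_site: bool) -> dict:
        scheme = urlparse(url).scheme
        sent = {}
        for name, c in self.jar.items():
            if c.secure and scheme != "https":
                self.dropped.append((name, "Secure cookie not sent over plain HTTP"))
                continue
            if cross_site and c.samesite.lower() == "strict":
                self.dropped.append((name, "SameSite=Strict cookie withheld on cross-site navigation"))
                continue
            sent[name] = c.value
        return sent


def _csrf_token(secret: bytes, nonce: str) -> str:
    # Binds the opaque ?state= value to the nonce stored in the cookie.
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def start_login(cfg: ProxyConfig, browser: Browser) -> str:
    """Step 1: proxy sets the CSRF cookie, then redirects to the IdP with state."""
    nonce = secrets.token_hex(16)
    browser.set_cookie(COOKIE_NAME, Cookie(nonce, cfg.cookie_secure, cfg.cookie_samesite))
    return _csrf_token(cfg.cookie_secret, nonce)  # travels to the IdP and back as ?state=


def handle_callback(cfg: ProxyConfig, browser: Browser, callback_url: str, state: str):
    """Step 2: the IdP sends the browser to the callback; the cookie must come back.

    The callback is a top-level navigation originating from the IdP's site,
    so it is cross-site from the proxy's point of view.
    """
    cookies = browser.cookies_for(callback_url, cross_site=True)
    nonce = cookies.get(COOKIE_NAME)
    if nonce is None:
        why = "; ".join(r for n, r in browser.dropped if n == COOKIE_NAME) or "cookie never stored"
        return 403, f"Unable to find a valid CSRF token ({why})"
    if not hmac.compare_digest(_csrf_token(cfg.cookie_secret, nonce), state):
        return 403, "CSRF token mismatch"
    return 200, "OK"


def run_flow(cfg: ProxyConfig, callback_url: str):
    """Drive both steps with a fresh browser and return the callback result."""
    browser = Browser()
    state = start_login(cfg, browser)
    return handle_callback(cfg, browser, callback_url, state)


if __name__ == "__main__":
    secret = b"constructed-secret"
    for secure, samesite, url in [
        (True, "lax", "https://oauth2.example.com/oauth2/callback"),
        (True, "lax", "http://oauth2.example.com/oauth2/callback"),
        (False, "lax", "http://oauth2.example.com/oauth2/callback"),
        (True, "strict", "https://oauth2.example.com/oauth2/callback"),
    ]:
        cfg = ProxyConfig(secret, cookie_secure=secure, cookie_samesite=samesite)
        print(secure, samesite, url, "->", run_flow(cfg, url))
```

The model reproduces the two configurations discussed in this thread: an HTTPS redirect URL with the default Secure cookie succeeds, the same cookie over an HTTP callback is never sent and yields the "Unable to find a valid CSRF token" result, and `--cookie-secure=false` makes the HTTP case work at the cost of the Secure flag. It also shows the SameSite=Strict case, where the cookie is stored but withheld on the cross-site hop back from the identity provider.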
I need to use the existing session. These values are not working too:
I have the following architecture: a Frontend service, which authenticates the user via keycloak. The Frontend (let's call it UI) also has an endpoint which routes to some service, e.g. app.com. app.com: a deployment with two containers (oauth2-proxy and nginx) and an ingress for it. Oauth2 checks if the user is logged in; if yes, then it should route to the upstream, which is nginx, which redirects to https://test.com and adds a BASIC AUTH HEADER with creds. A direct call to app.com works fine: it asks to enter a user name, is passed to auth via keycloak, and then successfully redirects to https://test.com
Sorry, I got confused by your explanation. Maybe it is better to do a diagram...
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Can someone help me please?? It still does not work for me, I tried all your solutions.
Expected Behavior
Looking for a 200 response after a successful login
Current Behavior
Getting a 403 response: "Unable to find a valid CSRF token" and in Nginx logs: AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie
Possible Solution
Have read the manual, logs, looked online, tried secure / insecure and all the options in oauth2-proxy, nothing seems to fix it.
Steps to Reproduce (for bugs)
Happens every time I try (with the below configurations / run command).
Context
Very new with oauth2-proxy.
Your Environment
Oauth2 Proxy
/root/go/bin/oauth2-proxy
--email-domain=*
--skip-provider-button=true
--cookie-samesite=lax
--cookie-secret=changeme=
--cookie-secure=false
--provider=github
--reverse-proxy=true
--footer=-
--banner=-
--client-id=changeme
--client-secret=changeme
--scope=read
--redirect-url=https://oauth2.example.com/oauth2/callback
Nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name status.example.com;
}