Cookie "_oauth2_proxy" not present #26

Closed
loispostula opened this issue Jan 24, 2019 · 13 comments
@loispostula commented Jan 24, 2019

When setting --pass-authorization-header=true, the proxy returns a 502 error with the following message in the logs:
oauthproxy.go:764 redacted_ip:port ("redacted_ip") Cookie "_oauth2_proxy" not present

Here are the parameters passed to the proxy:

"--provider=oidc",
"--client-id=<redacted>",
"--client-secret=<redacted>",
"--redirect-url=https://target.my_organisation.com/oauth2/callback",
"--oidc-issuer-url=https://keycloak.my_organisation.com/auth/realms/master",
"--email-domain=my_organisation.com",
"--upstream=http://127.0.0.1:9090",
"--http-address=0.0.0.0:3000",
"--cookie-secret=<redacted>",
"--pass-authorization-header=true",
"--set-authorization-header=true",
"--cookie-domain=.my_organization.com",
"--cookie-secure=false"

I am trying to pass the authorization header to the kubernetes dashboard

@JoelSpeed (Member) commented:

Hi @loispostula,

Just a couple of thoughts on this. Does the error persist when you have --pass-authorization-header=false? What happens in this case?

Have you also tried --cookie-secure=true? I notice your redirect URL is on HTTPS so the cookie should be set to HTTPS also

@ap1969 commented May 2, 2019

Hi,

I know this issue is old, but I'm seeing the same thing, so thought I'd:

A) Check if @loispostula got the issue resolved? And if so, can you share any details?

B) Provide some details for my own set up, where I'm trying to pass the JWT from my OIDC provider to my upstream system.

I'm running oauth2_proxy on kubernetes, proxying requests to an Angular single-page app running in a different container based on the nginx:stable-alpine docker image.

I've tried a few setups, all of which correctly intercept the initial request, present the login page, redirect out to Auth0.com and return back to my URL. However:

WITHOUT AUTH HEADER, WITHOUT SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=false --cookie-secure false

This redirects to the upstream app, but there is no auth header. Cookie exists.

WITH AUTH HEADER, WITHOUT SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=true --cookie-secure false

This generates a 502 error. No cookie. Log entries are:

146.162.240.243 - - [02/May/2019:09:44:12 +0000] cp.dev.env.notifium.com GET - "/oauth2/callback?code=iQMzt5I1t75vxxx&state=xxxb97c24a6bcaf2136152131d1723%3A%2Fauth%2Flogin" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" 302 34 0.312
2019/05/02 09:44:13 oauthproxy.go:745: 167.99.86.85:35596 ("146.162.240.243") authentication complete Session{email:xxx@gmail.com user: token:true id_token:true expires:2019-05-03 09:44:12.936531323 +0000 UTC m=+86440.405422668}
2019/05/02 09:44:13 oauthproxy.go:796: 167.99.86.85:35640 ("146.162.240.243") Cookie "_oauth2_proxy_cp" not present

WITH AUTH HEADER, WITH SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=true --cookie-secure true

This generates a 502 error. No cookie. Log entries as above

WITHOUT AUTH HEADER, WITH SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=false --cookie-secure true

This redirects to app, but no auth header. Cookie exists.

Between each test, I'm clearing all cookies, and the _csrf cookie is set when I am directed to the login page.

I've also tried all the above 4 cases with --set-authorization-header=true, and they all go to 502 page.

Any help would be REALLY appreciated!

Regards,
Andy

@JoelSpeed (Member) commented:

Hi @ap1969, one thing I would recommend trying is to use the browser debug console to inspect the requests/responses from a login flow. One of the responses from the OAuth2 Proxy should have in it a set-cookie header. Check the domain that this is being set on, I suspect it is not the one you want!

You can set the cookie domain explicitly using the --cookie-domain flag 😀

@ap1969 commented May 2, 2019

Hi Joel,
Thanks for getting back so quick.

I can see the set-cookie in the initial load when rendering the login page:

Set-Cookie: _oauth2_proxy_cp=; Path=/; Domain=cp.domain.com; Expires=Thu, 02 May 2019 10:37:16 GMT; Secure

Then on return to the callback, there's an initial hit to /oauth2/callback, with a 308 redirect to what seems to be the same URL, and that redirect has no set-cookie header.

Then the final /oauth2/callback request returns the 502 error, also with no set-cookie header.

Does that help?

Andy
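
Joel's suggestion above (look at the Set-Cookie header and check which domain it is set on) can be scripted. The program below is an added example for this thread, not code from the oauth2_proxy project or from anyone posting here. It feeds Set-Cookie header values and the callback URL to Go's own cookie parser and flags the three things this thread keeps turning on: a Domain attribute that does not cover the callback host (what --cookie-domain fixes), a Secure cookie on a plain-http redirect (what --cookie-secure=false is for), and a cookie over the per-cookie size browsers accept. The sample header is the clearing cookie Andy quoted, checked against a hypothetical http://cp.dev.example.com callback; that host name and the 4096-byte limit are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Finding is one reason a browser would reject a Set-Cookie or never send the cookie back.
type Finding struct {
	Cookie  string
	Problem string
}

// domainMatches reports whether a cookie carrying Domain attribute d is in scope for host,
// following the RFC 6265 domain-match rule (identical host, or host is a subdomain of d).
func domainMatches(d, host string) bool {
	d = strings.ToLower(strings.TrimPrefix(d, "."))
	host = strings.ToLower(host)
	return d == host || strings.HasSuffix(host, "."+d)
}

// CheckSetCookies parses Set-Cookie header values with net/http's cookie parser and checks
// each cookie against the URL the browser will be redirected back to after login.
func CheckSetCookies(setCookie []string, redirectURL string) ([]Finding, error) {
	u, err := url.Parse(redirectURL)
	if err != nil {
		return nil, err
	}
	// Wrapping the headers in a Response lets Response.Cookies() do the parsing.
	resp := &http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	var findings []Finding
	for _, c := range resp.Cookies() {
		if c.Domain != "" && !domainMatches(c.Domain, u.Hostname()) {
			findings = append(findings, Finding{c.Name, fmt.Sprintf(
				"Domain=%s does not cover %s, so the browser rejects the cookie (see --cookie-domain)",
				c.Domain, u.Hostname())})
		}
		if c.Secure && u.Scheme != "https" {
			findings = append(findings, Finding{c.Name,
				"Secure attribute set but the redirect URL is plain http, so the cookie is never sent back (see --cookie-secure)"})
		}
		// 4096 is an assumed per-cookie limit; real browsers differ by a few bytes.
		if n := len(c.String()); n > 4096 {
			findings = append(findings, Finding{c.Name, fmt.Sprintf(
				"serialized cookie is %d bytes, over the ~4096-byte per-cookie limit browsers enforce", n)})
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample: the clearing cookie quoted in the thread, checked against a
	// hypothetical http:// callback on a different host than the cookie's Domain.
	headers := []string{
		"_oauth2_proxy_cp=; Path=/; Domain=cp.domain.com; Expires=Thu, 02 May 2019 10:37:16 GMT; Secure",
	}
	findings, err := CheckSetCookies(headers, "http://cp.dev.example.com/oauth2/callback")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Cookie, f.Problem)
	}
}
```

Paste the Set-Cookie lines from the browser's network tab into the headers slice and the callback URL you configured as --redirect-url; an empty result means the cookie is in scope for the callback and the problem lies elsewhere (for example in the reverse proxy's header buffer).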

@ap1969 commented May 3, 2019

Hi Joel,
I've compiled a version of oauth2_proxy with some extra debugging lines in it, but I'm still stuck.

SaveSession() calls SetSessionCookie(), which is trying to write two cookies:

"_oauth2_proxy_0=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; Path=/; Expires=Fri, 10 May 2019 13:58:52 GMT"

and

"_oauth2_proxy_1=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|1556891932|98JRJQmNFB2iwPZ3Tqh_X7EojtA=; Path=/; Expires=Fri, 10 May 2019 13:58:52 GMT"

However, neither of those actually seem to be set in the browser, which is odd as the next line in SetSessionCookie is http.SetCookie(rw, c), which should work just fine as it's the core http module, if I understand correctly (I'm new to Go).

And I'm definitely not able to find any set-cookie headers in the request to oauth2_proxy's /callback.

Any thoughts?

@ap1969 commented May 3, 2019

OK, I'm making some progress. I see from the nginx conf example that, when using the --set-authorization-header flag, some providers' cookies can exceed 4kb, so that explains the output in the code above.

However, I'm still not setting the cookie headers.
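
Why the debug output above shows two cookies: the session is spread over _oauth2_proxy_0, _oauth2_proxy_1, ... so that each one stays under the per-cookie size browsers accept, and the chunks are reassembled from the request on the way back. The program below is an added illustration of that scheme written for this thread, not oauth2_proxy's implementation (the real proxy also timestamps and signs the cookie, which is what the |1556891932|...= suffix above is; that is omitted here). It also totals the bytes the chunked Set-Cookie lines add to the response header, which is the figure that has to fit in the reverse proxy's header buffer (the nginx proxy_buffer_size setting). The 4096-byte limit, the 10 000-byte sample session, and the _999 probe suffix are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// browserCookieLimit is the per-cookie size most browsers enforce. 4096 is an
// assumption used here; exact limits differ slightly between browsers.
const browserCookieLimit = 4096

// splitSessionCookie spreads value across name_0, name_1, ... cookies so that each
// serialized Set-Cookie line stays under browserCookieLimit. template supplies the
// attributes (Path, Domain, Expires, Secure, HttpOnly) every chunk shares.
func splitSessionCookie(template http.Cookie, value string) []*http.Cookie {
	// Measure the attribute overhead once, with a longer index suffix than we expect to need.
	probe := template
	probe.Name = template.Name + "_999"
	probe.Value = ""
	payload := browserCookieLimit - len(probe.String())
	var chunks []*http.Cookie
	for i := 0; len(value) > 0; i++ {
		n := payload
		if n > len(value) {
			n = len(value)
		}
		c := template
		c.Name = fmt.Sprintf("%s_%d", template.Name, i)
		c.Value = value[:n]
		value = value[n:]
		chunks = append(chunks, &c)
	}
	return chunks
}

// joinSessionCookies reassembles the value from the chunk cookies the browser sent
// back. It returns ok=false when any chunk is missing, which is what the proxy sees
// when the browser silently dropped an oversized or out-of-scope chunk.
func joinSessionCookies(name string, cookies []*http.Cookie) (value string, ok bool) {
	parts := map[int]string{}
	for _, c := range cookies {
		if !strings.HasPrefix(c.Name, name+"_") {
			continue // unrelated cookie
		}
		idx, err := strconv.Atoi(strings.TrimPrefix(c.Name, name+"_"))
		if err != nil {
			continue // same prefix but not a chunk index, e.g. a CSRF cookie
		}
		parts[idx] = c.Value
	}
	var b strings.Builder
	for i := 0; i < len(parts); i++ {
		p, found := parts[i]
		if !found {
			return "", false
		}
		b.WriteString(p)
	}
	return b.String(), len(parts) > 0
}

// setCookieHeaderBytes totals the bytes the chunked cookies add to the response header,
// which a reverse proxy in front (nginx proxy_buffer_size) must be able to hold.
func setCookieHeaderBytes(cookies []*http.Cookie) int {
	total := 0
	for _, c := range cookies {
		total += len("Set-Cookie: ") + len(c.String()) + len("\r\n")
	}
	return total
}

func main() {
	// Constructed sample: a 10 000-byte opaque session value standing in for an
	// encrypted session that carries an id_token and access token.
	session := strings.Repeat("s", 10000)
	tmpl := http.Cookie{Name: "_oauth2_proxy", Path: "/", HttpOnly: true, Secure: true}
	chunks := splitSessionCookie(tmpl, session)
	for _, c := range chunks {
		fmt.Printf("%s: %d bytes\n", c.Name, len(c.String()))
	}
	fmt.Printf("response header grows by %d bytes\n", setCookieHeaderBytes(chunks))
	joined, ok := joinSessionCookies("_oauth2_proxy", chunks)
	fmt.Println("round trip ok:", ok && joined == session)
}
```

The point for this thread is the last number: a response carrying three 4k Set-Cookie lines needs roughly 12k of header buffer, so a front proxy left at a 4k default fails the callback response before the browser ever sees the cookies, while a single chunk missing from the request reproduces the "Cookie not present" error exactly.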

@JoelSpeed (Member) commented:

> And I'm definitely not able to find any set-cookie headers in the request to oauth2_proxy's /callback.

Just to double check you mean the response here rather than the request? Do you have the --cookie-domain flag set? If not could you try it with this set?

Could you please also supply your complete configuration including the config file and flags? (redacting any sensitive information of course)

Could you also supply a snippet of the logs you get when you are trying this?

@JoelSpeed (Member) commented:

Could you also try running a build from the latest master please?

@frco9 commented May 6, 2019

@ap1969 I had almost the same issue.
I'm using the oauth_proxy in a Kubernetes cluster, the issue was with the nginx-ingress-controller:

upstream sent too big header while reading response header from upstream

I just had to increase the buffer size: https://andrewlock.net/fixing-nginx-upstream-sent-too-big-header-error-when-running-an-ingress-controller-in-kubernetes/

@infinitydon commented:

@JoelSpeed - No matter the combination of settings that I do, I keep on getting " Error loading cookied session: Cookie "_oauth2_proxy" not present" persistently with 401 in Nginx ingress logs.

Configuration currently being used:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: pages-test-ingress
spec:
  rules:
  - host: xxx-test.infra.xxx.eu
    http:
      paths:
      - backend:
          serviceName: nginx-pages
          servicePort: 80
        path: /
  tls:
  - hosts:
    - xxx-test.infra.xxx.eu
    secretName: pages-test-tls
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: xxx-test.infra.xxx.eu
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 4180
        path: /oauth2
  tls:
  - hosts:
    - xxx-test.infra.xxx.eu
    secretName: pages-test-tls
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=gitlab
        - --email-domain=*
        - --http-address=0.0.0.0:4180
        - --upstream=file:///dev/null
        - -cookie-domain=.xxx-test.infra.xxx.eu
        - -whitelist-domain=.xxx-test.infra.xxx.eu
        # Register a new application
        env:
        - name: OAUTH2_PROXY_REDIRECT_URL
          value: https://xxx-test.infra.xxx.eu/oauth2/auth
        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
          value: REDACTED
        #- name: OAUTH2_PROXY_PASS_ACCESS_TOKEN
        #  value: "true"
        - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
          value: "true"
        #- name: OAUTH2_PROXY_SET_AUTHREQUEST
        #  value: "true"
        #- name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
        #  value: "true"
        - name: OAUTH2_PROXY_CLIENT_ID
          value: REDACTED
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: REDACTED
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: REDACTED
        image: quay.io/pusher/oauth2_proxy:latest
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP

@ajcollett commented Apr 6, 2020

Edit: My issue is that I was using http but never set the OAUTH2_PROXY_COOKIE_SECURE=false. After doing this it worked.

I have now deployed this properly and it's working!

--- Original

Same as @infinitydon above, there is NO cookie when redirected back to the OAuth2_proxy.
I checked in the logs and "inspected" in the browser.

I am working with a self hosted GitLab instance, which seems like that might be the case with @infinitydon too.

I see the below in the logs:

[AuthFailure] Invalid authentication via OAuth2: unable too obtain CSRF cookie

What does that mean?

@ghostsquad commented:

@infinitydon why do some of the args you are passing to oauth2_proxy start with 2 hyphens, and others 1 hyphen?

- args:
  - --provider=gitlab
  - --email-domain=*
  - --http-address=0.0.0.0:4180
  - --upstream=file:///dev/null
  - -cookie-domain=.xxx-test.infra.xxx.eu
  - -whitelist-domain=.xxx-test.infra.xxx.eu

According to the oauth2_proxy --help, all arguments use a single hyphen (-)

@github-actions (Contributor) commented:

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
