Grafana auth proxy scenario not working for dashboard calls #266
I can confirm this happening with 4.0.0, but not with 3.2.0 - using GitLab (self hosted), not Keycloak. It seems that the token refresh doesn't work. Edit: I use the native oauth implementation in Grafana, but I've had the problem with graylog, karma, nzbget. Basically, anything doing ajax requests.
I'm using the cookie store here, which turned out to have problems with sending back _oauth2_proxy_x cookies in my setup (NGINX in auth request mode). From another thread, the issue goes:
So with working cookies the auth flow should never happen, because oauth2_proxy is replacing the token silently. I just tested it with the redis store and it works. So the original issue exists, but with redis you should not see it until you are able to use the refresh token. Can you confirm that you are using the cookie store too? For redis testing I used: and add the following to the oauth2 settings:
I'm using docker swarm with containous/traefik in front of oauth2_proxy. No credential store. This is the relevant part of the compose file:

```yaml
version: "3.7"
services:
  oauth:
    # image: quay.io/pusher/oauth2_proxy:v3.2.0
    image: quay.io/pusher/oauth2_proxy:latest
    networks:
      - oauth
      - oauth-web
    deploy:
      restart_policy:
        delay: 5s
      labels:
        ai.ix.auto-update: 'true'
        ai.ix.expose: 'true'
        ai.ix.fqdn: ${FQDN_OAUTH?err}
        traefik.enable: 'true'
        traefik.docker.network: oauth-web
        traefik.http.routers.__STACK_NAME__-http.middlewares: default-http@file
        traefik.http.routers.__STACK_NAME__-http.entrypoints: http
        traefik.http.routers.__STACK_NAME__.entrypoints: https
        traefik.http.routers.__STACK_NAME__.middlewares: default-https@file
        traefik.http.routers.__STACK_NAME__.tls.certResolver: 'default'
        traefik.http.routers.__STACK_NAME__.service: __STACK_NAME__@docker
        traefik.http.services.__STACK_NAME__.loadbalancer.server.port: '4180'
    environment:
      OAUTH2_PROXY_CLIENT_ID: '${CLIENT_ID?err}'
      OAUTH2_PROXY_CLIENT_SECRET: '${CLIENT_SECRET?err}'
      OAUTH2_PROXY_COOKIE_SECRET: '${COOKIE_SECRET?err}'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
      OAUTH2_PROXY_COOKIE_DOMAIN: '${UPSTREAM_COOKIE_DOMAIN?err}'
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      OAUTH2_PROXY_COOKIE_REFRESH: '10m'
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
      OAUTH2_PROXY_FOOTER: '-'
      OAUTH2_PROXY_PROVIDER: 'gitlab'
      # OAUTH2_PROXY_LOGIN_URL: 'https://${FQDN_GIT?err}/oauth/authorize'
      # OAUTH2_PROXY_REDEEM_URL: 'https://${FQDN_GIT?err}/oauth/token'
      # OAUTH2_PROXY_VALIDATE_URL: 'https://${FQDN_GIT?err}/api/v4/user'
      # OAUTH2_PROXY_REDIRECT_URL: 'https://${FQDN_OAUTH?err}'
      OAUTH2_PROXY_OIDC_ISSUER_URL: 'https://${FQDN_GIT?err}'
    command:
      - -upstream=http://${UPSTREAM_SERVICE?err}:${UPSTREAM_PORT?err}
networks:
  oauth-web:
    external: true
  oauth:
    driver: overlay
    driver_opts:
      encrypted: 'true'
    internal: true
```

I've already tried with different OAUTH2_PROXY_COOKIE_REFRESH times. The commented out parts are what I use (successfully) with oauth2_proxy v3.2.0.
By default oauth2_proxy uses the cookie store, which is your case too. You need to switch to redis and you should not see this problem (see https://pusher.github.io/oauth2_proxy/configuration/sessions). But I still think there is some problem with state setting.
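A small diagnostic for the cookie-store symptom discussed above (split `_oauth2_proxy_<n>` cookies not all making it back on the auth request). This is an added example, not code from oauth2_proxy or from the thread; it assumes the default cookie name `_oauth2_proxy`, the `_<n>` suffix convention for split parts, and a 4096-byte per-cookie browser limit. The Set-Cookie and Cookie headers below are constructed samples.

```python
"""Compare the session cookies oauth2_proxy set with what the browser sent back."""
import re

COOKIE_NAME = "_oauth2_proxy"     # assumed: oauth2_proxy default cookie name
BROWSER_COOKIE_LIMIT = 4096       # assumed: common per-cookie size limit
_PART = re.compile(rf"^{re.escape(COOKIE_NAME)}_(\d+)$")  # assumed split naming


def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header, ignoring attributes."""
    name, _, value = header.split(";", 1)[0].strip().partition("=")
    return name, value


def parse_cookie_header(header):
    """Return {name: value} for every pair in a request Cookie header."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {name: value for name, _, value in pairs}


def session_parts(cookies):
    """Return the session cookie value(s) in part order, whole or split."""
    if COOKIE_NAME in cookies:
        return [cookies[COOKIE_NAME]]
    parts = {}
    for name, value in cookies.items():
        m = _PART.match(name)
        if m:
            parts[int(m.group(1))] = value
    return [parts[i] for i in sorted(parts)]


def check_roundtrip(set_cookie_headers, request_cookie_header):
    """List problems found between issued cookies and the returned Cookie header."""
    issued = session_parts(dict(parse_set_cookie(h) for h in set_cookie_headers))
    returned = session_parts(parse_cookie_header(request_cookie_header))
    problems = []
    if not issued:
        problems.append("no session cookie issued")
    elif len(returned) < len(issued):
        problems.append(f"browser returned {len(returned)} of {len(issued)} parts")
    if any(len(v) > BROWSER_COOKIE_LIMIT for v in issued):
        problems.append("a cookie part exceeds the browser limit")
    if len(issued) > 1:
        problems.append("session split across cookies; consider the redis store")
    return problems


if __name__ == "__main__":
    # Constructed sample: two split parts issued, only the first sent back.
    issued = [f"{COOKIE_NAME}_0=AAAA; Path=/; Secure; HttpOnly",
              f"{COOKIE_NAME}_1=BBBB; Path=/; Secure; HttpOnly"]
    print(check_roundtrip(issued, f"{COOKIE_NAME}_0=AAAA; grafana_session=x"))
```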
From the log:
Now, this was tested with:

```yaml
command:
  - --upstream=http://${UPSTREAM_SERVICE?err}:${UPSTREAM_PORT?err}
  - --session-store-type=redis
  - --redis-connection-url=redis://tasks.redis_redis:6379
```

The above error appeared exactly 2 minutes in.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
I'm using oauth2_proxy to protect Grafana. Basic flows are working: I'm redirected to the IdP (Keycloak) and then logged in as my user. I have a problem with dashboards, which trigger requests towards /api/, and those fail after the token/cookie has expired. After a page refresh it starts working again for the token expiration time.
Expected Behavior
All the browser-side requests should follow the OIDC flow and be authenticated as long as the session on the Keycloak side is valid. Tokens should be refreshed.
Current Behavior
Grafana UI requests only work as long as the token is valid; it is not refreshed.
Possible Solution
Check out the logs/flow below. The thing that seems not OK (although I'm not sure whether this is the whole problem) is that the request path is passed as state:
while
by the way I'm using
because Grafana is passing query parameters there, and I guess having extra parameters in the OIDC flow could break things, which might be something to fix too.
Steps to Reproduce (for bugs)
Browser:
Oauth2_proxy logs:
Browser:
Oauth2_proxy logs:
Context
Grafana auth proxy configuration on a Kubernetes cluster. I'm using the ingress controller auth module to redirect to oauth2_proxy.
Your Environment
kubernetes cluster, with nginx-ingress-controller:0.21.0-
oauth2_proxy.cfg:

```toml
upstreams = [ "file:///dev/null" ]
cookie_expire = "168h"
cookie_refresh = "30s"
cookie_httponly = false
cookie_secure = false
```

I tried setting cookie_domain, but it didn't help.
Seems to be similar to #29, but I'm getting set-cookie headers so I guess it is not that, though the flow of the problem is the same.