Support for WebSockets #62

Closed
andresmgot opened this issue Feb 14, 2019 · 9 comments

@andresmgot

I am using oauth2_proxy and one of the connections opens a WebSocket but I am not sure if that's supported. So far I have tried to disable the proxy for the specific URL that opens the websocket (-skip-auth-regex=/api/kube/.*) but with that I receive an error 403.

Expected Behavior

The server should receive the header Sec-WebSocket-Protocol with the bearer token and return a 101 Connection upgrade response:

screenshot from 2019-02-14 17-37-46

Current Behavior

With the set of flags I am using I am not receiving any response, the connection just hangs. These are the flags I am using:

        - --email-domain=*
        - --cookie-secure=false
        - --cookie-secret=<redacted>
        - --client-secret=<redacted>
        - --client-id=oidckube
        - --provider=oidc
        - --oidc-issuer-url=<redacted>
        - --ssl-insecure-skip-verify
        - --http-address=0.0.0.0:4180
        - --upstream=http://kubeapps/
        - --set-authorization-header
        - --pass-authorization-header

Then if I skip the auth for the URL of the websocket I receive a 403:

screenshot from 2019-02-14 17-41-59

Possible Solution

I see that there are some PRs in the previous project to add support for WebSockets, like:
bitly/oauth2_proxy#554

They didn't get merged though.

Steps to Reproduce (for bugs)

  1. Deploy oauth2_proxy with the flags above
  2. Open a websocket:
    new WebSocket(
      "api/kube/apis/extensions/v1beta1/namespaces/default/deployments?watch=true&fieldSelector=metadata.name%3Dinconclusive-lake-wordpress",
      [
        "base64url.bearer.authorization.k8s.io." + token,
        "binary.k8s.io",
      ],
    );

Your Environment

I am using Keycloak as Identity Provider in a Kubernetes cluster (minikube).

  • Version used: v3.1.0

Thanks in advance!

@ploxiln
Contributor

ploxiln commented Feb 14, 2019

I noticed that go-1.12 will add WebSocket support to httputil.ReverseProxy (which oauth2_proxy uses)
https://tip.golang.org/doc/go1.12#net/http/httputil

@andresmgot
Author

Thanks for the response @ploxiln. I have built the oauth2_proxy image using golang:1.12-rc-stretch as base image but the result is the same. Is there something else that I can try?

@JoelSpeed
Member

@andresmgot Do you have time to try merging the changes from bitly/oauth2_proxy#554 into a branch and testing this with your setup?

@cbbba18

cbbba18 commented Mar 14, 2019

Hi, I tried using bitly/oauth2_proxy#554 and got oauth2-proxy websockets working with a basic nodejs websocket connection successfully. Works great. But when I try with Jupyterlab (Tornado Server) I get "Error during WebSocket handshake: Unexpected response code: 500". Any ideas why tornado server in jupyter would have an issue?

@ploxiln
Contributor

ploxiln commented Mar 14, 2019

this feature was completed (a bit differently I think) and merged in #92

@gyson
Contributor

gyson commented Mar 22, 2019

@cbbba18 I got a similar issue. I did some investigation and made a fix at #112.

@JoelSpeed
Member

Is this issue now resolved? #92 and #112 should have fixed this and have been released?

@andresmgot
Author

Thank you all. Yes, this should be fixed now. I will reopen the issue if I find any other problem with that.

@ysaakpr

ysaakpr commented Sep 11, 2020

I am not sure whether this is fixed or not. I was trying to proxy octant using the latest 6.1.1 version of oauth_proxy, and I ended up with the same error:

create websocket client {"err": "websocket: the client is not using the websocket protocol: 'upgrade' token not found in 'Connection' header"}

Is it really solved, or am I missing some config?

    cookie_secure = false
    provider = "oidc"
    redirect_url = "https://localhost/oauth2/callback"
    oidc_issuer_url = "https://auth.example.com/"
    email_domains = [ "example.com" ]
    upstreams = [ "http://localhost:3309/" ]
    skip_provider_button =  true
    pass_access_token = true
    proxy_websockets = true
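
An upstream reports the "'upgrade' token not found in 'Connection' header" error quoted above when the handshake reaching it no longer carries `Connection: Upgrade`, for example after an intermediate hop removes the hop-by-hop headers. As an added example (not part of this thread and not oauth2_proxy's or any library's code), the Go program below runs that check over a request's headers and also extracts the bearer token from `Sec-WebSocket-Protocol` in the form used in the reproduction snippet; `hasToken`, `DiagnoseHandshake` and the sample token are hypothetical, and unpadded base64url encoding of the token is an assumption.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Subprotocol prefix the issue's reproduction snippet uses to carry the token.
const bearerPrefix = "base64url.bearer.authorization.k8s.io."

// hasToken reports whether header `name` lists `want` (comma-separated, case-insensitive).
func hasToken(h http.Header, name, want string) bool {
	for _, v := range h.Values(name) {
		for _, p := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(p), want) {
				return true
			}
		}
	}
	return false
}

// DiagnoseHandshake lists handshake problems and returns the decoded bearer token, if any.
func DiagnoseHandshake(h http.Header) (problems []string, token string) {
	for _, c := range [][2]string{{"Connection", "upgrade"}, {"Upgrade", "websocket"}} {
		if !hasToken(h, c[0], c[1]) {
			problems = append(problems, fmt.Sprintf("'%s' token not found in '%s' header", c[1], c[0]))
		}
	}
	for _, p := range strings.Split(h.Get("Sec-WebSocket-Protocol"), ",") {
		if p = strings.TrimSpace(p); strings.HasPrefix(p, bearerPrefix) {
			// Assumption: the token is unpadded base64url, as the prefix name implies.
			raw, err := base64.RawURLEncoding.DecodeString(p[len(bearerPrefix):])
			if err != nil {
				return append(problems, "bearer subprotocol is not valid base64url"), ""
			}
			token = string(raw)
		}
	}
	return problems, token
}

func main() {
	// Constructed sample: a handshake that arrived without Connection/Upgrade headers.
	h := http.Header{"Sec-Websocket-Protocol": {bearerPrefix + "c2FtcGxlLXRva2Vu, binary.k8s.io"}}
	fmt.Println(DiagnoseHandshake(h))
}
```

Logging these results on the upstream side, without the token value itself, shows whether a failed handshake was already missing its upgrade headers when it left the proxy.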
