I can't get Authorization: Bearer <token> to work with version 6.1.1 . It works with 5.1.1 #773
Comments
Hmmm, 6.1.1 is working fine for me with bearer headers. Some things I potentially see missing in your configuration that might be the source of your issue: Even though you don't use it (since you want bearer header auth). You'll need a Hopefully that helps -- I can't fully visualize your architecture or how you get the IDToken you send in the bearer header, but those are the settings I use to send IDTokens in bearer headers.
Hi, Thanks for looking into this. I did pass client and cookie secret via Kubernetes secrets; I did not realize this was not clear.
I ran into the same issue using oidc as a provider. IdP is an internally hosted Keycloak instance.
Do you refer to the id or access token? Once I try to send a previously retrieved access or ID token as "Authorization: Bearer $token" I get: The access token has the following The ID token has the following
I'm having basically the same problem. Config works in v6.0.0 and doesn't after v6.1.0.
v6.1.0 and above give me the following output, while v6.0.0 to v5.1.0 work
Hmmm - there might be odd interactions with non-oidc I'll need to dig, I believe that is ahead in the middleware chain before the generic extra JWT handlers (that assume OIDC and look for Thanks for the details!
Can also confirm I'm seeing the same issue where
I have a theory about what's happening: Because oauth2-proxy/pkg/validation/options.go Line 78 in 4a54c94
This results in oauth2-proxy/pkg/validation/options.go Line 145 in 4a54c94
If that's the case, the first provider in the chain is Keycloak's Line 237 in d9c141a
Which isn't implemented. As a workaround you can set the OIDC details you want to use to validate your sessions Long term, a Keycloak user will need to implement oauth2-proxy/providers/provider_default.go Line 120 in d9c141a
CC: @JoelSpeed - In case you have any other thoughts since you spearheaded the middleware auth chain refactor.
Long term I have this as a vision for Bearer auth to avoid issues like this: #835
I think the unifying point in all these cases is they have
I can confirm I got
I wonder if instead of ensuring providers implement Ultimately I think we want to support multiple providers and ensure that each provider has their own ability to create a session from a header token. Then users could access all of the provider options for the provider and we could potentially make these token only as well. I think we need some deeper thought about this feature as it's been mentioned a lot recently.
Fixed in #869
I really want to swap out keycloak-gatekeeper/louketo-proxy for something that actually is maintained, but I can't get oauth2-proxy to work with Kubernetes Dashboard, which is blocking this transition. Now that v7.0.0 is out, which contains #869, I still cannot get oauth2-proxy to pass the authorization bearer. Could very well be that I'm doing something wrong. This is my config:
I randomly changed Am I missing something? Or is it still broken?
@harshitmahapatra could you provide us with the URLs you used? I struggle a lot because I don't know what I should put in When I don't use the below is my config that I'm currently running.

```yaml
config:
  command:
    - --provider=oidc
    - --client-id=CLIENT_ID
    - --client-secret=CLIENT_SECRET
    - --oidc-issuer-url=https://auth.domain.tld/auth/realms/MY_REALM
    - --login-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/auth
    - --redeem-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/token
    - --profile-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/userinfo
    - --validate-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/userinfo
    - --keycloak-group=/admin
    - --pass-basic-auth=false
    - --pass-access-token=true
    - --set-xauthrequest=true
    - --set-authorization-header=true
    - --pass-authorization-header=true
    - --skip-provider-button=true
    - --skip-auth-preflight=true
    - --pass-host-header=true
    - --skip-jwt-bearer-tokens=true
    - --oidc-jwks-url=https://auth.domain.tld/auth/realms/MY_REALM/protocol/openid-connect/certs
    - --extra-jwt-issuers=https://auth.domain.tld/auth/realms/MY_REALM
```

When I switch to version 6.1.1 I'll get without
EDIT: //
@Electrofenster I don't get it, how did you make it work with these configurations?

```json
{
  "exp": 1634065121,
  "iat": 1634029121,
  "jti": "xxxxxx",
  "iss": "https://myauth.domain.com/auth/realms/master",
  "sub": "880628fa-70fa-4dd6-a1d0-7f2169f45613",
  "typ": "Bearer",
  "azp": "my.domain.com",
  "session_state": "3ade821d-374f-48d7-94c5-d82c78e3fbe5",
  "acr": "1",
  "allowed-origins": [
    "https://my.domain.com"
  ],
  "scope": "openid email profile",
  "sid": "3ade821d-374f-48d7-94c5-d82c78e3fbe5",
  "email_verified": true,
  "name": "My Name",
  "preferred_username": "my_username",
  "given_name": "name ",
  "family_name": "surname",
  "email": "name.surname@email.com"
}
```

When I set it as you did I get the following error
when I changed to
then I get the following error:
it is not clear to me why adding an already specified issuer to a list of
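The recurring question in this thread is why a Keycloak-issued bearer token is rejected by the proxy. As an added illustration (not oauth2-proxy's own code), the Go function below performs the two claim checks a proxy applies after it has verified the token signature against the issuer's JWKS: the iss claim must be in the configured issuer set (what --extra-jwt-issuers supplies) and exp must still be in the future. The realm URL and claim names come from the config and token posted above; signature verification and the audience check are left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// checkBearer accepts a bearer token only if its iss is in the configured
// issuer set (the role --extra-jwt-issuers plays) and it has not expired.
// It does NOT verify the signature: a proxy must first check that against
// the issuer's JWKS (what --oidc-jwks-url points at) before trusting claims.
func checkBearer(token string, issuers map[string]bool, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWT (expected 3 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return fmt.Errorf("payload is not JSON: %w", err)
	}
	if !issuers[c.Iss] {
		return fmt.Errorf("issuer %q is not a configured issuer", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC())
	}
	return nil
}

// main mints a token with a dummy signature segment (constructed sample, not a
// token from a real IdP) and runs the check with the realm URL from the thread.
func main() {
	realm := "https://auth.domain.tld/auth/realms/MY_REALM"
	body, _ := json.Marshal(Claims{Iss: realm, Exp: time.Now().Add(time.Hour).Unix()})
	tok := "eyJhbGciOiJSUzI1NiJ9." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
	fmt.Println(checkBearer(tok, map[string]bool{realm: true}, time.Now()))
	fmt.Println(checkBearer(tok, map[string]bool{"https://other.example": true}, time.Now()))
}
```

The second call fails with an issuer error: a token whose iss is not in the configured set is rejected even though it is otherwise well formed, which is the symptom several commenters describe.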
Did you get this working?
@pavan-pn as it's a very long time ago, I can't remember what I've done. But I switched to https://github.com/travisghansen/external-auth-server because with oauth2-proxy it's not possible to check on every request if an accessToken is valid or not.
@Electrofenster Would the #1397 PR meet your needs?
Running into this with Keycloak, everything latest and greatest:
snippet from Kubernetes deployment:
Is the solution still to use extra-jwt-issuers?
Came across a similar issue with the newest version but was able to work it out. (keycloak:17.0.1)
I attempted to use the spec @lasith011 posted above, but I still get the same error:
I've tried for several hours to make it work without success.
I've used it with the keycloak provider and the oidc provider.
I've tested with echoserver to see the
Authorization: Bearer <>
header and no luck. I think it's broken.
I am working to configure authentication for the Kubernetes dashboard.