
[AuthFailure] Invalid authentication via OAuth2: unauthorized #814

Closed
diyaachar opened this issue Oct 5, 2020 · 10 comments

Comments

@diyaachar

diyaachar commented Oct 5, 2020

Hi,

We are trying to do group authentication with keycloak via oauth2_proxy. We have multiple groups configured in keycloak and the expected behavior would be to give access to different tools via different groups.

Our configuration:

    - --http-address=0.0.0.0:4180
    - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
    - --client-id=test
    - --client-secret=<secret>
    - --login-url=https://xxx/auth/realms/realm-name/protocol/openid-connect/auth
    - --provider=keycloak
    - --provider-display-name=Login
    - --redeem-url=https://xxx/auth/realms/realm-name/protocol/openid-connect/token
    - --set-xauthrequest=true
    - --email-domain=*
    - --cookie-secure=false
    - --validate-url=https://xxx/auth/realms/realm-name/protocol/openid-connect/userinfo
    - --keycloak-group=/nexus
    - --keycloak-group=/jenkins
    - --keycloak-group=/sonar
    - --redirect-url=https://xxx/oauth2/callback
    - --oidc-issuer-url=https://xxx/auth/realms/realm-name
    - --insecure-oidc-allow-unverified-email=true
    - --email-domain=example.com
    - --pass-user-headers=true
    - --cookie-name=testcookie
    - --cookie-secret=testcookiesecretkey
    - --pass-access-token=true
    - --pass-user-headers=true
    - --pass-authorization-header=true

Expected Behavior

  1. If the user is present in "jenkins" group, then the user should be allowed to access the tool. If not, he/she should be given access to the tool.
  2. It should allow the same access for the other tools, sonar and nexus.

Current Behavior

  1. Access granting and restriction is only working for the group which is listed in the bottom (in this case "sonar" group)
  2. If we change the order in which the groups are listed, it works for whichever is at the bottom (if I put "jenkins" at the bottom, then I get access to "jenkins", and "sonar" users cannot get access; neither can "nexus" users).
  3. We are getting the following errors in the logs:

[2020/10/05 13:58:12] [requests.go:25] 200 GET https://xxx/auth/realms/realm-name/protocol/openid-connect/userinfo {"sub":"","email_verified":false,"name":"Sunny","groups":["/jenkins"],"preferred_username":"sunny","given_name":"sunny","family_name":"N","email":"sunny@example.com"}
[2020/10/05 13:58:12] [keycloak.go:80] group not found, access denied
100.100.1.38 - - [2020/10/05 13:58:12] [AuthFailure] Invalid authentication via OAuth2: unauthorized

In the browser, we are getting a 403 Permission denied error.

Your Environment

We are running this on kubernetes platform with the following tools and versions

  1. Nginx ingress - v0.34.1
  2. Keycloak - 10.0.0
  3. OAuth2_Proxy - 5.1.0

Thanks for your time in advance!!

@JoelSpeed JoelSpeed added the bug label Oct 9, 2020
@JoelSpeed
Member

Seems the provider only actually supports one group

    func (p *KeycloakProvider) SetGroup(group string) {
        p.Group = group
    }

@NickMeves has been doing some work to unify how groups are handled across providers recently, I wonder if he'd noticed this already? Or has any ideas about how we can fix this by aligning with other providers?
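As an added illustration of the point above (this is example code written for this page, not oauth2-proxy's own code), the following Go program feeds the same sequence of --keycloak-group values to two provider shapes: one with a single Group string overwritten by SetGroup, as quoted above, and one with an allow-list that every flag extends. The allow-list provider and its "no configured groups means no group restriction" rule are assumptions of the example. The userinfo JSON is a constructed copy of the response quoted in the issue log.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SampleUserInfo is a constructed copy of the userinfo response quoted in
// the issue log; it is the only input this example needs.
const SampleUserInfo = `{"sub":"","email_verified":false,"name":"Sunny","groups":["/jenkins"],"preferred_username":"sunny","given_name":"sunny","family_name":"N","email":"sunny@example.com"}`

// UserInfo holds the two fields of the userinfo JSON that matter here.
type UserInfo struct {
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
}

// ParseUserInfo decodes the userinfo JSON; a malformed body is an error,
// never an implicit "no groups" (which would silently deny or allow).
func ParseUserInfo(raw []byte) (UserInfo, error) {
	var u UserInfo
	if err := json.Unmarshal(raw, &u); err != nil {
		return UserInfo{}, fmt.Errorf("userinfo: %w", err)
	}
	return u, nil
}

// SingleGroupProvider reproduces the shape of SetGroup quoted in the thread:
// one string field, so each repeated flag overwrites the previous value.
type SingleGroupProvider struct{ Group string }

func (p *SingleGroupProvider) SetGroup(group string) { p.Group = group }

// Authorized is true when no group is configured or the user is in it.
func (p *SingleGroupProvider) Authorized(u UserInfo) bool {
	if p.Group == "" {
		return true
	}
	for _, g := range u.Groups {
		if g == p.Group {
			return true
		}
	}
	return false
}

// MultiGroupProvider is the corrected shape assumed by this example (not the
// project's code): an allow-list that every configured flag extends.
type MultiGroupProvider struct{ Groups []string }

func (p *MultiGroupProvider) AddGroup(group string) { p.Groups = append(p.Groups, group) }

// Authorized is "any configured group matches"; an empty allow-list means no
// group restriction, mirroring the single-group case above.
func (p *MultiGroupProvider) Authorized(u UserInfo) bool {
	if len(p.Groups) == 0 {
		return true
	}
	allowed := make(map[string]struct{}, len(p.Groups))
	for _, g := range p.Groups {
		allowed[g] = struct{}{}
	}
	for _, g := range u.Groups {
		if _, ok := allowed[g]; ok {
			return true
		}
	}
	return false
}

// Evaluate feeds the same --keycloak-group values, in flag order, to both
// providers and returns each one's decision for the given userinfo JSON.
func Evaluate(groupFlags []string, raw []byte) (bool, bool, error) {
	u, err := ParseUserInfo(raw)
	if err != nil {
		return false, false, err
	}
	var sp SingleGroupProvider
	var mp MultiGroupProvider
	for _, g := range groupFlags {
		sp.SetGroup(g) // last flag wins
		mp.AddGroup(g) // every flag is kept
	}
	return sp.Authorized(u), mp.Authorized(u), nil
}

func main() {
	flags := []string{"/nexus", "/jenkins", "/sonar"}
	single, multi, err := Evaluate(flags, []byte(SampleUserInfo))
	if err != nil {
		panic(err)
	}
	fmt.Printf("single-group provider allows /jenkins member: %v (only %q survived)\n", single, flags[len(flags)-1])
	fmt.Printf("allow-list provider allows /jenkins member: %v\n", multi)
}
```

With the flags in the order from the issue, the single-group provider keeps only "/sonar" and denies the "/jenkins" member, which is exactly the "group not found, access denied" line in the log; moving "/jenkins" to the last position makes it pass, and the allow-list variant passes in either order. Note that both providers compare group strings exactly: a value such as "/jenkins" with the leading slash only matches when Keycloak's Group Membership mapper is configured to emit the full group path, which the quoted userinfo response shows is the case here.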

@NickMeves
Member

Yeah - that one caught my eye.

Once this precursor PR merges: #797

I want to work with the contributor of an inflight Keycloak authZ PR to take a look at sprucing that provider up to get it aligned with our streamlined interface: #767

@diyaachar
Author

@JoelSpeed and @NickMeves , Thank you for your responses!!

Could you please let me know when this will be resolved?

And also, let me know if you think that I can use the "--keycloak-roles" option for my scenario, as an alternative??

Thanks again!! :D

Regards,
Divya

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@github-actions github-actions bot added the Stale label Dec 12, 2020
@diyaachar
Author

Hi guys,

Could you please provide some updates on this issue?

And also, I have observed that in the 6.x.x release the options "--allowed-group" (for the OIDC provider), "--oidc-groups-claim" and "--keycloak-group" (for the keycloak provider) have been removed from the documentation. Will they be added in the next release??

Thanks in advance!

@JoelSpeed JoelSpeed removed the Stale label Dec 15, 2020
@JoelSpeed
Member

All of this stuff was never meant to be in the 6.x.x docs. It will be available from the next release 😄

If you look at the top right of the docs site it should have a drop down that allows you to select between the current and "Next" docs. All the new options should show up in those "Next" docs

@diyaachar
Author

@JoelSpeed Thanks for your quick response! :D

So, from what I understand, the "--keycloak-group", "--allowed-group" and "--oidc-groups-claim" options will not be available from the next release??

@JoelSpeed
Member

Yes, these should be available in v7.0.0 which is coming mid-late Jan according to the current schedule

@diyaachar
Author

Thanks for the update @JoelSpeed :D we are looking forward to try the new version out!

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
