
Describe ingress setup for dynamic callback urls #109

Open
elsesiy opened this Issue Mar 20, 2019 · 14 comments

8 participants

elsesiy (Author) commented Mar 20, 2019

Hi @JoelSpeed,

I'm facing the same issue described in #12 and have been trying to get the described setup working but the redirect to the downstream ingress doesn't work. Do you have some more documentation on how this exactly should look like?

Here's what I did:

1. Install the chart:

```shell
helm install stable/oauth2-proxy --name login-oauth2-proxy \
    --namespace xyz \
    --set config.clientID="clientId" \
    --set config.clientSecret="clientSecret" \
    --set config.cookieSecret="cookieSecret" \
    --set extraArgs.provider="azure" \
    --set extraArgs.azure-tenant="tenantId" \
    --set extraArgs.whitelist-domain=".mydomain.com" \
    --tls
```

2. Create the ingress for oauth2_proxy:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: login-ingress-oauth2
  namespace: xyz
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: login.mydomain.com
    http:
      paths:
      - backend:
          serviceName: login-oauth2-proxy
          servicePort: 80
        path: /oauth2
  tls:
  - hosts:
    - login.mydomain.com
```

By now browsing https://login.mydomain.com/oauth2/sign_in works as expected.

3. Configure the downstream ingress to use the oauth2_proxy:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myservice-ingress
  namespace: xyz
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://login.mydomain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://login.mydomain.com/oauth2/start?rd=service.cdhamap.com"
spec:
  rules:
  - host: service.cdhamap.com
    http:
      paths:
      - backend:
          serviceName: service-backend
          servicePort: 1337
        path: /
  tls:
  - hosts:
    - service.cdhamap.com
```

Browsing https://service.mydomain.com now correctly redirects me to the Microsoft Login but still shows https://login.mydomain.com/oauth2/callback as the redirect_uri which then after successful authentication falls back to default-backend.

What am I missing?

Thanks a lot!!

r0fls commented Mar 26, 2019

I'm encountering the same problem, after successful oauth2 workflow the final URL is the oauth2-proxy URL, not the kubernetes dashboard ingress (trying to follow: https://thenewstack.io/single-sign-on-for-kubernetes-dashboard-experience/)

maxh8086 commented Mar 28, 2019

You need to publish the dashboard service on http, not on https; this is how it worked for me. After going through lots of blogs and forums, what I understood is: oauth2 proxy does not understand how to pass the token via header when the dashboard is using a self-signed certificate. Your upstream will be the dashboard service URL http://kubernetes-dashboard.kube-system.svc.cluster.local. If you still wish to SSL your dashboard, you may use a SAN certificate for oauth2 and set them up at the ingress level to handle it properly.

okgolove commented Mar 31, 2019

Hello everyone! I have the same idea. I want to have a domain like oauth.example.com, not a specified path (/oauth2) on every Ingress I want to auth using oauth.
The scheme is: Kibana (for example) ingress -> OAuth-proxy -> Keycloak, successful auth -> oauth-proxy /oauth2/callback, and in the end it redirects me to oauth.example.com with a 404.

Tried to explore something about X-Auth-Request-Redirect, but it didn't help. The main idea is to set up the final redirect to the service that requested OAuth at the start (in my case this is Kibana).

JoelSpeed (Collaborator) commented Apr 1, 2019

Hi @elsesiy, I've had a look through your config and have two suggestions that might help,

First off, make sure to set your cookie domain. It should be the parent domain of all subdomains you are protecting, and I think it needs to include the OAuth2_Proxy as well. Are your authentication and protected service on the same parent domain? (e.g. foo.bar.example.com and baz.example.com share example.com as a parent, so cookie-domain=.example.com allows the cookie to be read by them all)

Secondly, in your redirect, try adding the scheme to the beginning of the request, if you are https only then rd=https://$host$request_uri should suffice, else you can try rd=$scheme://$host$request_uri for mixed http/https (I haven't tested the latter btw)

Let me know how you get on! 😄

elsesiy (Author) commented Apr 1, 2019

@JoelSpeed Works flawlessly now, thanks. The missing piece was the cookie-domain 👍 Do you think it makes sense to create a dedicated section in the docs on how to set this up?

JoelSpeed (Collaborator) commented Apr 2, 2019

> Do you think it makes sense to create a dedicated section in the docs on how to set this up?

It really really does, but sadly no one has had time to do so yet

okgolove commented Apr 2, 2019

@elsesiy it would be great, if you were able to describe it!

maxh8086 commented Apr 2, 2019

I am also facing the same challenge. Please let me know if there is any way to add "if (condition to ensure authentication is done) { rewrite URL }" with the example below to solve this:

https://kubernetes.github.io/ingress-nginx/examples/rewrite/#examples

rather than an nginx sidecar:

https://www.callumpember.com/Kubernetes-A-Single-OAuth2-Proxy-For-Multiple-Ingresses/

```yaml
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://oauth.domain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth.domain.com/oauth2/start?rd=/redirect/$http_host$request_uri$is_args$args"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      proxy_set_header Authorization $token;
      rewrite /redirect/?(.*) https://$1 break;
```

This is my non-working setting, where I am looking for a condition to confirm authentication before the redirect. With the above setting, it redirects before authentication itself.

Looking for: rewrite if(Authenticated) {/redirect/?(.*) https://$1 break};

elsesiy (Author) commented Apr 2, 2019

@JoelSpeed @okgolove OK, I can create a PR. Shall I just add to the README or create a dedicated directory for guides & how-tos?

elsesiy (Author) commented Apr 7, 2019

Until @JoelSpeed decides where to contribute, I published a blog post for now.

samvdb commented Apr 15, 2019

@JoelSpeed's comment should work for most people. Setting cookie-domain does the trick.
One other thing that might be needed (like in my use case) is the whitelist-domain setting.

e.g.: whitelist-domain: .example.com

This fixes the invalid redirects after the first login.
Example without whitelist-domain:

Scenario 1: go to app.example.com without cookies => you will need to log in.
After login you will be redirected to auth.example.com/callback (or whatever your proxy domain is).
You will get a 404 here.

Scenario 2: go to app.example.com with cookies (you already logged in before).
Everything works...

> Hi @elsesiy, I've had a look through your config and have two suggestions that might help,
>
> First off, make sure to set your cookie domain, it should be the parent domain off all subdomains you are protecting and I think it needs to include the OAuth2_Proxy as well, are your Authentication and protected service on the same parent domain? (eg foo.bar.example.com and baz.example.com share example.com as a parent so the cookie-domain=.example.com to allow the cookie to be read by them all)
>
> Secondly, in your redirect, try adding the scheme to the beginning of the request, if you are https only then rd=https://$host$request_uri should suffice, else you can try rd=$scheme://$host$request_uri for mixed http/https (I haven't tested the latter btw)
>
> Let me know how you get on!

beebird commented Apr 15, 2019

I added whitelist-domain parameter and everything works as expected!!! I'm so happy:)

agolomoodysaada commented Apr 16, 2019

The suggested solution https://oauth.mywebsite.com/oauth2/start?rd=$scheme://$host$request_uri almost worked for me. The $host resolved to my oauth host instead of the original target host. To make nginx-ingress redirect correctly, I had to use the forwarded host using the $best_http_host variable. For example: rd=$scheme://$best_http_host$request_uri.
The $scheme worked like a charm!
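Pulling together the three fixes in this thread (cookie-domain and an rd= that carries the scheme from @JoelSpeed's comment, whitelist-domain from @samvdb's comment, and $best_http_host from the comment above), here is an added example; it is not code from oauth2-proxy, ingress-nginx, or anyone in this thread. `is_valid_redirect` is a simplified model of the whitelist rule that the whitelist-domain setting feeds, written to show why an unlisted rd= target is dropped and the user ends up on the proxy host (the 404 of scenario 1); `protected_ingress` emits the downstream Ingress with the annotation form the thread converged on. Host names, namespace and service name are assumed values in the style of the first comment.

```python
"""Added example for this thread (not oauth2-proxy's or ingress-nginx's own
code): a simplified model of the redirect-whitelist check that the
whitelist-domain setting drives, plus a builder for the downstream Ingress
annotations in the form the thread settled on."""
import json
from typing import Iterable
from urllib.parse import urlparse


def is_valid_redirect(rd: str, whitelist_domains: Iterable[str]) -> bool:
    """Decide whether `rd` may be used as the post-login redirect target.

    Simplified re-implementation (an assumption, not the project's code) of
    the rule the thread relies on: a same-site path is always allowed; an
    absolute URL is allowed only when its host matches a whitelisted domain,
    where a leading dot means the domain and all of its subdomains. Anything
    else is refused, so rd= cannot be used to bounce a user to an arbitrary
    site after login.
    """
    # Plain path, but not a protocol-relative URL such as //evil.example/
    if rd.startswith("/") and not rd.startswith(("//", "/\\")):
        return True
    if rd.startswith(("http://", "https://")):
        host = urlparse(rd).hostname or ""
        for domain in whitelist_domains:
            if domain.startswith("."):
                if host == domain[1:] or host.endswith(domain):
                    return True
            elif host == domain:
                return True
    return False


def effective_redirect(rd: str, whitelist_domains: Iterable[str]) -> str:
    """Where the user lands after login: the requested rd= if it passes the
    whitelist, otherwise "/" on the proxy host, which the proxy's ingress
    (routing only /oauth2) answers with the 404 described in scenario 1."""
    return rd if is_valid_redirect(rd, whitelist_domains) else "/"


def protected_ingress(app_host, service, port, auth_host, namespace="xyz"):
    """Build the downstream Ingress as a dict (kubectl apply accepts JSON).

    The auth-signin redirect carries the scheme and uses $best_http_host,
    the forwarded host, rather than $host, as the comments above worked out.
    All names passed in are assumed values in the style of the thread.
    """
    base = f"https://{auth_host}/oauth2"
    return {
        "apiVersion": "extensions/v1beta1",
        "kind": "Ingress",
        "metadata": {
            "name": f"{service}-ingress",
            "namespace": namespace,
            "annotations": {
                "kubernetes.io/ingress.class": "nginx",
                "nginx.ingress.kubernetes.io/auth-url": f"{base}/auth",
                "nginx.ingress.kubernetes.io/auth-signin":
                    f"{base}/start?rd=$scheme://$best_http_host$request_uri",
            },
        },
        "spec": {
            "rules": [{"host": app_host, "http": {"paths": [{
                "path": "/",
                "backend": {"serviceName": service, "servicePort": port},
            }]}}],
            "tls": [{"hosts": [app_host]}],
        },
    }


if __name__ == "__main__":
    allowed = [".mydomain.com"]  # value of --whitelist-domain, as in the helm line
    for rd in ["https://service.mydomain.com/reports?x=1",
               "/oauth2/sign_in",
               "//evil.example/",
               "https://mydomain.com.evil.example/"]:
        print(f"{rd:45} -> {effective_redirect(rd, allowed)}")
    print("same target, proxy started without whitelist-domain:",
          effective_redirect("https://service.mydomain.com/", []))
    print(json.dumps(protected_ingress("service.mydomain.com", "service-backend",
                                       1337, "login.mydomain.com"), indent=2))
```

The proxy side still needs the matching flags on the helm line from the first comment: `--set extraArgs.cookie-domain=.mydomain.com` next to the `--set extraArgs.whitelist-domain=.mydomain.com` that is already there. Running the script prints which rd= values are honoured and the manifest that `kubectl apply -f` would accept.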

okgolove commented Apr 16, 2019

Did someone try this scheme with Keycloak?
