I have a problem with authenticating a Kubernetes webapp via oauth2-proxy/Keycloak. Do you know what's wrong?
- Webapp (test-app.domain.com)
- oauth2-proxy (oauth2-proxy.domain.com)
- keycloak (keycloak-test.domain.com)
Those three apps run separately.
Description of the authentication procedure:
After opening test.domain.com, I am redirected to https://keycloak-test.domain.com/auth/realms/local/protocol/openid-connect/auth?approval_prompt=force&client_id=k8s2&redirect_uri=https%3A%2F%2Foauth2-proxy.domain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+users&state=7a6504626c89d85dad9337f57072d7e4%3Ahttps%3A%2F%2Ftest-app%2F
The Keycloak login page is displayed correctly, but after the user logs in I get a 500 Internal Server Error at URL https://oauth2-proxy.domain.com/oauth2/callback?state=753caa3a281921a02b97d3efeabe7adf%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=f5d45a13-5383-4a79-aa7a-56bbaa16056f&code=5344ae72-a9ee-448f-95ef-45e413f69f4b.f5d45a13-5383-4a79-aa7a-56bbaa16056f.78732ee5-af17-43fc-9f52-856e06bfce04
Log from oauth2-proxy:
[2021/03/16 11:25:35] [stored_session.go:76] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.30.21.14:35382 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 401 13 0.000
10.96.5.198:35502 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/start?rd=https://test-app.domain.com/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 302 400 0.000
[2021/03/16 11:25:39] [oauthproxy.go:753] Error redeeming code during OAuth2 callback: email in id_token ([email protected]) isn't verified
10.96.5.198:35502 - - [2021/03/16 11:25:39] oauth2-proxy.domain.com GET - "/oauth2/callback?state=1fe22deb33ce4dc7e316f23927b8d821%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=c69d7a8f-32f2-4a84-a6af-41b7d2391561&code=4759cce8-1c1c-4da3-ba94-9987c2ce3e02.c69d7a8f-32f2-4a84-a6af-41b7d2391561.78732ee5-af17-43fc-9f52-856e06bfce04" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 500 345 0.030
test-app ingress:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "oauth2-proxy.domain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "oauth2-proxy.domain.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: test-app
  namespace: its
spec:
  rules:
  - host: test-app.domain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-app
          servicePort: http
  tls:
  - hosts:
    - test-app.domain.com
    secretName: cert-wild.test-proxy.domain.com
oauth2-proxy config and ingress:
containers:
- name: oauth2-proxy
  image: quay.io/oauth2-proxy/oauth2-proxy:latest
  ports:
  - containerPort: 8091
  args:
  - --provider=oidc
  - --client-id=k8s2
  - --client-secret=Sd28cf1-1e14-4db1-8ed1-5ba64e1cd421
  - --cookie-secret=x-1vrrMhC-886ITuz8ySNw==
  - --oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local
  - --email-domain=*
  - --scope=openid profile email users
  - --cookie-domain=.domain.com
  - --whitelist-domain=.domain.com
  - --pass-authorization-header=true
  - --pass-access-token=true
  - --pass-user-headers=true
  - --set-authorization-header=true
  - --set-xauthrequest=true
  - --cookie-refresh=1m
  - --cookie-expire=30m
  - --http-address=0.0.0.0:8091
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  labels:
    name: oauth2-proxy
spec:
  ports:
  - name: http
    port: 8091
    targetPort: 8091
  selector:
    name: oauth2-proxy
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: oauth2-proxy
  namespace: its
spec:
  rules:
  - host: oauth2-proxy.domain.com
    http:
      paths:
      - path: /oauth2
        backend:
          serviceName: oauth2-proxy
          servicePort: 8091
  tls:
  - hosts:
    - oauth2-proxy.domain.com
    secretName: cert-wild.oauth2-proxy.domain.com
2 Answers
You can try setting --insecure-oidc-allow-unverified-email in your oauth2-proxy configuration.
Alternatively, in Keycloak, mark the user's email as verified in the user settings.
The answer is simple: delete the user in Keycloak and recreate the same user, this time with the "Email verified" toggle set to true.
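As an added diagnostic (not code from the question or from oauth2-proxy), this Python snippet decodes the claims of an id_token and reports the same rejection reasons behind the 500 in the log above: it assumes the issuer and client id from the question's oauth2-proxy args, uses constructed claim sets with a placeholder signature, and deliberately does not verify the signature, so it is for reading claims while debugging only.

```python
import base64
import json

# Values taken from the question's oauth2-proxy args; the email and token bodies are constructed.
ISSUER = "https://keycloak-test.domain.com/auth/realms/local"
CLIENT_ID = "k8s2"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_unsigned_id_token(claims: dict) -> str:
    """Build a JWS-shaped token with a placeholder signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_claims(id_token: str) -> dict:
    """Decode the payload segment only; the signature is NOT checked, so use this to
    read claims while debugging, never as a substitute for verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token(id_token: str, issuer: str, client_id: str) -> list:
    """Return the reasons an OIDC relying party such as oauth2-proxy would reject
    this token: wrong issuer, client not in aud, no email, or email_verified != true."""
    c = decode_claims(id_token)
    problems = []
    if c.get("iss") != issuer:
        problems.append(f"issuer {c.get('iss')!r} does not match {issuer!r}")
    auds = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if client_id not in auds:
        problems.append(f"client_id {client_id!r} not in aud {auds!r}")
    email = c.get("email")
    if not email:
        problems.append("no email claim in id_token")
    elif c.get("email_verified") is not True:
        # Same condition that produced the 500 in the question's oauth2-proxy log
        problems.append(f"email in id_token ({email}) isn't verified")
    return problems

# Constructed claim sets: what Keycloak issues before and after the "Email verified" toggle is set.
UNVERIFIED = make_unsigned_id_token({"iss": ISSUER, "aud": CLIENT_ID, "email": "alice@example.com", "email_verified": False})
VERIFIED = make_unsigned_id_token({"iss": ISSUER, "aud": CLIENT_ID, "email": "alice@example.com", "email_verified": True})
```

Running check_id_token on a token captured from the callback shows whether the fix belongs in Keycloak (email_verified still false) or in the proxy configuration (issuer or audience mismatch).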