
I’m facing an issue with oauth2-proxy and Ingress Nginx (with the latest versions) in a Kubernetes cluster where the X-Auth-Request headers are not being passed through to the client during the standard OAuth authentication flow. I’m specifically using Azure as the auth provider.

Here’s the relevant portion of my oauth2-proxy configuration:

pass_access_token = true
pass_authorization_header = true
pass_user_headers = true
set_xauthrequest = true

When I explicitly call /oauth2/auth, I get the headers as expected. However, during the standard OAuth2 auth flow, none of the headers are returned with any request.

This situation is somewhat similar to another question here: Oauth2-Proxy do not pass X-Auth-Request-Groups header, but in my case, I’m not receiving any of the X-Auth-Request headers, except when I call /oauth2/auth directly.

I’ve also tried adding the following snippet to my application Ingress configuration with no luck:

nginx.ingress.kubernetes.io/configuration-snippet: |
    auth_request_set $email $upstream_http_x_auth_request_email;
    access_by_lua_block {
      if ngx.var.email ~= "" then
        ngx.req.set_header("X-Auth-Request-Email", ngx.var.email)
      end
    }

I’ve gone through multiple configurations, read numerous blog posts, and scoured GitHub issues, but haven’t been able to resolve this issue. Does anyone have any insights into what could be causing this behavior?


Answers


  1. Chosen as BEST ANSWER

    This way will work:

    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $email $upstream_http_x_auth_request_email;
      add_header X-Auth-Request-Email $email;

    The only downside is that it will add the header to all the HTTP requests, even for CSS/JS files.


  2. You do have a Kubernetes Ingress resource that manages external access to the services in your cluster. That is typically defined in a YAML file and applied to your Kubernetes cluster using kubectl apply -f <filename.yaml>.

    Something like (mentioned for other readers):

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: my-ingress
      annotations:
        # annotations go here
    spec:
      rules:
      - host: myapp.mydomain.com
        http:
          paths:
          - path: /
            pathType: Prefix   # required in networking.k8s.io/v1
            backend:
              service:
                name: my-service
                port:
                  number: 80

    In the annotations section, you can specify various settings that the Nginx Ingress Controller should apply. I would suggest, from the kubernetes/ingress-nginx annotations External Authentication:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: my-ingress
      annotations:
        nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
        nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
        nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-groups, x-auth-request-email"
    spec:
      rules:
      - host: myapp.mydomain.com
        http:
          paths:
          - path: /
            pathType: Prefix   # required in networking.k8s.io/v1
            backend:
              service:
                name: my-service
                port:
                  number: 80

    (And kubectl apply -f <your-ingress-config>.yaml)

    That would explicitly tell the Ingress to pick these headers from the authentication response and pass them to the upstream application.

    Doing this updates the Ingress resource in your Kubernetes cluster and subsequently should update the Nginx Ingress Controller’s configuration. After applying, give it some time to propagate, and then you can check if the X-Auth-Request headers are being passed as you expect.

    If not, and if nothing is obvious in the kubectl logs <nginx-ingress-pod> output, check the OAuth2 Proxy logs (kubectl logs <oauth2-proxy-pod>) to see if the headers are generated as expected (because if they are not… no amount of Lua script would change the end result).
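One check that settles the "did the controller actually render my annotation?" question faster than tailing logs is to read the nginx.conf the controller generated and see which auth-response headers are wired to the backend (proxy_set_header) and which are sent back to the browser (add_header). The script below is an added example, not part of either answer or of the ingress-nginx or oauth2-proxy projects. It assumes the namespace and deployment names in the usage comment, and it assumes the controller renders each header listed in auth-response-headers as an `auth_request_set $authHeaderN` / `proxy_set_header` pair (that pattern is taken from the controller's nginx template; the exact spacing is an assumption). The sample location block it parses is constructed for the example, not dumped from a real cluster.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread: instead of guessing from the Ingress
# object, read the nginx.conf the controller actually rendered and list which
# auth-response headers go to the backend and which go back to the browser.
#
# Live usage (namespace and deployment names are assumptions, adjust to yours):
#   kubectl -n ingress-nginx exec deploy/ingress-nginx-controller -- cat /etc/nginx/nginx.conf \
#     | auth_headers_to_upstream
#
# For a location with auth-url + auth-response-headers, ingress-nginx renders one
# pair per listed header (pattern from its nginx.tmpl; exact spacing is an assumption):
#   auth_request_set $authHeader0 $upstream_http_x_auth_request_user;
#   proxy_set_header 'x-auth-request-user' $authHeader0;
# Only proxy_set_header lines fed by an $authHeaderN variable are reported, so the
# controller's own Host / X-Forwarded-* headers are ignored.
auth_headers_to_upstream() {
    sed -n "s/^[[:space:]]*proxy_set_header[[:space:]][[:space:]]*'\{0,1\}\([^' ;]*\)'\{0,1\}[[:space:]][[:space:]]*\$authHeader[0-9][0-9]*;.*/\1/p" \
        | tr 'A-Z' 'a-z' | sort -u
}

# Headers that end up in the HTTP *response* to the client: add_header directives
# whose value is an nginx variable (the add_header approach from the accepted answer,
# plus the Set-Cookie relay that ingress-nginx adds itself). Static add_header values
# such as Strict-Transport-Security are skipped on purpose.
auth_headers_to_client() {
    sed -n "s/^[[:space:]]*add_header[[:space:]][[:space:]]*\([^[:space:]]*\)[[:space:]][[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*;.*/\1/p" \
        | tr 'A-Z' 'a-z' | sort -u
}

# Constructed sample of a rendered location block (not a dump from a real cluster),
# combining the annotations from the second answer with the snippet from the first.
sample_conf() {
cat <<'EOF'
    location / {
        auth_request        /_external-auth-Lw-Prefix;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
        add_header          Set-Cookie $auth_cookie;
        auth_request_set    $authHeader0 $upstream_http_x_auth_request_user;
        proxy_set_header 'x-auth-request-user' $authHeader0;
        auth_request_set    $authHeader1 $upstream_http_x_auth_request_groups;
        proxy_set_header 'x-auth-request-groups' $authHeader1;
        auth_request_set    $authHeader2 $upstream_http_x_auth_request_email;
        proxy_set_header 'x-auth-request-email' $authHeader2;
        proxy_set_header Host $best_http_host;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # configuration-snippet from the accepted answer
        auth_request_set $email $upstream_http_x_auth_request_email;
        add_header X-Auth-Request-Email $email;
        proxy_pass http://upstream_balancer;
    }
EOF
}

# Stand-alone run: prints both lists for the constructed sample.
main() {
    echo "forwarded to upstream:"; sample_conf | auth_headers_to_upstream
    echo "returned to client:";    sample_conf | auth_headers_to_client
}
main "$@"
```

Two things to read off the output. First, `auth-response-headers` only ever populates the request to the backend; if the goal is for the browser to see a header, that has to come from an `add_header` in a snippet, which is exactly the split between the two answers. Second, an empty "forwarded to upstream" list for a location you annotated means the controller never rendered the annotation (a rejected snippet or a typo in the annotation key will do that), so look at the controller's own logs and `kubectl describe ingress` before touching oauth2-proxy. Also note that `auth-url: "https://$host/oauth2/auth"` resolves to the application's own hostname, so oauth2-proxy must be reachable under that host's `/oauth2` path for the subrequest to return any headers at all.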
