I’m facing an issue with oauth2 proxy and Ingress Nginx (with the latest versions) in a Kubernetes cluster where the X-Auth-Request headers are not being passed through to the client during the standard oauth authentication flow. I’m specifically using Azure as the auth provider.
Here’s the relevant portion of my oauth Proxy configuration:
pass_access_token = true
pass_authorization_header = true
pass_user_headers = true
set_xauthrequest = true
When I explicitly call /oauth2/auth, I get the headers as expected. However, during the standard OAuth2 auth flow, none of the headers are returned with any request.
This situation is somewhat similar to another question here: Oauth2-Proxy do not pass X-Auth-Request-Groups header, but in my case, I’m not receiving any of the X-Auth-Request headers, except when I call /oauth2/auth directly.
I’ve also tried adding the following snippet to my application Ingress configuration with no luck:
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $email $upstream_http_x_auth_request_email;
  access_by_lua_block {
    if ngx.var.email ~= "" then
      ngx.req.set_header("X-Auth-Request-Email", ngx.var.email)
    end
  }
I’ve gone through multiple configurations, read numerous blog posts, and scoured GitHub issues, but haven’t been able to resolve this issue. Does anyone have any insights into what could be causing this behavior?
2 Answers
This way will work.
The only downside is that it will add the header to all the HTTP requests, even for CSS/JS files.
You do have a Kubernetes Ingress resource that manages external access to the services in your cluster. That is typically defined in a YAML file and applied to your Kubernetes cluster using kubectl apply -f <filename.yaml>.
Something like (mentioned for other readers):
In the annotations section, you can specify various settings that the Nginx Ingress Controller should apply. I would suggest, from the kubernetes/ingress-nginx annotations External Authentication:
(And kubectl apply -f <your-ingress-config>.yaml)
That would explicitly tell the Ingress to pick these headers from the authentication response and pass them to the upstream application.
Doing this updates the Ingress resource in your Kubernetes cluster and subsequently should update the Nginx Ingress Controller’s configuration. After applying, give it some time to propagate, and then you can check if the X-Auth-Request headers are being passed as you expect.
If not, and if nothing is obvious in kubectl logs <nginx-ingress-pod> output, check the OAuth2 Proxy logs (kubectl logs <oauth2-proxy-pod>) to see if the headers are generated as expected (because if they are not… no amount of Lua script would change the end result).
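A pair of Ingress manifests using the kubernetes/ingress-nginx External Authentication annotations that the answer above refers to, as an added example that is not part of the original answer. The resource names, host name, service names and ports are assumptions; the header list is restricted to what the upstream needs, since with pass_access_token and set_xauthrequest enabled oauth2-proxy also returns X-Auth-Request-Access-Token on the auth response.

```yaml
# Added example. Values marked "assumed" are placeholders, not from the question.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app                        # assumed
  annotations:
    # Subrequest target: oauth2-proxy's auth-only endpoint (202 or 401).
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # Where unauthenticated browsers are redirected to start the login flow.
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Headers copied from the /oauth2/auth response onto the request that is
    # proxied to the upstream service. Forward only what the application
    # consumes; add X-Auth-Request-Access-Token only if it needs the token.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User, X-Auth-Request-Email"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com           # assumed
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app          # assumed
                port:
                  number: 80          # assumed
---
# The /oauth2 prefix on the same host must reach oauth2-proxy itself and
# carries no auth annotations, otherwise the login flow cannot complete.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy                  # assumed
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com           # assumed, same host as above
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy    # assumed
                port:
                  number: 4180        # oauth2-proxy's default listen port
```

These headers are added to the request sent to the upstream service, so they are checked from inside the application (for example by logging the incoming request headers) rather than in the browser's response view.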