How to authenticate against AAD (Azure Active Directory) with oauth2_proxy and obtain an Access Token
Here are some notes on authenticating against Azure Active Directory (AAD) using oauth2_proxy with Kubernetes.
First, create an application (app registration) in AAD and grant it the email, profile and User.Read permissions to Microsoft Graph.
The default behaviour of the authentication flow is that, after logging in against the Microsoft authentication server, you are redirected back to the root of the website with the authorization code (e.g. https://exampler.com/). You would expect the Access Token to be visible there; this is a faulty assumption. The Access Token is exposed by oauth2_proxy itself under https://exampler.com/oauth2. In the configuration below that is the /oauth2/auth endpoint the nginx ingress queries via auth_request: with --set-xauthrequest and --pass-access-token it returns the token in the X-Auth-Request-Access-Token response header, and only the headers listed in the auth-response-headers annotation are copied onto the request that reaches the backend.
The oauth2_proxy configuration that worked is below.
oauth2-proxy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oa2p
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=oidc
        # --azure-tenant is only read by the azure provider; with provider=oidc the
        # tenant comes from the tenant-specific --oidc-issuer-url below.
        - --azure-tenant=88888888-aaaa-bbbb-cccc-121212121212
        # Only accounts whose e-mail is in this domain are allowed through.
        - --email-domain=example.com
        - --http-address=0.0.0.0:4180
        # Return the OIDC ID token as "Authorization: Bearer ..." in the auth_request response.
        - --set-authorization-header=true
        # Return X-Auth-Request-User/-Email/-Preferred-Username headers (nginx auth_request mode);
        # together with --pass-access-token this also adds X-Auth-Request-Access-Token.
        - --set-xauthrequest=true
        - --pass-access-token=true
        - --pass-authorization-header=true
        - --pass-user-headers=true
        - --pass-host-header=true
        # Accept requests that already carry a valid JWT from the issuer as a bearer token,
        # without an oauth2_proxy session cookie.
        - --skip-jwt-bearer-tokens=true
        - --oidc-issuer-url=https://login.microsoftonline.com/88888888-aaaa-bbbb-cccc-121212121212/v2.0
        # Client id, client secret and cookie secret come from a Secret, not from the manifest.
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: OAUTH2_PROXY_COOKIE_SECRET
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oa2p
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    k8s-app: oauth2-proxy
ingress.yaml
# Ingress for the application itself: every request is first sent to oauth2_proxy's
# /oauth2/auth endpoint (nginx auth_request); unauthenticated users are redirected to
# /oauth2/start and come back to the original URI via the rd parameter.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oa2p
  namespace: oa2p
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/limit-rps: "1"
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Only the headers listed here are copied from the /oauth2/auth response onto the
    # request forwarded to the backend. Add Authorization and/or
    # X-Auth-Request-Access-Token if the backend needs the ID token or access token.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Email,X-Auth-Request-Preferred-Username"
spec:
  tls:
  - hosts:
    - oa2p.example.com
    secretName: oa2p-tls
  rules:
  - host: oa2p.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: oa2p
            port:
              number: 8080
---
# Ingress for oauth2_proxy's own endpoints (/oauth2/start, /oauth2/callback, /oauth2/auth);
# this one must NOT carry the auth-url annotation or the login flow would loop.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oa2p-proxy
  namespace: oa2p
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/limit-rps: "1"
    # AAD callback responses carry large Set-Cookie headers; the default 4k buffer is too small.
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
spec:
  tls:
  - hosts:
    - oa2p.example.com
    secretName: oa2p-tls
  rules:
  - host: oa2p.example.com
    http:
      paths:
      - path: /oauth2
        pathType: Prefix
        backend:
          service:
            name: oauth2-proxy
            port:
              number: 4180
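As an added example (not from the original notes and not part of the oauth2_proxy project), here is what the application behind the first Ingress can do with the token it receives once the flow above works. It assumes the auth-response-headers annotation has been extended with Authorization so that the ID token oauth2_proxy emits via --set-authorization-header reaches the backend; CLIENT_ID is a placeholder for the app registration's client id, and the sample token is constructed inside the script (HMAC-signed with a dummy key, unlike real RS256-signed AAD tokens) so the code runs offline. The checks are the claim checks a backend should still make even though oauth2_proxy has already verified the signature: issuer and tid match the tenant from --oidc-issuer-url, aud is this application, and the token has not expired.

```python
"""Claim checks for the AAD ID token that oauth2_proxy forwards to the backend.

oauth2_proxy (--set-authorization-header / --pass-authorization-header) emits
"Authorization: Bearer <id_token>" for an authenticated request. The signature is
assumed to have been verified by oauth2_proxy against the tenant JWKS; this code
does NOT re-verify it, so accept the header only from the ingress, never directly
from the internet.
"""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "88888888-aaaa-bbbb-cccc-121212121212"  # tenant id from the manifests above
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # ASSUMED placeholder app (client) id


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_aad_id_token(token: str, tenant_id: str, client_id: str, now: int) -> dict:
    """Return the claims if iss, tid, aud and exp match our tenant and application."""
    claims = decode_jwt_claims(token)
    # The AAD v2.0 issuer is tenant-specific and equals the --oidc-issuer-url value.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        raise ValueError("token issued for another tenant")
    if claims.get("aud") != client_id:  # an ID token's aud is the app's own client id
        raise ValueError("token not addressed to this application")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_valid_aad_id_token(token: str, tenant_id: str, client_id: str, now: int) -> bool:
    try:
        check_aad_id_token(token, tenant_id, client_id, now)
        return True
    except ValueError:
        return False


def user_from_forwarded_headers(headers: dict, tenant_id: str, client_id: str, now: int) -> str:
    """Identify the signed-in user from the headers nginx forwarded after auth_request.

    Cross-checks X-Auth-Request-Preferred-Username (forwarded because it is listed in
    auth-response-headers) against the preferred_username claim of the ID token.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("no bearer token from oauth2_proxy")
    claims = check_aad_id_token(auth[len("Bearer "):], tenant_id, client_id, now)
    upn = claims.get("preferred_username")
    forwarded = headers.get("X-Auth-Request-Preferred-Username")
    if forwarded is not None and forwarded != upn:
        raise ValueError("X-Auth-Request-Preferred-Username disagrees with the token")
    return upn


# --- constructed sample input: a token shaped like an AAD v2.0 ID token ----------
def make_sample_id_token(exp: int, aud: str = CLIENT_ID, tid: str = TENANT_ID) -> str:
    # Real AAD tokens are RS256-signed; HS256 with a dummy key is used only to run offline.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "aud": aud,
        "tid": tid,
        "exp": exp,
        "preferred_username": "alice@example.com",
    }
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(b"not-a-real-key", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


if __name__ == "__main__":
    now = int(time.time())
    sample = {  # what the backend sees after nginx copies the auth_request headers
        "Authorization": "Bearer " + make_sample_id_token(now + 3600),
        "X-Auth-Request-Preferred-Username": "alice@example.com",
    }
    print(user_from_forwarded_headers(sample, TENANT_ID, CLIENT_ID, now))
```

Run it as a script to see the resolved user. Note that the audience check is why this validates the ID token and not the Graph access token: the access token obtained with the User.Read scope is addressed to Microsoft Graph (its aud is Graph, not your client id) and is meant to be presented to Graph, so if you forward it via X-Auth-Request-Access-Token use it as a bearer token for Graph calls rather than as proof of identity for your own backend.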