
How to authenticate against AAD (Azure Active Directory) with oauth2_proxy and obtain Access Token


Here are some notes on authenticating against Azure Active Directory (AAD) with oauth2_proxy on Kubernetes.

First register an application in AAD, grant it the email, profile and User.Read delegated permissions on Microsoft Graph, and create a client secret for it. Register https://oa2p.example.com/oauth2/callback as the redirect URI: oauth2_proxy serves its own endpoints under /oauth2, and /oauth2/callback is where it receives the authorization code.

The default flow works like this: after you log in at the Microsoft authorization server, the authorization code is delivered to oauth2_proxy's callback, the proxy exchanges it for tokens and sets its session cookie, and you end up back at the root of the site (e.g. https://example.com/). You might expect the Access Token to be visible to the application there; that is a faulty assumption. In this setup the Access Token only showed up under https://example.com/oauth2, the path served by oauth2_proxy itself. For the application behind the nginx auth_request flow to receive it on other paths, the header that carries it (X-Auth-Request-Access-Token, which the proxy sets when both --set-xauthrequest and --pass-access-token are on) has to be listed in the ingress' auth-response-headers annotation; nginx copies only the headers named there to the upstream.

The oauth2_proxy configuration that worked is below.

oauth2-proxy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oa2p
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=oidc
        # --azure-tenant is read by the azure provider; with --provider=oidc the tenant
        # is fixed by the issuer URL below and this flag has no effect.
        - --azure-tenant=88888888-aaaa-bbbb-cccc-121212121212
        - --email-domain=example.com
        - --http-address=0.0.0.0:4180
        - --set-authorization-header=true
        # With --set-xauthrequest the /oauth2/auth response carries X-Auth-Request-* headers;
        # --pass-access-token adds X-Auth-Request-Access-Token to them.
        - --set-xauthrequest=true
        - --pass-access-token=true
        - --pass-authorization-header=true
        - --pass-user-headers=true
        - --pass-host-header=true
        # Requests carrying an Authorization: Bearer JWT signed by the issuer below bypass
        # the cookie session; the proxy validates issuer, audience and expiry of that JWT.
        - --skip-jwt-bearer-tokens=true
        - --oidc-issuer-url=https://login.microsoftonline.com/88888888-aaaa-bbbb-cccc-121212121212/v2.0
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: OAUTH2_PROXY_COOKIE_SECRET
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oa2p
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    k8s-app: oauth2-proxy
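The Deployment reads its client id, client secret and cookie secret from a Secret named oauth2-proxy-secret that the post does not show. The following is an added example, not code from the original post or from oauth2-proxy, that generates that Secret. The client id and client secret values are placeholders to be replaced with the ones from the AAD app registration; the cookie secret is generated here. oauth2-proxy accepts the cookie secret raw or base64-encoded and refuses to start unless it decodes to 16, 24 or 32 bytes (the AES key sizes it encrypts the session cookie with), so the script checks that before emitting the manifest.

```python
"""Build the oauth2-proxy-secret Secret referenced by the Deployment above.

Added example, not from the original post or from oauth2-proxy. Client id and
client secret are placeholders; the cookie secret is generated here.
"""
import base64
import binascii
import json
import secrets

SECRET_NAME = "oauth2-proxy-secret"   # must match the Deployment's secretKeyRef
NAMESPACE = "oa2p"
VALID_LENGTHS = (16, 24, 32)          # AES-128/192/256 key sizes accepted by oauth2-proxy


def new_cookie_secret(nbytes: int = 32) -> str:
    """Return a fresh cookie secret of `nbytes` random bytes, URL-safe base64 encoded."""
    if nbytes not in VALID_LENGTHS:
        raise ValueError("oauth2-proxy cookie secret must be 16, 24 or 32 bytes")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()


def cookie_secret_is_valid(value: str) -> bool:
    """Mirror oauth2-proxy's rule: raw value of 16/24/32 bytes, else base64 decoding to that size."""
    if len(value.encode()) in VALID_LENGTHS:
        return True
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            if len(decoder(value)) in VALID_LENGTHS:
                return True
        except (ValueError, binascii.Error):
            continue
    return False


def secret_manifest(client_id: str, client_secret: str, cookie_secret: str) -> dict:
    """Return a Kubernetes Secret object (kubectl apply -f accepts JSON as well as YAML)."""
    if not cookie_secret_is_valid(cookie_secret):
        raise ValueError("cookie secret would be rejected by oauth2-proxy at start-up")
    data = {
        "OAUTH2_PROXY_CLIENT_ID": client_id,
        "OAUTH2_PROXY_CLIENT_SECRET": client_secret,
        "OAUTH2_PROXY_COOKIE_SECRET": cookie_secret,
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": SECRET_NAME, "namespace": NAMESPACE},
        "type": "Opaque",
        # Secret.data holds base64 of the raw value, so the cookie secret is base64 twice here:
        # Kubernetes hands the container the once-decoded string and oauth2-proxy decodes it again.
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


if __name__ == "__main__":
    manifest = secret_manifest(
        client_id="11111111-2222-3333-4444-555555555555",   # placeholder app (client) id
        client_secret="replace-with-the-AAD-client-secret",  # placeholder
        cookie_secret=new_cookie_secret(),
    )
    print(json.dumps(manifest, indent=2))   # pipe into: kubectl apply -f -
```

Run it once, pipe the output into kubectl apply -f -, and keep the generated cookie secret out of version control; rotating it invalidates every existing session cookie, which is the intended effect after a suspected leak.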

ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oa2p
  namespace: oa2p
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/limit-rps: "1"
    # Every request to / is first checked against oauth2_proxy; a 401 sends the browser to auth-signin.
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Only the headers listed here are copied from the /oauth2/auth response to the upstream.
    # Add X-Auth-Request-Access-Token if the application itself needs the Access Token.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Email,X-Auth-Request-Preferred-Username"
spec:
  tls:
  - hosts:
    - oa2p.example.com
    secretName: oa2p-tls
  rules:
    - host: oa2p.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: oa2p
                port:
                  number: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oa2p-proxy
  namespace: oa2p
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/limit-rps: "1"
    # The proxy's responses carry large Set-Cookie headers (the session holds the AAD tokens);
    # the default buffer is too small for them.
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
spec:
  tls:
  - hosts:
    - oa2p.example.com
    secretName: oa2p-tls
  rules:
    - host: oa2p.example.com
      http:
        paths:
          # /oauth2 (start, callback, auth, sign_out, ...) is served by oauth2_proxy, not the app.
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180