MS Azure OAuth2 proxy - Token based authentication not oauth_proxy cookie
I finally made it work using the following configuration:
deployment.yaml for OAuth2 proxy:
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: oauth2-proxy
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: 'bitnami/oauth2-proxy:latest'
          args:
            - '--provider=azure'
            - '--azure-tenant=TENANT_ID'
            - '--skip-jwt-bearer-tokens=true'
            - >-
              --oidc-issuer-url=https://sts.windows.net/TENANT_ID/
            - >-
              --extra-jwt-issuers=https://login.microsoftonline.com/TENANT_ID/v2.0=CLIENT_ID
            - '--request-logging=true'
            - '--auth-logging=true'
            - '--standard-logging=true'
          ports:
            - containerPort: 4180
              protocol: TCP
          env:
            - name: OAUTH2_PROXY_AZURE_TENANT
              value: TENANT_ID
            - name: OAUTH2_PROXY_CLIENT_ID
              value: CLIENT_ID
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: CLIENT_SECRET
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: COOKIE_SECRET
            - name: OAUTH2_PROXY_HTTP_ADDRESS
              value: '0.0.0.0:4180'
            - name: OAUTH2_PROXY_UPSTREAM
              value: 'http://your-host'
            - name: OAUTH2_PROXY_EMAIL_DOMAINS
              value: '*'
```
ingress.yaml for OAuth2 proxy:
```yaml
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: oauth2-proxy
  namespace: default
  labels:
    app: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
    # in my case the generated cookie was too big so I had to add the below parameters
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-buffers-number: '4'
spec:
  tls:
    - hosts:
        - YOUR_HOST
  rules:
    - host: YOUR_HOST
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy
              servicePort: 4180
```
In addition to those configuration files, I also had to change the value for accessTokenAcceptedVersion in the Azure application registration manifest. By default this value is set to null, which means it will go for V1 tokens instead of V2 as specified in the extra-jwt-issuers argument.
```json
"accessTokenAcceptedVersion": 2
```
After those changes were in place, I was able to use the token generated through the Azure token endpoint in order to go through the OAuth2 proxy and reach my application's exposed APIs:
HTTP POST to https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Body:
- client_id: YOUR_CLIENT_ID
- grant_type: client_credentials
- client_secret: YOUR_CLIENT_SECRET
- scope: api://YOUR_CLIENT_ID/.default - this was generated by me, but it should work with MS Graph as well
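The token-based path in the answer above comes down to one rule on the proxy side: a bearer token is accepted only if its issuer is one of the configured issuers (the one from --oidc-issuer-url or one from --extra-jwt-issuers) and its audience is the client id paired with that issuer, and the token is validly signed and unexpired. The Python below is an added example, not code from the answer or from the oauth2-proxy project; it models those checks with a constructed HS256 token and a demo HMAC key so it runs offline (real Azure tokens are RS256 and are verified against the tenant's published signing keys, but the issuer, audience and expiry logic is the same). TENANT_ID, CLIENT_ID, the key and all claims are constructed placeholders. It also shows why the accessTokenAcceptedVersion change matters: the v1-style token in the demo carries the App ID URI (api://CLIENT_ID) as its audience, as v1 access tokens issued for an api:// scope do, which does not match the configured client id, while the v2 token carries the client id itself.

```python
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # constructed placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # constructed placeholder
DEMO_SECRET = b"constructed-demo-hmac-key"            # stand-in for Azure's RS256 signing keys

# Mirrors the two flags in the deployment above: the v1 issuer from
# --oidc-issuer-url and the v2 issuer=audience pair from --extra-jwt-issuers.
ACCEPTED_ISSUERS = {
    f"https://sts.windows.net/{TENANT_ID}/": CLIENT_ID,
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0": CLIENT_ID,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT from constructed claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_bearer_token(token: str, accepted=ACCEPTED_ISSUERS,
                        secret: bytes = DEMO_SECRET, now=None):
    """Return (accepted, reason): signature, issuer, audience and expiry checks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable header or payload"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    issuer = claims.get("iss")
    if issuer not in accepted:
        return False, f"issuer not configured: {issuer}"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if accepted[issuer] not in audiences:
        return False, f"audience mismatch: {aud}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "accepted"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the checks over constructed tokens; each key names the scenario."""
    v2_iss = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    v1_iss = f"https://sts.windows.net/{TENANT_ID}/"
    base = {"exp": now + 3600, "sub": "client-credentials-demo"}
    cases = {
        # accessTokenAcceptedVersion: 2 -> v2 issuer, audience is the client id
        "v2_token": make_token({**base, "iss": v2_iss, "aud": CLIENT_ID}),
        # accessTokenAcceptedVersion: null -> v1 token whose audience is the
        # App ID URI, which matches neither configured audience
        "v1_token_app_id_uri_aud": make_token(
            {**base, "iss": v1_iss, "aud": f"api://{CLIENT_ID}"}),
        "unknown_issuer": make_token(
            {**base, "iss": "https://login.microsoftonline.com/other-tenant/v2.0",
             "aud": CLIENT_ID}),
        "expired": make_token({**base, "iss": v2_iss, "aud": CLIENT_ID, "exp": now - 1}),
        "tampered": make_token({**base, "iss": v2_iss, "aud": CLIENT_ID}, secret=b"other-key"),
    }
    return {name: verify_bearer_token(tok, now=now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result}")
```

Only the v2 token is accepted; the v1-style token is rejected on audience, which is the failure the accessTokenAcceptedVersion change resolves. Signature is checked before any claim is read, so a tampered token never reaches the issuer or audience logic.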
I am using a Kubernetes deployment model inside Azure, having an OAuth2 proxy which is protecting the cluster resources by enabling SSO login. I have the OAuth service running successfully, I also have the application ingress and the OAuth ingress deployed. But when I access the application URL, I got 500 Internal error. If I access the OAuth ingress URL, I got the login window. I can provide the details on the OAuth deployment yaml and the application ingress and OAuth ingress yaml.