MS Azure OAuth2 proxy - Token based authentication not oauth_proxy cookie

kubernetes


I finally made it work using the following configuration:

deployment.yaml for OAuth2 proxy:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: oauth2-proxy
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: 'bitnami/oauth2-proxy:latest'
          args:
            - '--provider=azure'
            - '--azure-tenant=TENANT_ID'
            - '--skip-jwt-bearer-tokens=true'
            - >-
              --oidc-issuer-url=https://sts.windows.net/TENANT_ID/
            - >-
              --extra-jwt-issuers=https://login.microsoftonline.com/TENANT_ID/v2.0=CLIENT_ID
            - '--request-logging=true'
            - '--auth-logging=true'
            - '--standard-logging=true'
          ports:
            - containerPort: 4180
              protocol: TCP
          env:
            - name: OAUTH2_PROXY_AZURE_TENANT
              value: TENANT_ID
            - name: OAUTH2_PROXY_CLIENT_ID
              value: CLIENT_ID
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: CLIENT_SECRET
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: COOKIE_SECRET
            - name: OAUTH2_PROXY_HTTP_ADDRESS
              value: '0.0.0.0:4180'
            - name: OAUTH2_PROXY_UPSTREAM
              value: 'http://your-host'
            - name: OAUTH2_PROXY_EMAIL_DOMAINS
              value: '*'

ingress.yaml for OAuth2 proxy:

kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: oauth2-proxy
  namespace: default
  labels:
    app: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
    # in my case the generated cookie was too big so I had to add the below parameters
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-buffers-number: '4'
spec:
  tls:
    - hosts:
        - YOUR_HOST
  rules:
    - host: YOUR_HOST
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy
              servicePort: 4180

In addition to those configuration files, I also had to change the value of accessTokenAcceptedVersion in the Azure application registration manifest. By default this value is set to null, which means it will go for V1 tokens instead of the V2 tokens specified in the extra-jwt-issuers argument.

"accessTokenAcceptedVersion": 2

After those changes were in place, I was able to use the token generated through the Azure token endpoint to go through the OAuth2 proxy and reach the APIs exposed by my application:

HTTP POST to https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Body:
  - client_id: YOUR_CLIENT_ID
  - grant_type: client_credentials
  - client_secret: YOUR_CLIENT_SECRET
  - scope: api://YOUR_CLIENT_ID/.default - this was generated by me, but it should work with MS Graph as well
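An added diagnostic (not part of the answer above, nor oauth2-proxy's own code) for checking a token returned by the Azure endpoint before sending it through the proxy: it builds the client_credentials request body from the answer and inspects a JWT's iss, aud and ver claims against the --extra-jwt-issuers setting, which is where the V1/V2 mismatch caused by accessTokenAcceptedVersion shows up. TENANT_ID and CLIENT_ID are the answer's placeholders; make_unsigned_token produces a constructed, unsigned token only so the checks run offline.

```python
import base64
import json
import urllib.parse

# Placeholders matching the answer above; substitute real values when running.
TENANT_ID = "TENANT_ID"
CLIENT_ID = "CLIENT_ID"


def token_request_body(client_id, client_secret, scope=None):
    """Form-encoded body for the client_credentials grant the answer describes."""
    scope = scope or f"api://{client_id}/.default"
    return urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_secret": client_secret,
        "scope": scope,
    })


def _b64url(data):
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """Constructed UNSIGNED token (alg=none) for offline tests only.
    oauth2-proxy verifies real signatures against the issuer's JWKS."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token):
    """Decode a JWT payload without verifying it, purely for inspection."""
    _header, payload, _sig = token.split(".")
    return json.loads(_unb64url(payload))


def diagnose(token, tenant_id=TENANT_ID, audience=CLIENT_ID):
    """Say why oauth2-proxy, configured as in the answer, would reject a token."""
    c = jwt_claims(token)
    if c.get("ver") == "1.0" or c.get("iss") == f"https://sts.windows.net/{tenant_id}/":
        return "v1 token: set accessTokenAcceptedVersion to 2 in the app manifest"
    if c.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        return f"issuer {c.get('iss')} is not in --extra-jwt-issuers"
    if c.get("aud") != audience:
        return f"audience {c.get('aud')} differs from the value after '=' in --extra-jwt-issuers"
    return "ok"
```

Paste the access_token from the real token response into diagnose() to see which of the three configuration points (token version, issuer, audience) the proxy would trip on.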


I am using a Kubernetes deployment model inside Azure, having an OAuth2 proxy which is protecting the cluster resources by enabling SSO login. I have the OAuth service running successfully, and I also have the application ingress and the OAuth ingress deployed. But when I access the application URL, I get a 500 Internal error. If I access the OAuth ingress URL, I get the login window. I can provide the details on the OAuth deployment yaml and the application ingress and OAuth ingress yaml.