oauth2-proxy | reverse proxy that provides authentication | OAuth library
kandi X-RAY | oauth2-proxy Summary
A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.

Note: This repository was forked from bitly/OAuth2_Proxy on 27/11/2018. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.

Note: This project was formerly hosted as pusher/oauth2_proxy but has been renamed as of 29/03/2020 to oauth2-proxy/oauth2-proxy. Going forward, all images shall be available at quay.io/oauth2-proxy/oauth2-proxy and binaries will be named oauth2-proxy.
Trending Discussions on oauth2-proxy
QUESTION
I am trying to add authentication to my cluster by using an oauth2-proxy. Locally I tested and it is working as expected: when I go to the landing page it redirects me to an IP such as GitHub. After login, I am redirected to my page and everything is working as expected. For some odd reason, when porting from local to the cluster living in the Google cloud, I am not getting redirected to GitHub for authentication. I have two ingresses, one for the oauth2-proxy (ingress-oauth2-proxy) and another for all of the apps (ingress-apps). I added the Nginx annotations and still nothing.
Here is the Ingress YAML file used for the creation of the ingress rules
ANSWER
Answered 2021-May-19 at 15:12
Ok, I figured it out: the problem was the Ingress controller used. I installed the Nginx controller from the repo helm.nginx.com/stable, which is nginxinc and does not support the annotations. Therefore they were being ignored. To fix it I just used the kubernetes.github.io/ingress-nginx/deploy/#gce-gke. This is better explained here: Nginx ingress controller authentication not working
Cheers! :)
QUESTION
So here is the deal. I am using Kubernetes and I want to protect the applications inside of the cluster. Therefore I added an oauth2-proxy and, in case the user is not logged in, it is redirected to GitHub. After the login is done, the user is redirected to the app (Login Diagram). For now, I have two dummy deployments of an echo-http server (echo1 and echo2) and Jenkins. I am doing everything locally with minikube, so please don't mind the domain names.
In Jenkins, I installed the GitHub OAuth plugin and configured it as said in the multiple posts I found (e.g., Jenkins GitHub OAuth). I also created the GitHub OAuth application and set the callback. Since I want to have SSO for multiple applications besides Jenkins, I set the callback to https://auth.int.example.com/oauth2/callback instead of https://jenkins.int.example.com/securityRealm/finishLogin. Therefore, after login on GitHub, I get redirected to the Jenkins webpage but as a guest. If I try to log in, I end up in an error. I used Helm to set up the oauth2-proxy (k8s-at-home/oauth2-proxy).
Am I missing something?
These are the ingress configurations of the oauth2-proxy and the ingress controller that I am using.
Nginx Ingress
ANSWER
Answered 2021-May-05 at 09:19
Nice auth architecture you are building there!
I would say that you may have overlooked the fact that Jenkins has its own authentication. You also need to configure Jenkins itself to allow OAuth2 access via GitHub.
So what is really going on? Your OAuth proxy solution is great. You can build apps in your k8s cluster without having to worry about user management or authentication directly from your app. However, this is useful only for apps that don't have their own authentication mechanisms. The OAuth proxy is simply protecting the access to the backend webserver. Once you are allowed by the proxy, you interact directly with the app, so if the app requires authentication, so will you as end user.
My advice would be to use the OAuth proxy for apps that don't have user management mechanisms, and leave open access to apps that have authentication mechanisms, like Jenkins. Otherwise you could end up with double authentication (proxy and Jenkins in this case), which is not so great.
Then, to keep the high-level concept of accessing your cluster with GitHub accounts, you need to configure those user-based apps to also make use of GitHub OAuth2. This way the access to the cluster is homogeneous (you just need your GitHub account), but the actual integration has two different types: apps that don't require user management (they are protected by the OAuth proxy), and apps with authentication, which are then configured with GitHub's OAuth2 independently.
QUESTION
Following the previous question on Stack Overflow at this link, after successful authentication (at Github.com) I get 404 page not found on my browser.
The Ingress configuration below (used by the nginx-ingress controller):
ANSWER
Answered 2020-Nov-12 at 12:35
According to the oauth2-proxy documentation you MUST use kubernetes/ingress-nginx.
Here you can read more about the differences between the nginxinc/kubernetes-ingress and kubernetes/ingress-nginx Ingress Controllers.
In the oauth2-proxy docs (mentioned earlier) you can find the following:
When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.
QUESTION
I am trying to use Keycloak with OAuth2 to secure kubernetes-dashboard. I found several posts about this error, but none was specific to my problem. Maybe I just missed a simple step..
So far I followed this guide: https://jamesveitch.com/homelab/02.idam/02.keycloak/
Keycloak is installed in the Kubernetes cluster within the namespace keycloak. Kubernetes-dashboard is installed within the namespace kubernetes-dashboard.
Keycloak is reachable under auth.mydomain.com and the dashboard should be reachable under dashboard.mydomain.com.
I have created a user "test" and assigned a group kubernetes-admin which I would use to grant access to the dashboard.
I configured Keycloak like this:
- Created a new realm "dev"
- Created a user test and a group kubernetes-admin
- Created a new client "dashboard"
  - Access Type: confidential
  - Service Account enabled: on
  - Valid Redirect Url: https://dashboard.mydomain.com/oauth/callback
  - Created a Mapper for groups (Type: Group Membership, TokenClaimName: groups)
For the Clusterbinding of kubernetes-admin I use this YAML:
ANSWER
Answered 2020-Nov-03 at 13:37
I just found out how to handle this error:
First, we need to change the URL within Keycloak to https://dashboard.mydomain.com/*
Under the dashboard - Mapper - groups, deactivate the full group path. This removes the leading slash of groups within your token (you can check at Client Scope - Evaluate). This is needed for the oauth2 parameter --keycloak-group=kubernetes-admin
Create a Client Scope "Users" under the dev realm - at Client Scopes with default values
Now change to the second tab "Default Client Scope" under Client Scopes and assign "Users" as Default Client Scope
Add this Client Scope "Users" under Client -> Dashboard - Client Scope
Add the -scope parameter to the oauth2 deployment: --scope=users
The upstream is correctly assigned in the above sample to access the dashboard directly within the cluster. So no change is needed there.
After this you should be able to open the dashboard without errors. But I still have a problem: the bearer token is sent, but currently not used to log in automatically.. you still have to paste your token.. So I am still investigating to get this to work..
QUESTION
Calling a URL which is proxied by the oauth2 proxy. The oauth2 proxy should perform an authorization code flow in case no authentication is available. In case there is already an authentication available, the access token should be set in the Authorization header of the request which is forwarded to the upstream.
What I tried
According to the documentation I'd expect that, when setting --pass-authorization-header, the token which is requested should be added to the authorization header.
I also experimented with --pass-access-token, which should set an X-Forwarded-Access-Token header.
I couldn't see this header at my service either.
Could someone explain to me what I'm doing wrong?
ANSWER
Answered 2020-Oct-30 at 14:38
I found the solution.
This post on a GitHub issue led me to my mistake.
I did misunderstand what the request is and what the response is and how to handle them using nginx ingresses.
If you are using OAuth2-Proxy with a Kubernetes ingress using nginx subrequests (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/) the data that comes back to nginx is actually an HTTP response, so you will need to use HTTP response headers (the --pass-* options configure request headers to the upstream). Try --set-authorization-header and then you need to use this annotation to have Kubernetes take the subrequest response header and add it to the proxied request header: nginx.ingress.kubernetes.io/auth-response-headers https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication
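One way to wire this up on kubernetes/ingress-nginx, as an added example that is not part of the original answer: one Ingress exposes oauth2-proxy under /oauth2, the other protects the app with the auth subrequest annotations and copies the subrequest's Authorization response header onto the proxied request. The namespace, Service names, ports and host are assumed, not taken from the page.

```yaml
# Added example, not code from the original post: two Ingress objects for
# kubernetes/ingress-nginx. Assumed (not from the page): namespace "apps",
# Services "oauth2-proxy" (port 4180) and "my-app" (port 8080), host app.example.com.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: apps
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /oauth2
        pathType: Prefix
        backend:
          service:
            name: oauth2-proxy
            port:
              number: 4180
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: apps
  annotations:
    # ingress-nginx issues a subrequest here before proxying; oauth2-proxy answers
    # 202 for a valid session cookie and 401 otherwise.
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # On 401 the client is redirected to start the login flow and then back to rd.
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # The subrequest returns a *response*; copy its Authorization header onto the
    # request proxied to my-app. Needs oauth2-proxy --set-authorization-header=true.
    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 8080
```

As the earlier answers on this page note, these annotations are only honoured by kubernetes/ingress-nginx; the nginxinc controller ignores them silently.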
QUESTION
I am trying to convert a docker-compose.yaml for Keycloak to Chart values, and I'm a bit stuck with this:
The Docker Compose config looks like this:
ANSWER
Answered 2020-Aug-29 at 15:43
You can use the kompose tool to directly convert Docker Compose to Kubernetes files. If you want to make a Helm chart, just replace with templates and provide values in the chart values. Also, a Kubernetes deployment has a command field in the YAML.
As you can see in github.com/codecentric/helm-charts/blob/master/charts/keycloak/… the command is set by .Values.command
So in the file github.com/codecentric/helm-charts/blob/master/charts/keycloak/… replace command: [] with your docker-compose command.
QUESTION
I have installed helm on a GKE Cluster. Installation is fine
ANSWER
Answered 2020-Jul-08 at 17:02
Use helm hub to search for any chart such as nginx and you can use the command given there to install the chart. Please note: not all charts are available in the stable repo. You need to update the local helm repo to be able to install the chart.
helm repo update
helm install stable/nginx-ingress
QUESTION
I am running an app in a kubernetes service on Azure and have had it set up with an NGINX ingress controller and a public IP address with a FQDN. This was all working fine.
I then wanted to add security by using the oauth2-proxy for third-party sign-in. I would like to keep my setup to one ingress controller and one oauth2_proxy per namespace, with multiple apps running together. As Azure does not support the use of sub-domains for this, I have been using paths to route to the correct app. I've seen examples, like this, on how to use one oauth2_proxy for multiple sub-domains, but is it possible to get it working with multiple paths instead?
Setup
This is the current working setup with only one app, located on root /. I would like to switch to an app-specific path and the ability to run multiple apps on different paths, e.g. /my-app, /another-app etc.
oauth2-proxy-config.yaml
ANSWER
Answered 2020-Apr-05 at 21:44
Sure, it's doable with multiple ingress paths inside a single Ingress resource definition, please check this working example:
QUESTION
I am attempting to protect a service's status page with an oauth2_proxy, using Azure AD as the external auth provider. Currently, if I browse to the public URL of the app (https://sub.domain.com/service/hangfire) I get a 504 gateway timeout, where it should be directing me to authenticate.
I had been mostly following this guide for reference: https://msazure.club/protect-kubernetes-webapps-with-azure-active-directory-aad-authentication/
If I disable the annotations that direct the authentication, I can get to the public status page without a problem. If I browse to https://sub.domain.com/oauth2, I get a prompt to authenticate with my provider, which I would expect. I am not sure where the issue lies in the ingress config, but I was unable to find any similar cases to this online, on Stack Overflow or otherwise.
In this case, everything (oauth deployment, service, and ingress rules) lives in a 'dev' namespace except the actual ingress deployment, which lives in its own namespace. I don't suspect this makes a difference, but SSL termination is handled by a gateway outside the cluster.
oauth2 deployment:
ANSWER
Answered 2019-May-22 at 13:38
This is what I've been doing with my oAuth proxy for Azure AD:
QUESTION
I want to use Azure Active Directory as an external oauth2 provider to protect my services at the ingress level. In the past, I used basic auth and everything worked as expected. But nginx provides the external oauth method, which sounds much more comfortable!
For that I created an SP:
ANSWER
Answered 2020-Jan-16 at 15:48
So you need another ingress for the oAuth deployment as well. Here's how my setup looks:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install oauth2-proxy
Choose how to deploy:
a. Download Prebuilt Binary (current release is v7.2.1)
b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy/v7 which will put the binary in $GOROOT/bin
c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, PPC64LE, ARMv6 and ARM64 tags available)
Select a Provider and Register an OAuth Application with a Provider
Configure OAuth2 Proxy using config file, command line options, or environment variables
Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)