
Comments (13)

JoelSpeed avatar JoelSpeed commented on June 12, 2024 5

Hi @loispostula,

Just a couple of thoughts on this. Does the error persist when you have --pass-authorization-header=false? What happens in this case?

Have you also tried --cookie-secure=true? I notice your redirect URL is on HTTPS so the cookie should be set to HTTPS also

from oauth2-proxy.

infinitydon avatar infinitydon commented on June 12, 2024 4

@JoelSpeed - No matter the combination of settings that I do, I keep on getting 'Error loading cookied session: Cookie "_oauth2_proxy" not present' persistently, with 401 in the Nginx ingress logs.

Configuration currently being used:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: pages-test-ingress
spec:
  rules:
  - host: xxx-test.infra.xxx.eu
    http:
      paths:
      - backend:
          serviceName: nginx-pages
          servicePort: 80
        path: /
  tls:
  - hosts:
    - xxx-test.infra.xxx.eu
    secretName: pages-test-tls
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: xxx-test.infra.xxx.eu
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 4180
        path: /oauth2
  tls:
  - hosts:
    - xxx-test.infra.xxx.eu
    secretName: pages-test-tls
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=gitlab
        - --email-domain=*
        - --http-address=0.0.0.0:4180
        - --upstream=file:///dev/null
        - -cookie-domain=.xxx-test.infra.xxx.eu
        - -whitelist-domain=.xxx-test.infra.xxx.eu
        # Register a new application
        env:
        - name: OAUTH2_PROXY_REDIRECT_URL
          value: https://xxx-test.infra.xxx.eu/oauth2/auth
        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
          value: REDACTED
        #- name: OAUTH2_PROXY_PASS_ACCESS_TOKEN
        #  value: "true"
        - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
          value: "true"
        #- name: OAUTH2_PROXY_SET_AUTHREQUEST
        #  value: "true"
        #- name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
        #  value: "true"
        - name: OAUTH2_PROXY_CLIENT_ID
          value: REDACTED
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: REDACTED
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: REDACTED
        image: quay.io/pusher/oauth2_proxy:latest
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP


frco9 avatar frco9 commented on June 12, 2024 2

@ap1969 I had almost the same issue.
I'm using oauth2_proxy in a Kubernetes cluster; the issue was with the nginx-ingress-controller:

upstream sent too big header while reading response header from upstream

I just had to increase the buffer size: https://andrewlock.net/fixing-nginx-upstream-sent-too-big-header-error-when-running-an-ingress-controller-in-kubernetes/


ajcollett avatar ajcollett commented on June 12, 2024 1

Edit: My issue is that I was using http but never set the OAUTH2_PROXY_COOKIE_SECURE=false. After doing this it worked.

I have now deployed this properly and it's working!

--- Original

Same as @infinitydon above, there is NO cookie when redirected back to the OAuth2_proxy.
I checked in the logs and "inspected" in the browser.

I am working with a self-hosted GitLab instance, which seems like it might be the case with @infinitydon too.

I see the below in the logs:

[AuthFailure] Invalid authentication via OAuth2: unable too obtain CSRF cookie

What does that mean?


ap1969 avatar ap1969 commented on June 12, 2024

Hi,

I know this issue is old, but I'm seeing the same thing, so thought I'd:

A) Check if @loispostula got the issue resolved? And if so, can you share any details?

B) Provide some details for my own setup, where I'm trying to pass the JWT from my OIDC provider to my upstream system.

I'm running oauth2_proxy on Kubernetes, proxying requests to an Angular single-page app running in a different container based on the nginx:stable-alpine docker image.

I've tried a few setups, all of which correctly intercept the initial request, present the login page, redirect out to Auth0.com and return back to my URL. However:

WITHOUT AUTH HEADER, WITHOUT SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=false --cookie-secure false

This redirects to the upstream app, but there is no auth header. Cookie exists.

WITH AUTH HEADER, WITHOUT SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=true --cookie-secure false

This generates a 502 error. No cookie. Log entries are:

146.162.240.243 - - [02/May/2019:09:44:12 +0000] cp.dev.env.notifium.com GET - "/oauth2/callback?code=iQMzt5I1t75vxxx&state=xxxb97c24a6bcaf2136152131d1723%3A%2Fauth%2Flogin" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" 302 34 0.312
2019/05/02 09:44:13 oauthproxy.go:745: 167.99.86.85:35596 ("146.162.240.243") authentication complete Session{email:[email protected] user: token:true id_token:true expires:2019-05-03 09:44:12.936531323 +0000 UTC m=+86440.405422668}
2019/05/02 09:44:13 oauthproxy.go:796: 167.99.86.85:35640 ("146.162.240.243") Cookie "_oauth2_proxy_cp" not present

WITH AUTH HEADER, WITH SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=true --cookie-secure true

This generates a 502 error. No cookie. Log entries as above.

WITHOUT AUTH HEADER, WITH SECURE COOKIE

--http-address=0.0.0.0:4180 --cookie-httponly=false --cookie-name=_oauth2_proxy_cp --email-domain=* --oidc-issuer-url=https://xxx.auth0.com/ --provider=oidc --proxy-prefix=/oauth2 --upstream=http://controlpanel --config=/etc/oauth2_proxy/oauth2_proxy.cfg
--pass-authorization-header=false --cookie-secure true

This redirects to the app, but there is no auth header. Cookie exists.

Between each test, I'm clearing all cookies, and the _csrf cookie is set when I am directed to the login page.

I've also tried all the above 4 cases with --set-authorization-header=true, and they all go to 502 page.

Any help would be REALLY appreciated!

Regards,
Andy


JoelSpeed avatar JoelSpeed commented on June 12, 2024

Hi @ap1969, one thing I would recommend trying is to use the browser debug console to inspect the requests/responses from a login flow. One of the responses from the OAuth2 Proxy should have in it a set-cookie header. Check the domain that this is being set on, I suspect it is not the one you want!

You can set the cookie domain explicitly using the --cookie-domain flag 😀

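The check Joel describes above (inspect the Set-Cookie header and compare its attributes with the URL the browser is redirected to) can be scripted. The Go program below is an added example written for this page; it is not oauth2-proxy code. It reuses net/http's own Set-Cookie parser and reports why a browser would refuse to send the cookie back: Secure flag on a plain-http redirect (the cause ajcollett found with OAUTH2_PROXY_COOKIE_SECURE), a Domain attribute that does not cover the request host (the --cookie-domain case), a Path mismatch, or an empty value, which is a cookie being cleared rather than set. The sample header and hostnames are constructed placeholders modelled on the one quoted in the thread; the function names are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample, modelled on the Set-Cookie header quoted in the thread;
// cp.domain.com is a placeholder, not a real deployment.
const sampleSetCookie = "_oauth2_proxy_cp=; Path=/; Domain=cp.domain.com; Expires=Thu, 02 May 2019 10:37:16 GMT; Secure"

// parseSetCookie reuses net/http's Set-Cookie parser, so attributes are read
// exactly as a Go server (oauth2-proxy is written in Go) would emit them.
func parseSetCookie(header string) (*http.Cookie, error) {
	resp := &http.Response{Header: http.Header{"Set-Cookie": []string{header}}}
	cookies := resp.Cookies()
	if len(cookies) == 0 {
		return nil, fmt.Errorf("no parseable cookie in %q", header)
	}
	return cookies[0], nil
}

// cookieHostMatches applies the RFC 6265 domain-match rule: a Domain attribute
// (leading dot ignored) matches that host and every subdomain of it. A cookie
// with no Domain attribute is host-only; this example assumes it was set by
// the same host that is being requested, so it is treated as matching.
func cookieHostMatches(cookieDomain, requestHost string) bool {
	d := strings.ToLower(strings.TrimPrefix(cookieDomain, "."))
	h := strings.ToLower(requestHost)
	if d == "" {
		return true
	}
	return h == d || strings.HasSuffix(h, "."+d)
}

// diagnose returns the reasons a browser would not send the cookie described
// by setCookie on a request to requestURL. An empty slice means it would be sent.
func diagnose(setCookie, requestURL string) ([]string, error) {
	c, err := parseSetCookie(setCookie)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(requestURL)
	if err != nil {
		return nil, err
	}
	reqPath := u.Path
	if reqPath == "" {
		reqPath = "/"
	}
	var findings []string
	if c.Secure && u.Scheme != "https" {
		findings = append(findings, "Secure flag is set but the request is plain http; the browser will never send it (serve over TLS, or use --cookie-secure=false only for a non-TLS test setup)")
	}
	if !cookieHostMatches(c.Domain, u.Hostname()) {
		findings = append(findings, fmt.Sprintf("Domain=%s does not cover host %s; set --cookie-domain explicitly", c.Domain, u.Hostname()))
	}
	if c.Path != "" && !strings.HasPrefix(reqPath, c.Path) {
		findings = append(findings, fmt.Sprintf("Path=%s does not cover request path %s", c.Path, reqPath))
	}
	if c.Value == "" {
		findings = append(findings, "empty value: this header clears the cookie instead of storing a session")
	}
	return findings, nil
}

func main() {
	for _, target := range []string{
		"https://cp.domain.com/oauth2/callback",
		"http://cp.domain.com/oauth2/callback",
	} {
		findings, err := diagnose(sampleSetCookie, target)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(target)
		if len(findings) == 0 {
			fmt.Println("  cookie would be sent")
		}
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Paste the Set-Cookie line from the browser's network tab into sampleSetCookie and the callback URL into the target list; a finding other than the empty-value one is the attribute to fix before changing anything else in the proxy configuration.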

ap1969 avatar ap1969 commented on June 12, 2024

Hi Joel,
Thanks for getting back so quickly.

I can see the set-cookie in the initial load when rendering the login page:

Set-Cookie: _oauth2_proxy_cp=; Path=/; Domain=cp.domain.com; Expires=Thu, 02 May 2019 10:37:16 GMT; Secure

Then on return to the callback, there's an initial hit to /oauth2/callback, with a 308 redirect to what seems to be the same URL, and that redirect has no set-cookie header.

Then the final /oauth2/callback request returns the 502 error, also with no set-cookie header.

Does that help?

Andy


ap1969 avatar ap1969 commented on June 12, 2024

Hi Joel,
I've compiled a version of oauth2_proxy with some extra debugging lines in it, but I'm still stuck.

SaveSession() calls SetSessionCookie(), which is trying to write two cookies:

"_oauth2_proxy_0=[...]
MVhMZDJwTlE3L2lOd3I4Ky93MHdaMXZuc2U4Ykczd0R2Um1wWUZOVVJWZHphNkJxTVVRNXM1b1p5SndFYWpZdERhWEx5T09DN3ZLcThUTHNWSkE3Nk5mc1BnQmZjVEJyNk96NWVNbHp1VEo2eWxLK3FCQm9haEFpRFVMVHZsUkxKcnNUMDhSWm5EdElzSzVGVE90YXlLWHRvSWg2dzYyUVJZMkdkOEFKbDdPT01Gek9PcEl1bVdMc0JqbDVBWElzU1JuMDEyc00yRGpQeWVHYkM2OGNYUmtTR0UxS2xFMUlWb3Q4ajhDUUdOaVlpM0pBUWxGQ0FtNnZ0dUhpM2JXaUVMbk8yc08xSXhjRS9lVzlPS3MyY29odngzczdHbU04dHdMb21MZDh1ZDYrWjUvYklta09oQkN3cllTdFAyanNoVklpVnRMaHdhYzlrU241UmdUMmFDUks4RnZIaUsrWjRianlRZTBwUkVLQmNOaGxxdHQ2bktSVmlWMHE1R0lCSjFKOUtqelJZN1Y1Um9GcCsvN2RDdXh3VVhzTzBzem0yQjFIL25TOEtjOGZuTHRnaEx0U0J5NStWemZqcWFEbDRRMjkwckxmM0V4K3pWWjJpaG01VnpBNkdDT3dLVnRSRVdpUmJNWHZYR2dUaytkUGtsdkM4NFkrdlZCVTBwbUhJVUd4SERGM0JnVDdoZXB4QTh5emR2NGFKY3Z1Q3A0aGJUUVpndTFXazlpZHFWNWZCcHU0OVZsOTE3QUdwMlRTcy9LMnJEQkhMRmtndDdwRnRrSW9JVnV6K0RFczc3azBIN0ZqUGRwc0NNNURLc1dRYVBXb3NaZjhzT29SdjJrYSszUnJ4c01qWklvenhBNFc0eGxXSG9zVElUYVB6QjZUaXhyendGQk8raElHTkdGaGVXeWtzUnBtNGdXSjltUWVqQ3YyTy8vbXZBSG5CbmYrRVEwS3krS2J6OEo2MzZCQXp1NjZMdHY3WmRZdm5iN2lEK0FlemgvUFRSTU1aUnIxZlpRMVZ5NDQvdW9PN1dSWU1QT05Xa3VPcWlFVnhYL0JKV0JrREYySTRvbGRoUGo5SkFzY2taSERoYXlUMXVRWU42QTFadTlCeVpQWVFpN3YweXI3WEpOcVJueHJ6b01VclZIZ3doeUxMWFhwMVFEdVlPMmlSaSt1d3B3MXVpZDBhcWlLNlYvV2hTdm41YWppS2I3dEliSU91NHJrMEpYSHRZZmNqMWJPdFZkc1YwZTZ5QnVrOU5hWEJDVytITHVzdWNCYVVScGlVS2ZpL3BqOXlLdHRiRGlsREIyZE52UjErbzFveVdWdm5kSDdGa0FsZTM4eS9XWm9RUVN2clI5TDVmdjRLb0dZcHRYaW9POWhHajN2SnZkTmZOd1pxQmNjcTRZZWt3dWpXZEQ4Z3hSZ0RMOVZnZFA0aGhIYzNWVTBvNGxheEZzMHdNazl4VDVFY0xVSEtDY3JDZHlPS3ZzanUvQ1dIWk5Ma0lrZWJjdnF6MElpQWhmWklYTENEM1ZKQlRuaGZEa3NlamFqTEdiWHBSa0l0eGFtUjIxTjBlMDNhem50Z1NVSHZ5ZGJoSnFJMldHQlVXTG1CNzNidXRPZGlPZDY1WXRkTTZrYnlWeERJUE53UmhKOGJLMnJOaFRxUEM4R2p4aTRRM1Q0MUtBa3RnSk9vMWFCZWF4QndiL3QzS1gra0J2WXZwN2FPTkZGd1AzUU9nd2ozTUNhMlFLWGxncTd4RGpLdkNZbjdPR1dicG1vQ1J6UDFBOEhNaWkxMFgvRVdIZ08vRno5Q2NuV2p1aHF1Ty9ub2tGenI1UzNaWkhuRjFZZ1ZXZHBZN1doK3dwd2Y5aTFLN2JWNWhFVVBnelF5a1hNb0d0SW15cThO; Path=/; Expires=Fri, 10 May 2019 13:58:52 GMT"

and

"_oauth2_proxy_1=[...]|1556891932|98JRJQmNFB2iwPZ3Tqh_X7EojtA=; Path=/; Expires=Fri, 10 May 2019 13:58:52 GMT"

However, neither of those actually seem to be set in the browser, which is odd as the next line in SetSessionCookie is http.SetCookie(rw, c), which should work just fine as it's the core http module, if I understand correctly (I'm new to Go).

And I'm definitely not able to find any set-cookie headers in the request to oauth2_proxy's /callback.

Any thoughts?


ap1969 avatar ap1969 commented on June 12, 2024

OK, I'm making some progress. I see from the nginx conf example that when using the --set-authorization-header flag, some providers' cookies can exceed 4 KB, so that explains the output in the code above.

However, I'm still not setting the cookie headers.

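Two observations in this thread share one mechanism: the _oauth2_proxy_0 / _oauth2_proxy_1 pair that ap1969 saw SetSessionCookie write, and the "upstream sent too big header" 502 that frco9 fixed with a larger nginx proxy-buffer-size. A session carrying an id_token and access token does not fit in one cookie, so it is split into numbered chunks, and the combined Set-Cookie headers can then exceed the proxy buffer of an nginx in front. The Go program below is an added example written for this page, not oauth2-proxy's own implementation: it splits a large session value into chunks, reassembles them (refusing a set with a gap), and measures the resulting response-header bytes against nginx's default buffer. The 4000-byte chunk limit and the 4096-byte buffer size are this example's assumptions, and the session blob is a constructed stand-in.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Assumed chunk limit: browsers cap one cookie at roughly 4 KB, so anything
// larger must be split. 4000 is this example's figure, not an oauth2-proxy constant.
const maxChunkLen = 4000

// Assumed nginx default: proxy_buffer_size is one memory page, 4k on most
// platforms (8k on some). The conservative 4096 is used here.
const nginxDefaultProxyBufferSize = 4096

// Constructed sample: a 9000-byte base64-looking blob standing in for an
// encrypted session that carries both an id_token and an access token.
var sampleSession = strings.Repeat("MVhMZDJwTlE3L2lOd3I4Ky93MHdaMXZuc2U4", 250)

// splitSessionCookie returns one cookie named name if the value fits, otherwise
// cookies name_0, name_1, ... each holding at most maxLen bytes. tmpl supplies
// the shared attributes (Path, Domain, Secure, HttpOnly, Expires).
func splitSessionCookie(name, value string, maxLen int, tmpl http.Cookie) []*http.Cookie {
	if len(value) <= maxLen {
		c := tmpl
		c.Name, c.Value = name, value
		return []*http.Cookie{&c}
	}
	var out []*http.Cookie
	for i, start := 0, 0; start < len(value); i, start = i+1, start+maxLen {
		end := start + maxLen
		if end > len(value) {
			end = len(value)
		}
		c := tmpl
		c.Name = fmt.Sprintf("%s_%d", name, i)
		c.Value = value[start:end]
		out = append(out, &c)
	}
	return out
}

// joinSessionCookies reverses the split. It returns ok=false when the numbered
// chunks are not contiguous from _0, so a request that lost a chunk is rejected
// rather than decrypted from a truncated value.
func joinSessionCookies(name string, cookies []*http.Cookie) (string, bool) {
	chunks := map[int]string{}
	for _, c := range cookies {
		if c.Name == name {
			return c.Value, true
		}
		if !strings.HasPrefix(c.Name, name+"_") {
			continue
		}
		idx, err := strconv.Atoi(strings.TrimPrefix(c.Name, name+"_"))
		if err != nil {
			continue
		}
		chunks[idx] = c.Value
	}
	var b strings.Builder
	n := 0
	for {
		v, ok := chunks[n]
		if !ok {
			break
		}
		b.WriteString(v)
		n++
	}
	if n == 0 || n != len(chunks) {
		return "", false
	}
	return b.String(), true
}

// setCookieHeaderBytes is the size of the Set-Cookie lines as they appear in
// the HTTP response, which is what nginx must fit into proxy_buffer_size.
func setCookieHeaderBytes(cookies []*http.Cookie) int {
	n := 0
	for _, c := range cookies {
		n += len("Set-Cookie: " + c.String() + "\r\n")
	}
	return n
}

// exceedsProxyBuffer reports whether the response headers alone already exceed
// the given buffer, the condition behind "upstream sent too big header".
func exceedsProxyBuffer(cookies []*http.Cookie, bufferSize int) bool {
	return setCookieHeaderBytes(cookies) > bufferSize
}

func main() {
	tmpl := http.Cookie{Path: "/", Secure: true, HttpOnly: true}
	chunks := splitSessionCookie("_oauth2_proxy", sampleSession, maxChunkLen, tmpl)
	for _, c := range chunks {
		fmt.Printf("%s: %d bytes\n", c.Name, len(c.Value))
	}
	fmt.Printf("Set-Cookie headers total %d bytes; exceeds %d-byte proxy buffer: %v\n",
		setCookieHeaderBytes(chunks), nginxDefaultProxyBufferSize,
		exceedsProxyBuffer(chunks, nginxDefaultProxyBufferSize))
}
```

The header total is the number to compare with the ingress annotation: a 16k proxy-buffer-size, as in infinitydon's configuration, covers three chunks of this size, while the default does not.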

JoelSpeed avatar JoelSpeed commented on June 12, 2024

> And I'm definitely not able to find any set-cookie headers in the request to oauth2_proxy's /callback.

Just to double-check, you mean the response here rather than the request? Do you have the --cookie-domain flag set? If not, could you try it with this set?

Could you please also supply your complete configuration including the config file and flags? (redacting any sensitive information of course)

Could you also supply a snippet of the logs you get when you are trying this?


JoelSpeed avatar JoelSpeed commented on June 12, 2024

Could you also try running a build from the latest master please?


ghostsquad avatar ghostsquad commented on June 12, 2024

@infinitydon why do some of the args you are passing to oauth2_proxy start with two hyphens, and others with one?

      - args:
        - --provider=gitlab
        - --email-domain=*
        - --http-address=0.0.0.0:4180
        - --upstream=file:///dev/null
        - -cookie-domain=.xxx-test.infra.xxx.eu
        - -whitelist-domain=.xxx-test.infra.xxx.eu

According to the oauth2_proxy --help, all arguments use a single hyphen (-)


github-actions avatar github-actions commented on June 12, 2024

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

