Hey @YangminZhu, I've tried Better External Authorization to set up the system.
I can see Oauth2-Proxy is getting the authorization header (JWT token), but the same token is not reaching the nginx container (test app in my case), even though --set-authorization-header=true is set in the Oauth2-Proxy deployment.
The Auth Success message is also present in the Oauth2-Proxy container log.
Below is my setup:
- Istio 1.9.2
- Keycloak as OIDC provider
- Oauth2-Proxy to manage the OIDC flow
- Mesh Config changes
- Nginx as example app
The nginx container is not getting the Authorization header (JWT token).
Below is my config for the Oauth2-Proxy deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:latest
          args:
            - --session-store-type=redis
            - --redis-connection-url=redis://redis-master.redis.svc.cluster.local:6379
            - --provider=oidc
            - --cookie-samesite=lax
            - --cookie-refresh=1h
            - --cookie-expire=4h
            - --email-domain=*
            - --http-address=0.0.0.0:4180
            - --upstream=static://200
            - --skip-provider-button=true
            - --whitelist-domain=.xyz.net
            - --oidc-issuer-url=http://keycloak-service:10003/auth/realms/testrealm
            - --login-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/auth
            - --redeem-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/token
            - --validate-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
            - --profile-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
            - --standard-logging=true
            - --auth-logging=true
            - --request-logging=true
            - --cookie-secure=false
            - --cookie-name=_oauth2_proxy_istio_ingressgateway
            - --cookie-httponly=true
            - --cookie-domain=.xyz.net
            - --insecure-oidc-allow-unverified-email=true
            - --set-xauthrequest=true
            - --set-authorization-header=true
            - --pass-access-token=true
            - --pass-authorization-header=true
            - --scope=openid
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              value: testclient
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: a64bc82a-8d8b-4f09-930c-ce4cd1463661
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: 892c869573095108535811657f0408ea
          ports:
            - containerPort: 4180
              protocol: TCP
Mesh Config:
apiVersion: v1
data:
  mesh: |-
    extensionProviders:
      - name: "oauth2-proxy.oauth2-proxy"
        envoyExtAuthzHttp:
          service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
          port: "4180"
          includeHeadersInCheck: ["authorization", "cookie"]
          headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
          headersToDownstreamOnDeny: ["content-type", "set-cookie"]
@YangminZhu FYI. The authorization policy with CUSTOM action seems right to me. The documentation is about a sample external authorizer. Not sure if there's anything missing that can lead to this when used with OAuth2-proxy.
Hello, below is my understanding:
Envoy's external authorization filter expects 'HTTP 200' (--upstream=static://200); only then will it redirect to the istio ingress gateway URL (or the URL which we hit in the browser first). If I hit the ingress-gateway-url/oauth2/auth endpoint (with HTTP 202) I can see the authorization header.
@YangminZhu @incfly: Any help or lead would help me a lot. It seems I'm near but not able to get the authorization header.
@incfly Below is the formatted yaml:
apiVersion: v1
kind: Namespace
metadata:
  name: oauth2-proxy
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
    - name: http
      port: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.1
          args:
            - --session-store-type=redis
            - --redis-connection-url=redis://redis-master.redis.svc.cluster.local:6379
            - --provider=oidc
            - --provider-display-name=Keycloak
            - --cookie-samesite=lax
            - --cookie-refresh=1h
            - --cookie-expire=4h
            - --email-domain=*
            - --http-address=127.0.0.1:4180
            - --upstream=static://200
            - --skip-provider-button=true
            - --whitelist-domain=.xyz.net
            - --oidc-issuer-url=http://keycloak-svc:10003/auth/realms/testrealm
            - --login-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/auth
            - --redeem-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/token
            - --validate-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
            - --profile-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
            - --standard-logging=true
            - --auth-logging=true
            - --request-logging=true
            - --cookie-secure=false
            - --cookie-name=_oauth2_proxy
            - --cookie-httponly=true
            - --cookie-domain=.xyz.net
            - --insecure-oidc-allow-unverified-email=true
            - --scope=openid
            - --skip-auth-strip-headers=false
            - --pass-authorization-header=true
            - --set-xauthrequest=true
            - --pass-access-token=true
            - --set-authorization-header=true
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              value: testclient
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: a64bc82a-8d8b-4f09-930c-ce4cd1463661
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: 892c869573095108535811657f0408ea
          ports:
            - containerPort: 4180
              protocol: TCP
And Mesh Config:
apiVersion: v1
data:
  mesh: |-
    extensionProviders:
      - name: "oauth2-proxy.oauth2-proxy"
        envoyExtAuthzHttp:
          service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
          port: "4180"
          includeHeadersInCheck: ["authorization", "cookie"]
          headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
          headersToDownstreamOnDeny: ["content-type", "set-cookie"]
Hi @Rahul_Raman_Mishra,
have you managed to solve this problem?
Hey @ricosega; yes, I was able to solve it. Do you have any questions?
Yep, finally got it. Thank you.
@Rahul_Raman_Mishra can you share any details on how you solved your issue?
Can you share how? Thank you in advance.
pkmuru
December 29, 2021, 12:54pm
I had the same issue; deleting and redeploying the AuthorizationPolicy fixed the issue for me. Also make sure there is no typo in headersToUpstreamOnAllow.
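The two checks this thread keeps coming back to, whether the envoyExtAuthzHttp provider's headersToUpstreamOnAllow list actually names the headers oauth2-proxy puts on its /oauth2/auth response, and whether that list has a typo, can be scripted. The lint below is an added example for this thread, not Istio or oauth2-proxy code. It encodes the documented contract: Istio copies onto the upstream request only those headers that appear in the authorizer's response and match a headersToUpstreamOnAllow pattern, and oauth2-proxy sets x-auth-request-user/x-auth-request-email only with --set-xauthrequest, x-auth-request-access-token only when --pass-access-token is also set, and Authorization only with --set-authorization-header. The provider dict and argument list are constructed copies of the config posted above; the helper names (parse_flags, expected_response_headers, lint) are my own.

```python
"""Lint an Istio envoyExtAuthzHttp provider against the oauth2-proxy flags it fronts.

Added example for the thread above, not Istio or oauth2-proxy code. Header names
follow oauth2-proxy's documented /oauth2/auth response headers and Istio's
headersToUpstreamOnAllow semantics (headers copied from the authz *response*).
"""
import fnmatch
import re

# Kubernetes FQDN the provider must point at: <service>.<namespace>.svc.cluster.local
SERVICE_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.svc\.cluster\.local$")


def parse_flags(args):
    """Turn ['--a=b', '--flag'] into {'a': 'b', 'flag': 'true'} (hypothetical helper)."""
    flags = {}
    for arg in args:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value or "true"
    return flags


def expected_response_headers(flags):
    """Headers oauth2-proxy adds to its /oauth2/auth response for these flags."""
    headers = set()
    if flags.get("set-xauthrequest") == "true":
        headers |= {"x-auth-request-user", "x-auth-request-email"}
        if flags.get("pass-access-token") == "true":
            headers.add("x-auth-request-access-token")
    if flags.get("set-authorization-header") == "true":
        headers.add("authorization")
    return headers


def lint(provider, args):
    """Return a list of (level, message) findings; 'error' means headers will be lost."""
    flags = parse_flags(args)
    cfg = provider["envoyExtAuthzHttp"]
    findings = []

    if not SERVICE_RE.match(cfg.get("service", "")):
        findings.append(("warn", f"service '{cfg.get('service')}' is not a <svc>.<ns>.svc.cluster.local name"))

    # Without the session cookie in the check request every check is unauthenticated.
    in_check = [h.lower() for h in cfg.get("includeHeadersInCheck", [])]
    if "cookie" not in in_check:
        findings.append(("error", "includeHeadersInCheck lacks 'cookie'; oauth2-proxy never sees the session"))

    # Istio matches headersToUpstreamOnAllow exactly or with a '*' prefix/suffix wildcard.
    patterns = [h.lower() for h in cfg.get("headersToUpstreamOnAllow", [])]
    expected = expected_response_headers(flags)
    for pat in patterns:
        if not any(fnmatch.fnmatchcase(h, pat) for h in expected):
            findings.append(("warn", f"headersToUpstreamOnAllow entry '{pat}' matches no header "
                                     "oauth2-proxy sets with these flags (typo or missing --set-* flag)"))
    for h in sorted(expected):
        if not any(fnmatch.fnmatchcase(h, pat) for pat in patterns):
            findings.append(("error", f"oauth2-proxy sets '{h}' but headersToUpstreamOnAllow omits it; "
                                      "Istio will drop it before the upstream"))

    # The check request carries the original path, so '/' must answer 2xx: static://200.
    if flags.get("upstream") != "static://200" and "pathPrefix" not in cfg:
        findings.append(("error", "--upstream is not static://200 and no pathPrefix is set; "
                                  "checks on ordinary paths will not be answered with 2xx"))

    # Loopback binding only works while the sidecar forwards inbound traffic to localhost.
    addr = flags.get("http-address", "")
    if addr.startswith(("127.0.0.1:", "localhost:")):
        findings.append(("warn", f"--http-address={addr} binds loopback only; fine behind an Istio <1.10 "
                                 "sidecar, unreachable once inbound goes to the pod IP (Istio 1.10+)"))
    return findings


# Constructed copies of the provider and deployment args posted in this thread.
POSTED_PROVIDER = {
    "name": "oauth2-proxy.oauth2-proxy",
    "envoyExtAuthzHttp": {
        "service": "oauth2-proxy.oauth2-proxy.svc.cluster.local",
        "port": "4180",
        "includeHeadersInCheck": ["authorization", "cookie"],
        "headersToUpstreamOnAllow": ["authorization", "path", "x-auth-request-user",
                                     "x-auth-request-email", "x-auth-request-access-token"],
        "headersToDownstreamOnDeny": ["content-type", "set-cookie"],
    },
}
POSTED_ARGS = [
    "--provider=oidc", "--http-address=127.0.0.1:4180", "--upstream=static://200",
    "--skip-auth-strip-headers=false", "--pass-authorization-header=true",
    "--set-xauthrequest=true", "--pass-access-token=true", "--set-authorization-header=true",
]

if __name__ == "__main__":
    for level, msg in lint(POSTED_PROVIDER, POSTED_ARGS):
        print(f"{level}: {msg}")
```

Run against the posted config it reports no errors, only that "path" is not a header oauth2-proxy will ever return (so it is dead weight, not a cause) and that the loopback bind is version-sensitive; a misspelled entry such as x-auth-reqest-user shows up as both a warning on the typo and an error for the header that is consequently dropped, which is the failure pkmuru describes.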
Hello guys,
Have you managed to resolve this problem? I still encounter this issue…