External Authorization with OAuth_Proxy2 GET 404

Hi,

I have followed this post but I haven’t been able to make it work.

I can authenticate through oauth2 proxy, but once I am authenticated, I always get a 404.

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
    - to:
      - operation:
          hosts: [
            "kibana.example.com"
          ]

Istio config

meshConfig:
    extensionProviders:
      - name: "oauth2-proxy"
        envoyExtAuthzHttp:
          service: "oauth2-oauth2-proxy.oauth2.svc.cluster.local"
          port: "80"
          includeHeadersInCheck: ["authorization", "cookie"] 
          headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
          headersToDownstreamOnDeny: ["content-type", "set-cookie"]

OAuth2 Proxy config

extraArgs:
  provider: oidc
  oidc-issuer-url: https://accounts.google.com
  email-domain: example.com
  session-store-type: redis
  redis-connection-url: redis://redis-master.oauth2.svc.cluster.local:6379
  set-authorization-header: "true"
  pass-authorization-header: "true"
  pass-host-header: "false"
  cookie-name: _oauth2_proxy_istio
  cookie-domain: .example.com
  cookie-refresh: 1h
  cookie-expire: 4h
  cookie-secure: "true"
  cookie-samesite: lax
  skip-provider-button: "true"
  pass-access-token: "true"
  silence-ping-logging: "true"
  whitelist-domain: .example.com
  set-xauthrequest: "true"
  reverse-proxy: "true"

Logs:

oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 -  user@example.com[2021/02/13 12:32:55] kibana.example.com GET - "/" HTTP/1.1 "" 404 19 0.005
oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 - user@example.com [2021/02/13 12:32:57] kibana.example.com GET - "/" HTTP/1.1 "" 404 19 0.000
oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 -  user@example.com [2021/02/13 12:32:57] kibana.example.com GET - "/favicon.ico" HTTP/1.1 "" 404 19 0.000

Istio version: 1.9.0
OAuth Proxy version: 7.0.0

Thanks!!

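An added triage helper, not part of this thread, for reading the oauth2-proxy access-log lines quoted above. It assumes the oauth2-proxy v7 default request log format (client, user, timestamp, host, method, upstream, URI, protocol, user agent, status, size, duration), optionally preceded by the pod and container columns that kubectl logs or stern prepend, and it tolerates the missing space before "[" seen in the first line. The point it surfaces: in all three lines the upstream column is "-" and the 404 has a 19-byte body, which is Go's stock "404 page not found" page, i.e. oauth2-proxy itself answered after authentication because it had nothing to proxy to. The fourth sample line is constructed to show what a request answered by a configured upstream looks like.

```python
"""Triage helper for oauth2-proxy request logs (added example, not from the thread).

Assumes the oauth2-proxy v7 default request log format, optionally prefixed by the
"<pod> <container>" columns that kubectl logs / stern prepend.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One access-log line:
#   client - user [timestamp] host method upstream "uri" proto "user-agent" status size duration
# re.search skips any pod/container prefix; " ?\[" tolerates a missing space before "[".
LOG_RE = re.compile(
    r'(?P<client>\S+) - +(?P<user>\S+?) ?\[(?P<ts>[^\]]+)\] '
    r'(?P<host>\S+) (?P<method>[A-Z]+) (?P<upstream>\S+) "(?P<uri>[^"]*)" '
    r'(?P<proto>HTTP/[\d.]+) "(?P<agent>[^"]*)" (?P<status>\d{3}) (?P<size>\d+) (?P<dur>[\d.]+)\s*$'
)

GO_NOT_FOUND_BODY_LEN = len("404 page not found\n")  # 19: Go's default http.NotFound body


@dataclass
class Record:
    client: str
    user: str
    host: str
    method: str
    upstream: str
    uri: str
    status: int
    size: int


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; returns None for lines that are not request logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Record(
        client=m["client"], user=m["user"], host=m["host"], method=m["method"],
        upstream=m["upstream"], uri=m["uri"],
        status=int(m["status"]), size=int(m["size"]),
    )


def diagnose(rec: Record) -> str:
    """Classify what oauth2-proxy did with one request forwarded by Envoy ext_authz."""
    if rec.status == 404 and rec.upstream == "-":
        # The user column already holds an address, so the session is fine; the 404
        # comes from oauth2-proxy's own mux because no upstream handled the path.
        tag = "no-upstream"
        if rec.size == GO_NOT_FOUND_BODY_LEN:
            tag += " (default Go 404 body)"
        return tag
    if 200 <= rec.status < 300:
        return "allowed"  # any 2xx from the check service is treated as allowed by Envoy
    if rec.status in (301, 302, 303, 307, 401, 403):
        return "denied-or-redirect"  # relayed to the client via headersToDownstreamOnDeny
    return "other"


def triage(lines: List[str]) -> List[dict]:
    """Parse and classify every request line, skipping anything unparseable."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        out.append({"user": rec.user, "uri": rec.uri, "upstream": rec.upstream,
                    "status": rec.status, "verdict": diagnose(rec)})
    return out


# The three lines from the post above, plus one constructed line (not from the thread)
# showing the shape once an upstream such as static://200 answers the check request.
SAMPLE_LOG = [
    'oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 -  user@example.com[2021/02/13 12:32:55] kibana.example.com GET - "/" HTTP/1.1 "" 404 19 0.005',
    'oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 - user@example.com [2021/02/13 12:32:57] kibana.example.com GET - "/" HTTP/1.1 "" 404 19 0.000',
    'oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 -  user@example.com [2021/02/13 12:32:57] kibana.example.com GET - "/favicon.ico" HTTP/1.1 "" 404 19 0.000',
    # constructed: authenticated request answered by a static://200 upstream
    '127.0.0.1 - user@example.com [2021/02/13 12:40:00] kibana.example.com GET static://200 "/" HTTP/1.1 "" 200 13 0.001',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run it against `kubectl logs` output of the oauth2-proxy pod: a run of "no-upstream" verdicts for an already-identified user means the check request reached oauth2-proxy and passed authentication, so the AuthorizationPolicy and extension provider are wired correctly and the remaining problem is what oauth2-proxy does with the request after authentication, not the Istio side.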

Facing a similar problem.

My problem is that I need to route to /auth for a legacy service, auth.testing.svc.cluster.local, but I found nowhere to modify the path in the mesh config.
That is:

  1. example.com/v0/user* enters mesh
  2. it should first route to /auth of auth.testing.svc.cluster.local to get a token
  3. continue to /v0/user* of app.testing.svc.cluster.local

AuthorizationPolicy

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: legacy-member-authz
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: legacy-auth-proxy
  rules:
  - to:
    - operation:
        paths: ["/v0/user*"]

Istio config

data:
  mesh: |-
    extensionProviders:
    - name: "legacy-auth-proxy"
      envoyExtAuthzHttp:
        service: "auth.testing.svc.cluster.local"
        port: "8000"
        includeHeadersInCheck: ["authorization", "cookie"] # headers sent in the check request.
        headersToUpstreamOnAllow: ["authorization", "x-testing-authenticate", "x-developer-id"] # headers sent to backend application when request is allowed.
        headersToDownstreamOnDeny: ["content-type", "set-cookie"] # headers sent back to the client when request is denied.

This is probably in your oauth2-proxy configuration. Could you try configuring your oauth2-proxy with --upstream="static://200" and see if it solves the 404 problem?

By the way, you could also try the following oauth2-proxy configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --http-address=127.0.0.1:4180
        - --provider=google
        - --email-domain=*
        - --cookie-refresh=1h
        - --cookie-secure=false # Set to false for test environment only
        - --set-xauthrequest # X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Preferred-Username, X-Auth-Request-Groups
        - --pass-access-token # X-Auth-Request-Access-Token, must first enable --set-xauthrequest
        - --set-authorization-header # Authorization: Bearer <JWT>
        - --upstream=static://200 # no quotes here: container args are not shell-parsed, so literal quotes would reach oauth2-proxy and break upstream URL parsing
        - --reverse-proxy
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: "<YOUR_CLIENT_ID>"
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: "<YOUR_CLIENT_SECRET>"
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: "<YOUR_COOKIE_SECRET>" # could be generated with python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))).decode())'
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.0.1
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180

Maybe you could set the path_prefix to /auth in the mesh config.

Yes, this is my current workaround, and I also think using path_prefix is a better generalization to support more auth checking for URL params.

I don’t know why, but changing the cookie name to the default value now works…

  cookie-name: _oauth2_proxy

Thanks!