ichasco
February 13, 2021, 12:56pm
Hi,
I have followed this post, but I haven’t been able to make it work.
I can authenticate through oauth2-proxy, but once I am authenticated I always get a 404.
AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts: ["kibana.example.com"]
Istio config
meshConfig:
  extensionProviders:
  - name: "oauth2-proxy"
    envoyExtAuthzHttp:
      service: "oauth2-oauth2-proxy.oauth2.svc.cluster.local"
      port: "80"
      includeHeadersInCheck: ["authorization", "cookie"]
      headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
      headersToDownstreamOnDeny: ["content-type", "set-cookie"]
OAuth2 Proxy config
extraArgs:
  provider: oidc
  oidc-issuer-url: https://accounts.google.com
  email-domain: example.com
  session-store-type: redis
  redis-connection-url: redis://redis-master.oauth2.svc.cluster.local:6379
  set-authorization-header: "true"
  pass-authorization-header: "true"
  pass-host-header: "false"
  cookie-name: _oauth2_proxy_istio
  cookie-domain: .example.com
  cookie-refresh: 1h
  cookie-expire: 4h
  cookie-secure: "true"
  cookie-samesite: lax
  skip-provider-button: "true"
  pass-access-token: "true"
  silence-ping-logging: "true"
  whitelist-domain: .example.com
  set-xauthrequest: "true"
  reverse-proxy: "true"
Logs:
oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 - user@example.com[2021/02/13 12:32:55] kibana.example.com GET - "/" HTTP/1.1 "" 404 19 0.005
oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 - user@example.com [2021/02/13 12:32:57] kibana.example.com GET - "/" HTTP/1.1 "" 404 19 0.000
oauth2-oauth2-proxy-859774c77f-kcmgw oauth2-proxy 127.0.0.1 - user@example.com [2021/02/13 12:32:57] kibana.example.com GET - "/favicon.ico" HTTP/1.1 "" 404 19 0.000
Istio version: 1.9.0
OAuth Proxy version: 7.0.0
Thanks!!
Facing a similar problem.
My problem is that I need to route to /auth of a legacy service, auth.testing.svc.cluster.local, but I found nowhere to modify the path in the mesh config.
That is:
example.com/v0/user* enters mesh
it should first route to /auth of auth.testing.svc.cluster.local to get a token
continue to /v0/user* of app.testing.svc.cluster.local
AuthorizationPolicy
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: legacy-member-authz
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: legacy-auth-proxy
  rules:
  - to:
    - operation:
        paths: ["/v0/user*"]
Istio config
data:
  mesh: |-
    extensionProviders:
    - name: "legacy-auth-proxy"
      envoyExtAuthzHttp:
        service: "auth.testing.svc.cluster.local"
        port: "8000"
        includeHeadersInCheck: ["authorization", "cookie"] # headers sent in the check request.
        headersToUpstreamOnAllow: ["authorization", "x-testing-authenticate", "x-developer-id"] # headers sent to backend application when request is allowed.
        headersToDownstreamOnDeny: ["content-type", "set-cookie"] # headers sent back to the client when request is denied.
This is probably in your oauth2-proxy configuration; could you try configuring your oauth2-proxy with --upstream="static://200" and see if it solves the 404 problem?
By the way, you could also try the following oauth2-proxy configuration:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --http-address=127.0.0.1:4180
        - --provider=google
        - --email-domain=*
        - --cookie-refresh=1h
        - --cookie-secure=false # Set to false for test environment only
        - --set-xauthrequest # X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Preferred-Username, X-Auth-Request-Groups
        - --pass-access-token # X-Auth-Request-Access-Token, must first enable --set-xauthrequest
        - --set-authorization-header # Authorization: Bearer <JWT>
        - --upstream="static://200"
        - --reverse-proxy
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: "<YOUR_CLIENT_ID>"
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: "<YOUR_CLIENT_SECRET>"
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: "<YOUR_COOKIE_SECRET>" # could be generated with python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.0.1
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
Maybe you could set the path_prefix to /auth in the mesh config.
Yes, this is my current workaround, and I also think using path_prefix is a better generalization to support more auth checking for URL params.
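To make the mechanics discussed in this thread concrete (the CUSTOM AuthorizationPolicy in the first post, the `--upstream="static://200"` suggestion, and the pathPrefix workaround just above), here is an added simulation of the gateway-side ext_authz flow. It is example code written for this page, not Istio, Envoy or oauth2-proxy code: the gateway logic, the oauth2-proxy stand-in, the Kibana stub and all sample requests are constructed. Two behaviours are modelled from what the thread shows rather than from project source: that oauth2-proxy with no upstream configured answers an authenticated check with 404, and that `static://200` makes it answer 200. The field name `pathPrefix` is the envoyExtAuthzHttp provider field the path_prefix replies refer to; "location" is added to the deny header list here as an assumption so the simulated redirect reaches the client.

```python
"""Simulation of an Istio CUSTOM AuthorizationPolicy backed by an envoyExtAuthzHttp
provider.  Added example: none of this is Istio, Envoy or oauth2-proxy code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]        # lowercase header names, as Envoy sees them


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class ExtAuthzHttpProvider:
    """Fields of a meshConfig.extensionProviders[].envoyExtAuthzHttp entry."""
    include_headers_in_check: List[str]       # includeHeadersInCheck
    headers_to_upstream_on_allow: List[str]   # headersToUpstreamOnAllow
    headers_to_downstream_on_deny: List[str]  # headersToDownstreamOnDeny
    path_prefix: str = ""                     # pathPrefix


class OAuth2ProxyModel:
    """Hypothetical stand-in for oauth2-proxy answering the check request.
    upstream=None models a proxy started without --upstream (404 after login,
    as in the thread's logs); upstream="static://200" models the suggested fix."""

    COOKIE = "_oauth2_proxy=valid-session"   # constructed session cookie

    def __init__(self, upstream: Optional[str]):
        self.upstream = upstream
        self.check_requests: List[Request] = []   # what the gateway actually sent

    def __call__(self, req: Request) -> Response:
        self.check_requests.append(req)
        if self.COOKIE not in req.headers.get("cookie", ""):
            # No session yet: redirect to the IdP and set a CSRF cookie.
            return Response(302, {
                "location": "https://accounts.google.com/o/oauth2/auth?state=constructed",
                "set-cookie": "_oauth2_proxy_csrf=constructed; Path=/; Secure",
                "content-type": "text/html"})
        identity = {   # what --set-authorization-header / --set-xauthrequest add
            "authorization": "Bearer constructed.jwt.token",
            "x-auth-request-user": "user",
            "x-auth-request-email": "user@example.com"}
        if self.upstream == "static://200":
            return Response(200, identity, "Authenticated")
        # Session is valid but no upstream route matches: falls through to 404.
        return Response(404, {"content-type": "text/plain"}, "404 page not found")


def kibana_stub(req: Request) -> Response:
    """The protected app: echoes the identity header the gateway forwarded."""
    return Response(200, {"content-type": "text/plain"},
                    f"hello {req.headers.get('x-auth-request-email', 'anonymous')}")


def ext_authz(provider: ExtAuthzHttpProvider, auth_server: Callable[[Request], Response],
              app: Callable[[Request], Response], req: Request) -> Response:
    # 1. Check request: only includeHeadersInCheck headers go to the auth server,
    #    and pathPrefix is prepended to the original path.
    check = Request(req.method, provider.path_prefix + req.path,
                    {k: v for k, v in req.headers.items()
                     if k in provider.include_headers_in_check})
    verdict = auth_server(check)
    if 200 <= verdict.status < 300:
        # 2a. Allowed: forward the original request plus the listed auth headers.
        fwd = dict(req.headers)
        fwd.update({h: verdict.headers[h] for h in provider.headers_to_upstream_on_allow
                    if h in verdict.headers})
        return app(Request(req.method, req.path, fwd))
    # 2b. Any non-2xx is a deny: the client gets the auth server's status and body,
    #     plus only the headersToDownstreamOnDeny headers (model assumption).
    return Response(verdict.status,
                    {h: verdict.headers[h] for h in provider.headers_to_downstream_on_deny
                     if h in verdict.headers}, verdict.body)


def run(upstream: Optional[str], authenticated: bool,
        path: str = "/", path_prefix: str = "") -> Tuple[Response, Request]:
    """One client request through the gateway; returns (client response, check request)."""
    provider = ExtAuthzHttpProvider(
        include_headers_in_check=["authorization", "cookie"],
        headers_to_upstream_on_allow=["authorization", "x-auth-request-user", "x-auth-request-email"],
        headers_to_downstream_on_deny=["content-type", "set-cookie", "location"],  # assumption
        path_prefix=path_prefix)
    proxy = OAuth2ProxyModel(upstream)
    headers = {"host": "kibana.example.com", "x-internal-note": "never-sent-to-authz"}
    if authenticated:
        headers["cookie"] = OAuth2ProxyModel.COOKIE
    resp = ext_authz(provider, proxy, kibana_stub, Request("GET", path, headers))
    return resp, proxy.check_requests[0]


if __name__ == "__main__":
    for label, args in [("no upstream, logged in", (None, True)),
                        ("static://200, logged in", ("static://200", True)),
                        ("static://200, no session", ("static://200", False))]:
        resp, check = run(*args)
        print(f"{label:26} check path={check.path!r} -> client gets {resp.status} {resp.body!r}")
    resp, check = run("static://200", True, path="/v0/user/42", path_prefix="/auth")
    print(f"pathPrefix=/auth           check path={check.path!r} -> client gets {resp.status}")
```

The first scenario reproduces the symptom in the opening post: the session is valid, oauth2-proxy itself answers 404, and because any non-2xx check response is a deny, that 404 is what the browser sees. The second scenario shows why `static://200` resolves it, and the last one shows pathPrefix turning a request for /v0/user/42 into a check request at /auth/v0/user/42 while the application still receives the original path.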
ichasco
February 27, 2021, 6:05pm
I don’t know why, but changing the cookie name to the default value now works…
cookie-name: _oauth2_proxy
Thanks!
Setting --upstream="static://200" works for me. Thanks!
I am facing the same issue; setting this didn’t help.