Hi there,
I am trying to set up Istio with Oauth2-proxy and Keycloak.
The authentication works, but for some reason Istio is removing headers sent to the upstream after successful authentication.
Here is my config:
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: default
spec:
  hub: docker.io/istio
  tag: 1.10.0
  profile: default
  meshConfig:
    extensionProviders:
    - name: "oauth"
      envoyExtAuthzHttp:
        service: "oauth-oauth2-proxy.oauth.svc.cluster.local"
        port: 80
        # client request headers forwarded to oauth2-proxy for the check
        includeHeadersInCheck:
        - authorization
        - cookie
        # headers from the check response copied onto the request to the upstream
        headersToUpstreamOnAllow:
        - authorization
        - path
        - cookie
        - x-auth-request-access-token
        - x-auth-request-user
        - x-auth-request-email
        # headers from the check response returned to the client on deny
        headersToDownstreamOnDeny:
        - content-type
        - set-cookie
        includeAdditionalHeadersInCheck:
          X-Auth-Request-Redirect: '%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%'
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
          - path: kind
            value: DaemonSet
          # a patch without a value removes the field
          - path: spec.strategy
          - path: spec.updateStrategy
            value:
              rollingUpdate:
                maxUnavailable: 33%
              type: RollingUpdate
          - path: spec.template.spec.containers.[name:istio-proxy].ports.[containerPort:8080].hostPort
            value: 80
          - path: spec.template.spec.containers.[name:istio-proxy].ports.[containerPort:8443].hostPort
            value: 443
```
This is the RequestAuthentication config:
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: require-jwt
  namespace: frontend
spec:
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/example"
    jwksUri: "https://keycloak.example.com/auth/realms/example/protocol/openid-connect/certs"
```
And here's the AuthorizationPolicy:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: frontend
spec:
  action: CUSTOM
  provider:
    name: "oauth"
  rules:
  - to:
    - operation:
        paths: ["*"]
```
Any idea please?
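To make the header handling of the `envoyExtAuthzHttp` provider concrete, below is a small Python model of what Envoy's ext_authz HTTP filter does with the three lists in the configuration above. This is an added example written for this thread, not code from the original post, from Istio or from oauth2-proxy. The provider lists are copied from the post; the browser request, the oauth2-proxy check responses and the upstream response are constructed samples, and the names `ExtAuthzProvider`, `build_check_request`, `apply_ext_authz`, `demo_allow` and `demo_deny` are the example's own. It assumes the documented ext_authz semantics: header names match case-insensitively, any 2xx check status is an allow, on allow only `headersToUpstreamOnAllow` from the check response are copied onto the request that the upstream service receives, and on deny the client gets the check status plus only `headersToDownstreamOnDeny`. The model deliberately shows that with these two lists nothing from the check response is added to the response the browser sees on allow.

```python
"""Model of Envoy ext_authz (HTTP) header handling as configured by an Istio
envoyExtAuthzHttp provider.  Added example; sample data is constructed."""
import re
from dataclasses import dataclass, field

_REQ_FMT = re.compile(r"%REQ\(([^)]+)\)%")          # %REQ(name)% substitution
# Envoy always includes these in the check request, on top of includeHeadersInCheck.
_ALWAYS_IN_CHECK = {":authority", ":method", ":path", "content-length"}


@dataclass
class ExtAuthzProvider:
    include_headers_in_check: list
    headers_to_upstream_on_allow: list
    headers_to_downstream_on_deny: list
    include_additional_headers_in_check: dict = field(default_factory=dict)


@dataclass
class Outcome:
    allowed: bool
    status: int                      # status the browser receives
    upstream_request_headers: dict   # what the upstream service receives ({} on deny)
    client_response_headers: dict    # what the browser receives


def _lower(headers):
    """HTTP header names are case-insensitive; normalise for matching."""
    return {k.lower(): v for k, v in headers.items()}


def build_check_request(provider, request_headers):
    """Headers Envoy sends to the authorization service (oauth2-proxy)."""
    req = _lower(request_headers)
    wanted = _ALWAYS_IN_CHECK | {h.lower() for h in provider.include_headers_in_check}
    check = {k: v for k, v in req.items() if k in wanted}
    for name, fmt in provider.include_additional_headers_in_check.items():
        # substitute %REQ(x)% with the client request header x ("" when absent)
        check[name.lower()] = _REQ_FMT.sub(lambda m: req.get(m.group(1).lower(), ""), fmt)
    return check


def apply_ext_authz(provider, request_headers, check_status, check_headers,
                    upstream_status=200, upstream_headers=None):
    req, chk = _lower(request_headers), _lower(check_headers)
    if 200 <= check_status < 300:                      # allowed
        keep = {h.lower() for h in provider.headers_to_upstream_on_allow}
        upstream_req = dict(req)
        upstream_req.update({k: v for k, v in chk.items() if k in keep})
        # the browser gets the upstream's own response; check headers are not added
        return Outcome(True, upstream_status, upstream_req, _lower(upstream_headers or {}))
    keep = {h.lower() for h in provider.headers_to_downstream_on_deny}   # denied
    return Outcome(False, check_status, {}, {k: v for k, v in chk.items() if k in keep})


# Provider lists from the IstioOperator in the post above.
PROVIDER = ExtAuthzProvider(
    include_headers_in_check=["authorization", "cookie"],
    headers_to_upstream_on_allow=["authorization", "path", "cookie",
                                  "x-auth-request-access-token",
                                  "x-auth-request-user", "x-auth-request-email"],
    headers_to_downstream_on_deny=["content-type", "set-cookie"],
    include_additional_headers_in_check={
        "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%"},
)

# Constructed browser request (pseudo-headers are written Envoy-style).
BROWSER_REQUEST = {
    ":method": "GET", ":authority": "app.example.com", ":path": "/dashboard",
    "x-forwarded-proto": "https", "Cookie": "_oauth2_proxy=<constructed-session>",
    "User-Agent": "Mozilla/5.0", "X-Not-In-Check": "1",
}


def demo_allow():
    """Constructed oauth2-proxy 202 check response after a valid session."""
    check_headers = {
        "Authorization": "Bearer <constructed-token>",
        "X-Auth-Request-User": "alice",
        "X-Auth-Request-Email": "alice@example.com",
        "X-Auth-Request-Preferred-Username": "alice",   # not in the allow list
        "Set-Cookie": "_oauth2_proxy=<constructed-refreshed>",
    }
    return apply_ext_authz(PROVIDER, BROWSER_REQUEST, 202, check_headers,
                           200, {"Content-Type": "text/html"})


def demo_deny():
    """Constructed oauth2-proxy 401 check response for a missing session."""
    check_headers = {"Content-Type": "text/html",
                     "Set-Cookie": "_oauth2_proxy_csrf=<constructed>",
                     "WWW-Authenticate": "Bearer"}          # not in the deny list
    return apply_ext_authz(PROVIDER, BROWSER_REQUEST, 401, check_headers)


if __name__ == "__main__":
    print(build_check_request(PROVIDER, BROWSER_REQUEST))
    print(demo_allow())
    print(demo_deny())
```

Running it shows the split a practitioner wants to see: the check request carries only `cookie`, the pseudo-headers and the computed `x-auth-request-redirect`; on allow the upstream request gains `authorization`, `x-auth-request-user` and `x-auth-request-email` while the browser's response is just the upstream's `content-type`; on deny the browser gets the 401 with `content-type` and `set-cookie` only. Check response headers outside the configured lists are dropped in both directions, so a header that is "missing" at the browser or the upstream is usually one that is not listed rather than one Istio stripped.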
Hi,
do you know which header will be removed? In the past I had an issue with the oauth2-proxy when configuring keycloak and using it with OIDC.
(linked oauth2-proxy GitHub issue, opened 02:46PM - 18 Jun 21 UTC, closed 12:05PM - 21 Jun 21 UTC, labelled "question")
Running oauth2proxy does not forward the Authorization header on my local test setup. The local test setup consists of a running oauth2proxy plus a simple http server on localhost.
## Expected Behavior
Based on the configuration below I would expect that the authorization header is set in the upstream request to the simple web server: `Authorization: Bearer <id-token>`
## Current Behavior
The forwarded headers are:
````
Cookie: _oauth2_proxy=***
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
X-Forwarded-For: 127.0.0.1
Host: localhost:4180
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Dnt: 1
X-Forwarded-Email: ***
````
## Your Environment
oauth2proxy running on localhost at port 4180
webserver running on localhost at port 8080
Running oauth2proxy (v7.1.3) with the following flags:
````
oauth2-proxy \
--provider=keycloak \
--provider-display-name="Keycloak" \
--oidc-issuer-url=*** \
--login-url=*** \
--redeem-url=*** \
--validate-url=*** \
--pass-authorization-header=true \
--set-authorization-header=true \
--http-address=0.0.0.0:4180 \
--cookie-expire=0h1m0s \
--whitelist-domain="*" \
--cookie-domain=* \
--standard-logging=true \
--auth-logging=true \
--request-logging=true \
--skip-provider-button=true \
--upstream=http://localhost:8080 \
--email-domain=* \
--client-id="test-client" \
--client-secret=*** \
--redirect-url="http://localhost:4180/oauth2/callback" \
--cookie-secret=*********** \
--cookie-secure=false \
--set-xauthrequest=true
````
- Version used: oauth2proxy v7.1.3
Hi @beatrausch,
All headers are being removed but only from the browser.
I am following it also here
(linked Istio GitHub issue, opened 06:44PM - 29 Jul 21 UTC, labelled area/security)
**Bug description**
I am trying to configure ExtAuthz with Oauth2-proxy and Keycloak.
The authentication is successful but many headers are being removed from the Response Headers.
Just set `istioctl proxy-config log deploy/frontend --level "http:debug"` to check what was happening and I can see the headers reaching the istio-proxy but they aren't being shown in the browser.
- [ ] Docs
- [ ] Installation
- [ ] Networking
- [ ] Performance and Scalability
- [ ] Extensions and Telemetry
- [x] Security
- [ ] Test and Release
- [ ] User Experience
- [ ] Developer Infrastructure
- [ ] Upgrade
**Expected behavior**
To see all the **headersToUpstreamOnAllow** set in the envoyExtAuthzHttp provider in the browser.
**Steps to reproduce the bug**
I applied the following config:
**IstioOperator**
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: default
spec:
  hub: docker.io/istio
  tag: 1.10.0
  profile: default
  meshConfig:
    extensionProviders:
    - name: "oauth"
      envoyExtAuthzHttp:
        service: "oauth-oauth2-proxy.oauth.svc.cluster.local"
        port: 80
        includeHeadersInCheck:
        - authorization
        - cookie
        headersToUpstreamOnAllow:
        - authorization
        - path
        - cookie
        - x-auth-request-access-token
        - x-auth-request-user
        - x-auth-request-email
        headersToDownstreamOnDeny:
        - content-type
        - set-cookie
        includeAdditionalHeadersInCheck:
          X-Auth-Request-Redirect: '%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%'
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
          - path: kind
            value: DaemonSet
          - path: spec.strategy
          - path: spec.updateStrategy
            value:
              rollingUpdate:
                maxUnavailable: 33%
              type: RollingUpdate
          - path: spec.template.spec.containers.[name:istio-proxy].ports.[containerPort:8080].hostPort
            value: 80
          - path: spec.template.spec.containers.[name:istio-proxy].ports.[containerPort:8443].hostPort
            value: 443
```
**RequestAuthentication**
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: require-jwt
  namespace: frontend
spec:
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/example"
    jwksUri: "https://keycloak.example.com/auth/realms/example/protocol/openid-connect/certs"
```
**AuthorizationPolicy**
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: frontend
spec:
  action: CUSTOM
  provider:
    name: "oauth"
  rules:
  - to:
    - operation:
        paths: ["*"]
```
**Version** (include the output of `istioctl version --remote` and `kubectl version --short` and `helm version --short` if you used Helm)
```
$ istioctl version --remote
client version: 1.10.0
control plane version: 1.10.0
data plane version: 1.10.0 (26 proxies)
$ kubectl version --short
Client Version: v1.19.4
Server Version: v1.20.0
$ helm version --short
v3.4.1+gc4e7485
```
**How was Istio installed?**
Through istio-operator helm chart.
**Environment where the bug was observed (cloud vendor, OS, etc)**
Baremetal