Istio with oauth2-proxy only works with Safari and not Chrome or Firefox

Redirect after authentication not working in Chrome and Firefox but works in Safari.

I have oauth2-proxy deployed in Kubernetes with Istio, authenticating with GitHub.

Context

I am trying to use oauth2-proxy to add authentication to my Prometheus instance that verifies against GitHub. I’ve tried with and without Redis as a backend with the same results. It’s very strange that Safari works at all. I’m not sure if this is an issue with the cookie Istio creates (it seems the same in both browsers) or some Istio config I’m overlooking. Any help would be appreciated!

Your Environment

Here are my configs:
Istio extensionProvider in meshConfig:

extensionProviders:
  - name: "oauth2-proxy"
    envoyExtAuthzHttp:
      service: oauth2-proxy.oauth2-proxy.svc.cluster.local
      port: 80
      timeout: 1.5s
      headersToDownstreamOnDeny:
        - content-type
        - set-cookie
      headersToUpstreamOnAllow:
        - authorization
        - "x-forwarded-access-token"
        - cookie
        - path
      includeHeadersInCheck:
        - "cookie"
        - "authorization"
      includeAdditionalHeadersInCheck:
          X-Auth-Request-Redirect: https://%REQ(Host)%

Istio Authorization Policy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: prometheus-auth
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts:
        - "prometheus.mydomain.tld"

oauth2-proxy config file

provider      = "github"
email_domains = [ "mydomain.tld" ]
github_team   = "Infrastructure"
upstreams = "static://200"
cookie_samesite = "lax"
cookie_secure = true
# session_cookie_minimal = true
cookie_domains = ".mydomain.tld"
set_xauthrequest=true
set_authorization_header=true
pass_authorization_header=true
pass_host_header=true
pass_access_token=true
silence_ping_logging = true
standard_logging = true
auth_logging = true
request_logging = true
reverse_proxy = true
whitelist_domains = [".mydomain.tld"]
redirect_url = "https://oauth2-proxy.mydomain.tld/oauth2/callback"

Prometheus Virtual Service

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: prometheus
  namespace: prometheus
spec:
  gateways:
  - istio-system/prometheus-gateway
  hosts:
  - prometheus.mydomain.tld
  http:
    - name: prometheus
      route:
      - destination:
          host: kube-prometheus-stack-prometheus
          port:
            number: 9090

  • istio version used: v1.10.1
  • oauth2-proxy version used: v7.1.3

I’ve solved this by having oauth2-proxy served off the same gateway as Prometheus. I’m not sure why this fixes the issue but it does.

What do you mean by this? Can you show your code?

It’s been a year, my dude, so I don’t remember exactly, but I think the long and short of it was:

  • I had two gateways
  • Each gateway had a TLS cert generated by cert-manager, one was a wildcard cert and one was a subdomain of the same cert as the wildcard cert.
  • Firefox gets mad when a domain has two certs and will cause some random behavior depending on which cert is cached first.
  • I ended up making 1 gateway to handle both routes and terminating them with a single wildcard TLS cert.
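
As an added example (not code from the issue or from either project), a small Python check for the misconfiguration the last reply describes: given the hosts and TLS certificate SANs of each Gateway on one ingress, it lists every hostname that more than one certificate covers, using the left-most-label wildcard rule browsers apply. Gateway names, certificate names and SAN lists are constructed to mirror the reply.

```python
# Added example (not from the issue): flag hostnames that more than one TLS
# certificate on the same Istio ingress could be presented for. Gateway and
# cert names and the SAN lists are constructed to mirror the final reply.

def san_matches(san: str, host: str) -> bool:
    """True if a certificate SAN entry covers host. A wildcard is honoured
    only as the whole left-most label (RFC 6125 s6.4.3): '*.mydomain.tld'
    covers 'prometheus.mydomain.tld' but not 'mydomain.tld' or 'a.b.mydomain.tld'."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # ".mydomain.tld"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # label(s) before the suffix
    return bool(leftmost) and "." not in leftmost


def find_cert_conflicts(gateways: dict) -> dict:
    """Map every served host to each cert whose SANs cover it and keep the
    hosts covered by more than one cert (the browser may cache either)."""
    coverage: dict = {}
    for gw in gateways.values():
        for host in gw["hosts"]:
            for other in gateways.values():
                if any(san_matches(s, host) for s in other["sans"]):
                    coverage.setdefault(host, set()).add(other["cert"])
    return {h: sorted(c) for h, c in coverage.items() if len(c) > 1}


# Constructed: the two-Gateway layout the reply describes.
TWO_GATEWAYS = {
    "prometheus-gateway": {"hosts": ["prometheus.mydomain.tld"],
                           "cert": "wildcard-cert", "sans": ["*.mydomain.tld"]},
    "oauth2-gateway": {"hosts": ["oauth2-proxy.mydomain.tld"],
                       "cert": "oauth2-cert", "sans": ["oauth2-proxy.mydomain.tld"]},
}

# Constructed: the fix, one Gateway for both routes behind one wildcard cert.
ONE_GATEWAY = {
    "shared-gateway": {"hosts": ["prometheus.mydomain.tld", "oauth2-proxy.mydomain.tld"],
                       "cert": "wildcard-cert", "sans": ["*.mydomain.tld"]},
}

if __name__ == "__main__":
    print("before:", find_cert_conflicts(TWO_GATEWAYS))   # oauth2-proxy host has 2 certs
    print("after:", find_cert_conflicts(ONE_GATEWAY))     # {}
```

Run it against the hosts and `tls.credentialName` secrets of your own Gateway objects; any host reported here is one the browser can receive two different certificates for, which is the inconsistency the reply attributes the Firefox and Chrome redirect failures to.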