Istio with oauth2-proxy only works with Safari and not Chrome or Firefox

Redirect after authentication not working in Chrome and Firefox but works in Safari.

I have oauth2-proxy deployed in Kubernetes with Istio authenticating with Github.

Expected Behavior

Current Behavior

Context

I am trying to use oauth2-proxy to add authentication to my Prometheus instance that verifies against Github. I’ve tried with and without Redis as a backend with the same results. Its very strange that Safari works at all. I’m not sure if this is an issue with the cookie Istio creates (it seems the same in both browsers) or some Istio config I’m overlooking. Any help would be appreciated!

Your Environment

Here are my configs:
Istio extensionProvider in meshConfig:

extensionProviders:
  - name: "oauth2-proxy"
    envoyExtAuthzHttp:
      service: oauth2-proxy.oauth2-proxy.svc.cluster.local
      port: 80
      timeout: 1.5s
      headersToDownstreamOnDeny:
        - content-type
        - set-cookie
      headersToUpstreamOnAllow:
        - authorization
        - "x-forwarded-access-token"
        - cookie
        - path
      includeHeadersInCheck:
        - "cookie"
        - "authorization"
      includeAdditionalHeadersInCheck:
          X-Auth-Request-Redirect: https://%REQ(Host)%

Istio Authorization Policy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: prometheus-auth
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        hosts: 
        - "prometheus.mydomain.tld"

oauth2-proxy config file

provider      = "github"
    email_domains = [ "mydomain.tld" ]
    github_team   = "Infrastructure"
    upstreams = "static://200"
    cookie_samesite = "lax"
    cookie_secure = true
    # session_cookie_minimal = true
    cookie_domains = ".mydomain.tld"
    set_xauthrequest=true
    set_authorization_header=true
    pass_authorization_header=true
    pass_host_header=true
    pass_access_token=true
    silence_ping_logging = true
    standard_logging = true
    auth_logging = true
    request_logging = true
    reverse_proxy = true
    whitelist_domains = [".mydomain.tld"]
    redirect_url = "https://oauth2-proxy.mydomain.tld/oauth2/callback"

Prometheus Virtual Service

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: prometheus
  namespace: prometheus
spec:
  gateways:
  - istio-system/prometheus-gateway
  hosts:
  - prometheus.mydomain.tld
  http:
    - name: prometheus
      route:
      - destination:
          host: kube-prometheus-stack-prometheus
          port:
            number: 9090
  • istio version used: v1.10.1
  • oauth2-proxy Version used: v7.1.3

I’ve solved this by having oauth2-proxy served off the same gateway as Prometheus. I’m not sure why this fixes the issue but it does.