Oauth2-proxy - RBAC: access denied - redirect works

Hello,

I have Istio 1.11 running with custom external authorization using oauth2-proxy and Keycloak. Redirecting and all seems to be working fine. However, after signing in, I still get an RBAC: access denied message. This is odd because I can see oauth2-proxy returning 200 for the requests:

127.0.0.6 - 15a1b580-44a1-4376-a4c4-acba90ae207d - dsach@my-nm.com [2021/08/20 05:17:49] staging.boom.bang.io GET static://200 "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0" 200 13 0.000

I feel like I’m missing something simple. Any ideas?

Here is my auth config:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-custom-auth
  namespace: my-nm
spec:
  selector:
    matchLabels:
      my-auth: enable
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
    - to:
      - operation:
          paths: ["*"]

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-allow-auth
  namespace: my-nm
spec:
  selector:
    matchLabels:
      my-auth: enable
  action: ALLOW
  rules:
    - to:
      - operation:
          paths: ["/oauth2/*"]

Here’s my mesh configmap:

apiVersion: v1
data:
  mesh: |-
    extensionProviders:
      - name: "oauth2-proxy"
        envoyExtAuthzHttp:
          service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
          port: "4180" # The default port used by oauth2-proxy.
          includeHeadersInCheck: # headers sent to the oauth2-proxy in the check request.
            # https://github.com/oauth2-proxy/oauth2-proxy/issues/350#issuecomment-576949334
            - "cookie"
            - "x-forwarded-access-token"
            - "x-forwarded-user"
            - "x-forwarded-email"
            - "authorization"
            - "x-forwarded-proto"
            - "proxy-authorization"
            - "user-agent"
            - "x-forwarded-host"
            - "from"
            - "x-forwarded-for"
            - "x-forwarded-uri"
            - "x-auth-request-redirect"
            - "accept"
          headersToUpstreamOnAllow:
            - "authorization"
            - "path"
            - "x-auth-request-user"
            - "x-auth-request-email"
            - "x-auth-request-access-token"
            - "x-auth-request-user-groups"
            - "cookie"
          headersToDownstreamOnDeny: ["content-type", "set-cookie"] # headers sent back to the client when request is denied.
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata: {}
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    enablePrometheusMerge: true
    rootNamespace: istio-system
    trustDomain: cluster.local
  meshNetworks: 'networks: {}'
kind: ConfigMap
metadata:
  annotations:
  labels:
    install.operator.istio.io/owning-resource: unknown
    install.operator.istio.io/owning-resource-namespace: istio-system
    istio.io/rev: default
    operator.istio.io/component: Pilot
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.11.0
    release: istio
  name: istio
  namespace: istio-system

Here’s my oauth2-proxy config:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: redis
        image: redis
        ports:
        - containerPort: 6379
          name: redis
          protocol: TCP

      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
        args:
        - --provider=oidc
        - --cookie-secure=true
        - --cookie-samesite=lax
        - --cookie-refresh=15m
        - --cookie-expire=20m
        - --cookie-name=nm
        - --set-authorization-header=true
        - --pass-authorization-header=true
        - --set-xauthrequest
        - --pass-access-token=true
        - --scope=openid
        - --email-domain=*
        - --http-address=0.0.0.0:4180
        - --upstream=static://200
        - --skip-provider-button=true
        - --whitelist-domain=.my-nm.io
        - --whitelist-domain=.my-nm2.com
        - --session-store-type=redis
        - --silence-ping-logging=true
        - --redis-connection-url=redis://localhost:6379
        - --skip-jwt-bearer-tokens=true
        - --request-logging=true
        - --auth-logging=true
        - --standard-logging=true
        - --reverse-proxy
        - --set-xauthrequest
        - --client-id=$(OAUTH2_PROXY_CLIENT_ID)
        - --client-secret=$(OAUTH2_PROXY_CLIENT_SECRET)
        env:
        - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS
          value: 'https://auth.my-nm-2.com/auth/realms/nm=account'
        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
          value: 'https://auth.my-nm-2.com/auth/realms/nm'
        - name: OAUTH2_PROXY_LOGIN_URL
          value: 'https://auth.my-nm-2.com/auth/realms/nm/protocol/openid-connect/auth'
        - name: OAUTH2_PROXY_REDEEM_URL
          value: 'https://auth.my-nm-2.com/auth/realms/nm/protocol/openid-connect/token'
        - name: OAUTH2_PROXY_VALIDATE_URL
          value: 'https://auth.my-nm2.com/auth/realms/nm/protocol/openid-connect/userinfo'
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_COOKIE_SECRET
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        ports:
        - containerPort: 4180
          protocol: TCP
        readinessProbe:
          periodSeconds: 3
          httpGet:
            path: /ping
            port: 4180

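An added illustration (not code from the post, from oauth2-proxy or from Istio): a small Python model of the evaluation order Istio documents for AuthorizationPolicy, which is CUSTOM first, then DENY, then ALLOW, with the rule that once any ALLOW policy selects a workload, a request must match one of its rules or it is denied. It replays the two policies from the post (`my-custom-auth` and `my-allow-auth`, selector `my-auth: enable`) for the paths `/` and `/oauth2/callback`. The `oauth2_proxy_says_200` callback stands in for the 200 seen in the log line above; the workload labels and the helper names are my own construction.

```python
"""Model of Istio's documented AuthorizationPolicy evaluation order.

Added example, not code from the post or from Istio. The order modelled is
the one in Istio's authorization docs: CUSTOM, then DENY, then ALLOW, with a
request denied when ALLOW policies select the workload but none matches.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def path_matches(pattern: str, path: str) -> bool:
    """Istio path matching: exact, prefix "/x*", suffix "*x", or the wildcard "*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


@dataclass
class Policy:
    name: str
    action: str               # "CUSTOM", "DENY" or "ALLOW"
    selector: Dict[str, str]  # spec.selector.matchLabels
    paths: List[str]          # spec.rules[].to[].operation.paths, flattened

    def selects(self, workload_labels: Dict[str, str]) -> bool:
        return all(workload_labels.get(k) == v for k, v in self.selector.items())

    def matches(self, path: str) -> bool:
        return any(path_matches(p, path) for p in self.paths)


def evaluate(policies: List[Policy], workload_labels: Dict[str, str], path: str,
             ext_authz: Callable[[str], bool]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request, in Istio's documented order."""
    selected = [p for p in policies if p.selects(workload_labels)]

    # 1. CUSTOM: the external authorizer (oauth2-proxy here) is asked; a non-2xx denies.
    for p in selected:
        if p.action == "CUSTOM" and p.matches(path) and not ext_authz(path):
            return False, f"denied by external authorizer ({p.name})"

    # 2. DENY: any matching DENY policy denies.
    for p in selected:
        if p.action == "DENY" and p.matches(path):
            return False, f"denied by DENY policy {p.name}"

    # 3. No ALLOW policy selects this workload: the request is allowed.
    allow_policies = [p for p in selected if p.action == "ALLOW"]
    if not allow_policies:
        return True, "allowed (no ALLOW policy on workload)"

    # 4. Some ALLOW policy matches: allowed.
    for p in allow_policies:
        if p.matches(path):
            return True, f"allowed by ALLOW policy {p.name}"

    # 5. ALLOW policies select the workload but none matched: RBAC: access denied.
    return False, "RBAC: access denied (ALLOW policies present, none matched)"


# The two policies from the post, flattened into the model above.
POST_POLICIES = [
    Policy("my-custom-auth", "CUSTOM", {"my-auth": "enable"}, ["*"]),
    Policy("my-allow-auth", "ALLOW", {"my-auth": "enable"}, ["/oauth2/*"]),
]
# Constructed workload labels; only my-auth=enable matters for the selectors.
WORKLOAD = {"app": "staging-web", "my-auth": "enable"}


def oauth2_proxy_says_200(_path: str) -> bool:
    """Stand-in for oauth2-proxy answering 200, as in the log line in the post."""
    return True


def decide(path: str, policies: List[Policy] = POST_POLICIES) -> Tuple[bool, str]:
    """Evaluate `path` against the given policies with the authorizer approving."""
    return evaluate(policies, WORKLOAD, path, oauth2_proxy_says_200)


if __name__ == "__main__":
    for p in ("/", "/oauth2/callback"):
        print(p, decide(p))
    # Variant with only the CUSTOM policy: step 3 applies and "/" is allowed.
    print("/", decide("/", [POST_POLICIES[0]]))
```

In this model a request to `/` that oauth2-proxy approves still ends at step 5, because an ALLOW policy selects the same workload but only lists `/oauth2/*`; with only the CUSTOM policy present, or with an ALLOW rule that also covers the application paths, the same request is allowed. The model ignores the other match fields of a rule (methods, hosts, source principals) and is only a reading aid for the documented order, not a substitute for `istioctl x authz check` against the live proxy.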
Do you have your RequestAuthentication with the same list of issuers + header forward somewhere?