Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Setting proxy-prefix in helm seems to break login #222

Open
adam-long opened this issue May 14, 2024 · 4 comments
Open

[Bug]: Setting proxy-prefix in helm seems to break login #222

adam-long opened this issue May 14, 2024 · 4 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@adam-long
Copy link

adam-long commented May 14, 2024

OAuth2-Proxy Version

7.6

Provider

keycloak-oidc

Expected Behaviour

Same behavior as using default oauth2 proxy-prefix.

Current Behaviour

Attempting to login to an ingress using oauth2proxy as a defined prefix results in a 403 error page from nginx.

Steps To Reproduce

  1. Set oauth2-proxy.extraArgs.proxy-prefix: "oauth2proxy"
  2. Set the oauth2-proxy Ingress path to "/oauth2proxy"
  3. Set Ingress for protected resource (I used a basic nginx deployment with the stock Hello World HTML for testing) to use "/oauth2proxy" instead of default "/oauth2"
  4. Deploy resources
  5. Visit resource defined in step 3 in web browser
  6. Receive 403 Forbidden from the Ingress NGINX without attempt to login.

Possible Solutions

No response

Configuration details or additional information

I'm attempting to deploy oauth2-proxy using Helm on the same hostname that has another application already using /oauth2, so I'm attempting to change the prefix used by oauth2-proxy. My setup is pretty simple for Kubernetes - I have a basic Keycloak (23.0.6), NGINIX Ingress, oauth2-proxy, and a basic nginx deployment displaying the stock welcome message.

I'm attempting to protect the basic nginx deployment using oauth2-proxy. I have it working using the default proxy-prefix of /oauth2, but if I make the modifications in the "step to reproduce", I end up with a 403 error message and no attempt to login to send to Keycloak for authentication.

I've removed the conflicting application in an attempt to get this to work and reduced it down to only ingress, keycloak, oauth2-proxy, and the basic nginx deployment.

Looking at the logs for the ingress pod as well as oauth2-proxy, they register the 403 result, but that's it. It's not clear to me what else I need to configure in order to change the prefix for oauth2-proxy.

@adam-long adam-long added bug Something isn't working help wanted Extra attention is needed labels May 14, 2024
Copy link

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@JoelSpeed JoelSpeed transferred this issue from oauth2-proxy/oauth2-proxy Jul 14, 2024
@pierluigilenoci
Copy link
Contributor

@adam-long, can you attach the deployment manifest produced with your configuration to this issue?

@pierluigilenoci
Copy link
Contributor

@JoelSpeed, the extraArgs are passed without modifications or processing.
So it can't be a chart issue. Because otherwise, none of them would work.
Ref: https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/deployment.yaml#L126-L139
So, please transfer the issue back. 🙏🏻

@adam-long Sorry, but I can't help you more.
If the issue is not transferred back to the correct repo, I suggest you reopen it by increasing the configuration details and making it explicit that it is not a chart problem.
Using the word "helm" in the title has shifted attention away from the problem. 🤷🏻‍♂️

@adam-long
Copy link
Author

Thanks for looking at it @pierluigilenoci - this dropped off my plate. I'll try to pick it back up again and see if I can give you a bit more info.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

2 participants