How to get oauth2_proxy running in kubernetes under one domain to redirect back to original domain that required authentication?

4/20/2019

I've been setting up a kubernetes cluster and want to protect the dashboard (running at kube.example.com) behind the bitly/oauth2_proxy (running at example.com/oauth2 on image a5huynh/oauth2_proxy:latest) as I want to re-use the OAuth proxy for other services I will be running. Authentication is working perfectly but after a user logs in, i.e. the callback returns, they are sent to example.com where instead they should be sent to the original host kube.example.com that initiated the flow. How can I do this? (I am using the nginx-ingress-controller).

Annotation on OAuth2 Proxy:

kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true"

Annotation on Dashboard:

kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start",
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth",
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"

I expect to be redirected to the original host kube.example.com after the OAuth flow is complete, but am being sent back to the OAuth2 host example.com.

-- danieljimeneznz
docker
kubernetes
nginx
nginx-ingress
oauth-2.0

1 Answer

4/20/2019

After searching for a bit I came across a blog post about performing this in a super simple manner. Unfortunately I found the provided yaml did not quite work correctly as the oauth2_proxy was never being hit due to nginx intercepting all requests (I am not sure if mine was not working due to me wanting the oauth-proxy url to be example.com/oauth2 rather than oauth2.example.com). To fix this I added back the oauth2-proxy path to the Ingress for the proxy i.e.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: oauth2-proxy
              servicePort: 80
            path: /
          - backend:
              serviceName: oauth2-proxy
              servicePort: 4180
            path: /oauth2

and made sure that the service was also still exposed i.e.

apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: default
spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: http-proxy
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    k8s-app: oauth2-proxy

Then to protect services behind the oauth proxy I just need to place the following in the Ingress annotations:

    nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"
-- danieljimeneznz
Source: StackOverflow
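The `rd` value in the answer's auth-signin annotation is built from request headers (`$http_host$request_uri`), so whatever consumes it must only honour return targets on hosts it trusts, or the sign-in endpoint becomes an open redirect. The validator below is an added example, not oauth2_proxy's own code; it assumes an allowlist in the style of the project's whitelist-domain option, where a leading dot means the domain and its subdomains, and it treats a same-host path like `/redirect/kube.example.com/` as acceptable.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist (assumption): ".example.com" permits example.com
# and any subdomain such as kube.example.com, but nothing else.
WHITELIST_DOMAINS = [".example.com"]


def host_allowed(host: str, whitelist=WHITELIST_DOMAINS) -> bool:
    """True if host exactly matches an entry, or is a subdomain of a dotted entry."""
    host = host.lower()
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def safe_redirect(rd: str, default: str = "/", whitelist=WHITELIST_DOMAINS) -> str:
    """Return rd if it is a safe post-login target, otherwise the default path."""
    if not rd:
        return default
    rd = unquote(rd)  # decode once so %2F%2Fevil.com is seen as //evil.com
    # Protocol-relative and backslash forms are treated as absolute URLs by
    # browsers, so they must never be accepted as "same-host" paths.
    if rd.startswith(("//", "/\\", "\\")):
        return default
    parts = urlsplit(rd)
    if parts.scheme == "" and parts.netloc == "":
        # A plain path on the proxy host: only a single leading slash is allowed.
        return rd if rd.startswith("/") else default
    if parts.scheme not in ("http", "https"):
        return default  # rejects javascript:, data:, etc.
    # hostname strips userinfo and port, so user@host and host:443 are handled.
    if parts.hostname and host_allowed(parts.hostname, whitelist):
        return rd
    return default


if __name__ == "__main__":
    # Constructed sample targets: the two from the question plus hostile ones.
    for candidate in ["/redirect/kube.example.com/", "https://kube.example.com/",
                      "//evil.com/", "https://example.com.evil.com/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {safe_redirect(candidate)!r}")
```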