K
Q

How to get oauth2_proxy running in kubernetes under one domain to redirect back to original domain that required authentication?

4/20/2019

I've been setting up a kubernetes cluster and want to protect the dashboard (running at kube.example.com) behind the bitly/oauth2_proxy (running at example.com/oauth2 on image a5huynh/oauth2_proxy:latest) as I want to re-use the OAuth proxy for other services I will be running. Authentication is working perfectly but after a user logs in, i.e. the callback returns, they are sent to example.com where instead they should be sent to the original host kube.example.com that initiated the flow. How can I do this? (I am using the nginx-ingress-controller).

Annotation on OAuth2 Proxy:

kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true"

Annotation on Dashboard:

kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start",
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth",
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"

I expect to be redirected to the original host kube.example.com after OAuth flow is complete but am being sent back to the OAuth2 host example.com

-- danieljimeneznz
docker
kubernetes
nginx
nginx-ingress
oauth-2.0

Similar Questions

Persistent volume isn't matched with a claim
Whitelisting IP addresses for network traffic through Istio gateways
FailedAttachVolume error on Kubernetes with StorageOS
Grabbing a pod's IP address from another pod
Kubernetes copy image data to volume mounts
Is it possible to display the Traefik IngressRoutes in the Kubernetes Dashboard?
How to expose nginx in Minikube to outside

1 Answer

4/20/2019

After searching for a bit I came across a blog post about performing this in a super simple manor. Unfortunately I found the provided yaml did not quite work correctly as the oauth2_proxy was never being hit due to nginx intercepting all requests (I am not sure if mine was not working due to me wanting the oauth-proxy url to be example.com/oauth2 rather than oauth2.example.com). To fix this I added back the oauth2-proxy path to the Ingress for the proxy i.e.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: oauth2-proxy
              servicePort: 80
            path: /
          - backend:
              serviceName: oauth2-proxy
              servicePort: 4180
            path: /oauth2

and made sure that the service was also still exposed i.e.

apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: default
spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: http-proxy
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    k8s-app: oauth2-proxy

Then to protect services behind the oauth proxy I just need to place the following in the Ingress annotations:

    nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"
-- danieljimeneznz
Source: StackOverflow