Oauth2-Proxy does not pass X-Auth-Request-Groups header

11/3/2020

I'm using Azure B2C to authenticate my users. For the authentication piece I have oauth2-proxy running in a Kubernetes cluster. Oauth2-Proxy is running behind ingress-nginx and it's passing most of the required headers, but I do not get the X-Auth-Request-Groups header in my upstream service that is behind oauth2-proxy.

Here is my token that I get from B2C:

{
    "typ": "JWT",
    "alg": "RS256",
    "kid": "kid_value"
}.{
    "exp": 1604420825,
    "nbf": 1604417225,
    "ver": "1.0",
    "iss": "iss_value",
    "sub": "sub_value",
    "aud": "aud_value",
    "acr": "acr_name",
    "nonce": "defaultNonce",
    "iat": 1604417225,
    "auth_time": 1604417225,
    "groups": [
        "group1"
    ],
    "identityProviders": [
        "email.com"
    ],
    "firstname": "First Name",
    "surname": "Last Name",
    "idp": "IDP_VALUE",
    "email": "username@email.com",
    "preferred_username": "User Name"
}.[Signature]

And here are the headers that I get in my upstream service after successful authentication:

{
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
Accept-Encoding: "gzip, deflate, br",
Accept-Language: "en-US,en;q=0.9",
Content-Length: "0",
Cookie: "COOKIE",
Sec-Fetch-Dest: "document",
Sec-Fetch-Mode: "navigate",
Sec-Fetch-Site: "none",
Sec-Fetch-User: "?1",
Upgrade-Insecure-Requests: "1",
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
X-Auth-Request-Access-Token: "ACCESS_TOKEN",
X-Auth-Request-Email: "username@email.com",
X-Auth-Request-Preferred-Username: "User Name",
X-Auth-Request-User: "UserID",
X-B3-Parentspanid: "Parentspanid",
X-B3-Sampled: "0",
X-B3-Spanid: "Spanid",
X-B3-Traceid: "Traceid",
X-Envoy-Attempt-Count: "1",
X-Forwarded-Client-Cert: "CEERT",
X-Forwarded-For: "Forwarded-For",
X-Forwarded-Host: "Forwarded-Host",
X-Forwarded-Port: "443",
X-Forwarded-Proto: "https",
X-Real-Ip: "Real-Ip",
X-Request-Id: "Request-Id",
X-Scheme: "https"
}

All X-Auth-Request-* headers are coming through, but not the one with Groups. I'm using the Docker image quay.io/oauth2-proxy/oauth2-proxy:v6.1.1 and I saw in the configuration docs (https://oauth2-proxy.github.io/oauth2-proxy/configuration) the option "--oidc-groups-claim", but when I try to use it the container won't start because this option isn't available in this version.

Any ideas what I'm missing?

-- kosmit
azure-ad-b2c
kubernetes
oauth-2.0
oauth2-proxy
proxy

1 Answer

11/3/2020

It seems that the problem is the image that I'm using, quay.io/oauth2-proxy/oauth2-proxy:v6.1.1. When I built my own image from the latest master (3rd of November 2020), everything seems to be working fine and the X-Auth-Request-Groups header is passed to the upstream service.

-- kosmit
Source: StackOverflow
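
A debugging check for the situation in this thread, as an added example that is not part of the original post or of oauth2-proxy: it decodes the token payload without verifying the signature and reports which X-Auth-Request-* headers are absent upstream even though the matching claim is in the token. The claim-to-header mapping, the function names and the sample token are assumptions constructed from the values shown in the question.

```python
import base64
import json

# Assumed claim-to-header mapping, taken from the claims and headers shown in
# the question (not from oauth2-proxy's source).
CLAIM_TO_HEADER = {
    "email": "X-Auth-Request-Email",
    "preferred_username": "X-Auth-Request-Preferred-Username",
    "groups": "X-Auth-Request-Groups",
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def missing_headers(token: str, upstream_headers: dict) -> list:
    """Headers whose claim is in the token but which never reached upstream."""
    claims = jwt_claims(token)
    seen = {name.lower() for name in upstream_headers}  # names are case-insensitive
    return [
        header for claim, header in CLAIM_TO_HEADER.items()
        if claims.get(claim) not in (None, "", []) and header.lower() not in seen
    ]

def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample mirroring the question: the token carries "groups", but
# upstream received the other X-Auth-Request-* headers and not the groups one.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "kid_value"}),
    b64url_encode({"sub": "sub_value", "groups": ["group1"],
                   "email": "username@email.com", "preferred_username": "User Name"}),
    "signature-placeholder",
])
SAMPLE_HEADERS = {
    "X-Auth-Request-Email": "username@email.com",
    "X-Auth-Request-Preferred-Username": "User Name",
}

if __name__ == "__main__":
    print(missing_headers(SAMPLE_TOKEN, SAMPLE_HEADERS))
```

An empty result with the groups header still missing would point at the identity provider not emitting the claim rather than at the proxy.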