Redirected to root after login using oauth2-proxy

Hi, I've tried to find an answer over at oauth2-proxy first, but got redirected here.
I'm running Traefik 2.4.9 in a Kubernetes 1.20 cluster, using Keycloak as an OIDC provider.
While I've got thomseddon's traefik-forward-auth working, I just can't get Oauth2-proxy to redirect correctly.

The full details and manifests used can be found in the GitHub issue listed above, but basically:
I'm running all my services on specific subpaths of a single subdomain. Whenever trying to log in using Oauth2-proxy, after going through the auth flow, I get redirected to sub.domain.com instead of sub.domain.com/original/path.

The rd parameter in the oauth2-proxy logs consists of only the subdomain, instead of the full redirect path:
10.244.1.0 - 039656ce-97cb-4289-b8b8-03c5f3dfa708 - - [2021/10/19 09:17:14] sub.domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fsub.domain.com%2F" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" 302 360 0.000

It was suggested that some Traefik settings might be incorrectly configured. I'm running the traefik helm chart with near to unchanged default settings. Does anyone have any idea what settings would affect this redirection behaviour?
Relevant feedback I got from Oauth2-proxy's side:

So looks to me like, whatever is injecting "/oauth2/start?rd=https%3A%2F%2Fexample.com%2F" is not injecting the path. Looking at the rd value here, you are only setting the redirect to the root of the domain ( %2F being / ). So you need to remove that rd parameter to allow the traefik headers to take precedence in the redirect fetching logic.

Otherwise, you need to update whatever is injecting the rd parameter to also include the path as well, how you'll do that I'm not sure though.

I've tried multiple combinations of Traefik middlewares and Oauth2-proxy settings, amongst others the two suggested configs in Oauth2-proxy's docs.

This topic describes the exact same issue in a slightly different environment, and while the static redirects can be used as a workaround, they are far from ideal.
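To make the quoted feedback concrete, here is an added Go model (not code from oauth2-proxy, Traefik or anyone in this thread) of how a redirect target is picked: the rd query parameter is tried first, then the X-Auth-Request-Redirect header that comes up later in the thread, then Traefik's X-Forwarded-* headers, and each candidate is checked against a whitelist_domains-style allowlist. The precedence order and the allowlist rule are assumptions modelled on oauth2-proxy's documented behaviour; sub.domain.com and .domain.com are constructed sample values.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist in whitelist_domains form: a leading "." also matches subdomains.
var whitelistDomains = []string{".domain.com"}

// Simplified redirect check: site-relative paths (but not "//host" or "/\host") and
// absolute http(s) URLs whose host is allowlisted. Not oauth2-proxy's own code.
func isValidRedirect(redirect string) bool {
	if strings.HasPrefix(redirect, "/") {
		return !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\")
	}
	u, err := url.Parse(redirect)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	for _, d := range whitelistDomains {
		if u.Hostname() == strings.TrimPrefix(d, ".") ||
			(strings.HasPrefix(d, ".") && strings.HasSuffix(u.Hostname(), d)) {
			return true
		}
	}
	return false
}

// Original URL as seen by Traefik, rebuilt from X-Forwarded-* (https assumed).
func forwardedURL(req *http.Request) string {
	host, uri := req.Header.Get("X-Forwarded-Host"), req.Header.Get("X-Forwarded-Uri")
	if host == "" || uri == "" {
		return ""
	}
	return "https://" + host + uri
}

// appRedirect applies the priority the quoted feedback refers to: rd query parameter,
// then X-Auth-Request-Redirect, then Traefik's forwarded headers; first valid one wins.
func appRedirect(req *http.Request) string {
	for _, c := range []string{req.URL.Query().Get("rd"),
		req.Header.Get("X-Auth-Request-Redirect"), forwardedURL(req)} {
		if c != "" && isValidRedirect(c) {
			return c
		}
	}
	return "/"
}
```

With the rd=https%3A%2F%2Fsub.domain.com%2F value from the log line above, appRedirect returns the bare root even when X-Forwarded-Uri still carries /original/path; drop the rd parameter and the forwarded headers win, while an off-allowlist rd falls through to "/".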


Just a pointer for people coming here, there are suggested workarounds at the oauth2-proxy issue Ianmarti pointed to, i.e. Not redirecting to subpath after login using Traefik's 401 errors middleware · Issue #1297 · oauth2-proxy/oauth2-proxy · GitHub

Hello @jonananas thanks for your link, but I'm unsure about how to reproduce your hack.

I am using:
- "OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR=/templates"
where I copy the original templates and only edit sign_in.html, where I add
    <script>
      // Overwrite the hidden rd input(s) on the sign-in form with the page's own
      // URL, so the post-login redirect keeps the original path instead of "/".
      (function () {
        var inputs = document.getElementsByName('rd');
        for (var i = 0; i < inputs.length; i++) {
          inputs[i].value = window.location.href;
        }
      })();
    </script>

See jonananas/traefik-oauth2-proxy on GitHub for a complete setup - I cannot paste the link here, not sure why


I wonder why you couldn't publish your project URL, but this is the link I pushed in my previous message.

Anyways... I also managed to set up your hack/workaround on my infrastructure, and I would also advise you to put the cookie settings in the settings to double check (along with the whitelist_domainS vs whitelist_domain) since those 2 took me some time to find what I was doing wrong.

But it works great, thanks a lot!

PS: have you tried pushing an MR to the Oauth2_proxy project with your sign_in modification?

Thanks,
I am not sure what you mean by cookie settings, do you mean I should add a setting or document a setting?

I have not pushed a PR/MR since I look at the JS hack as a temporary workaround and suspect a better solution could be implemented in the Go code.

Glad to hear it works for you!

Sorry, I meant the HTTP headers, not the cookie!

I'm not sure what the minimal set is to get your workaround working, but I had to modify the options on authResponseHeaders so that it works for me: I was at least missing X-Auth-Request-Access-Token, Authorization, X-Auth-Request-Redirect

I made it work with this setting:

      traefik.http.middlewares.oauth-verify.forwardAuth.authResponseHeaders: "X-Auth-Request-User,X-Auth-Request-Email,Set-Cookie,X-Auth-Request-Access-Token,Authorization,X-Auth-Request-Redirect"

Complete oauth2-proxy docker-compose.yml:

  oauth:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
    container_name: oauth
    restart: always
    healthcheck:
      test: ["CMD", "wget", "--tries=1", "--spider", "http://oauth:4180/ping"]
      interval: 60s
      timeout: 10s
    labels:
      ai.ix.expose: 'true'
      traefik.enable: 'true'
      # forwardAuth middleware: every protected router asks oauth2-proxy first
      traefik.http.middlewares.oauth-verify.forwardAuth.address: http://oauth:4180/oauth2/auth
      traefik.http.middlewares.oauth-verify.forwardAuth.trustForwardHeader: 'true'
      traefik.http.middlewares.oauth-verify.forwardAuth.authResponseHeaders: "X-Auth-Request-User,X-Auth-Request-Email,Set-Cookie,X-Auth-Request-Access-Token,Authorization,X-Auth-Request-Redirect"
      # errors middleware: a 401 from forwardAuth is answered with the sign-in page
      traefik.http.middlewares.oauth-signin.errors.service: oauth@docker
      traefik.http.middlewares.oauth-signin.errors.status: '401'
      traefik.http.middlewares.oauth-signin.errors.query: /oauth2/sign_in
      traefik.http.routers.oauth.entrypoints: websecure
      traefik.http.routers.oauth.rule: Host(`oauth.${DOMAIN?err}`) || PathPrefix(`/oauth2`)
      traefik.http.routers.oauth.tls.certResolver: myresolver
      traefik.http.routers.oauth.service: oauth@docker
      traefik.http.services.oauth.loadbalancer.server.port: '4180'
    volumes:
      - "./oauth_templates:/templates"
    environment:
      # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#environment-variables
      OAUTH2_PROXY_PROVIDER: gitlab
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_GITLAB_GROUP: "${OAUTH2_PROXY_GITLAB_GROUP}"
      OAUTH2_PROXY_CLIENT_ID: "${OAUTH2_PROXY_CLIENT_ID?err}"
      OAUTH2_PROXY_CLIENT_SECRET: "${OAUTH2_PROXY_CLIENT_SECRET?err}"
      OAUTH2_PROXY_COOKIE_DOMAINS: "${DOMAIN?err}"
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      OAUTH2_PROXY_COOKIE_SECRET: "${OAUTH2_PROXY_COOKIE_SECRET?err}"
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
      # the plural WHITELIST_DOMAINS is the name oauth2-proxy reads (see the note above);
      # the singular form is kept here only as the poster had it
      OAUTH2_PROXY_WHITELIST_DOMAIN: '.${DOMAIN?err}'
      OAUTH2_PROXY_WHITELIST_DOMAINS: '.${DOMAIN?err}'
      OAUTH2_PROXY_REDIRECT_URL: "https://oauth.${DOMAIN?err}/oauth2/callback"
      OAUTH2_PROXY_INSECURE_OIDC_SKIP_NONCE: 'false'
      # Customize login page - next four
      OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR: "/templates"
      OAUTH2_PROXY_CUSTOM_SIGN_IN_LOGO: "/templates/logo.png"
      OAUTH2_PROXY_BANNER: "Welcome to server ${DOMAIN?err}"
      OAUTH2_PROXY_FOOTER: "-"
    networks:
      - internal
      - docker-proxy-internal

cf. Not routing back to original URL (if not previously logged-in) · Issue #1639 · oauth2-proxy/oauth2-proxy · GitHub discussion on this topic.