[SOLVED] Forwardauth with oauth2-proxy

Hello guys! I am trying to migrate my traefik-forward-auth container to oauth2-proxy and I am stuck.

I am trying to follow this: Integration | OAuth2 Proxy
I think the problem is in my configured forwardauth.address.

  • When I set it to http://forward-auth:4180/oauth2/auth, I can reach my service when already authenticated, but when I visit the page unauthenticated, I just get an "Unauthorized" error instead of being offered to log in.
  • When I set it to http://forward-auth:4180, I can log in, but after logging in, I just get a 404 instead of reaching my service.

My current setup:

version: "3"

networks:
  traefik_proxy:
    external: true


services:
  repository:
    image: containous/whoami
    deploy:
      labels:
        - "traefik.enable=true"
  
        # Oauth connector
        - "traefik.http.routers.nexus.rule=Host(`${NEXUS_HOSTNAME}`)"
        - "traefik.http.routers.nexus.entrypoints=websecure"
        - "traefik.http.routers.nexus.tls=true"
        - "traefik.http.routers.nexus.service=nexus"
        - "traefik.http.routers.nexus.priority=10"
        - "traefik.http.services.nexus.loadbalancer.server.port=80"
        - "traefik.http.routers.nexus.middlewares=nexus-forward-auth"
        - "traefik.http.middlewares.nexus-forward-auth.forwardauth.address=http://forward-auth:4180/oauth2/auth"
        - "traefik.http.middlewares.nexus-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User,X-Forwarded-Email,X-Forwarded-Preferred-Username,X-Forwarded-Groups,X-Auth-Request-Access-Token,Authorization"
        - "traefik.http.middlewares.nexus-forward-auth.forwardauth.trustForwardHeader=true"

    networks:
      - traefik_proxy

  forward-auth:
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    environment:
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_ISSUER}
      - OAUTH2_PROXY_CLIENT_ID=${OIDC_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${OIDC_COOKIE_SECRET}
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_UPSTREAM=static://202
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
      - OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR=true
      - LOG_LEVEL=debug

    networks:
      - traefik_proxy

    deploy:
      labels:
        - "traefik.enable=true"
 
        - "traefik.http.routers.nexus-forward-auth.rule=Host(`${NEXUS_HOSTNAME}`) && PathPrefix(`/oauth2`)"
        - "traefik.http.routers.nexus-forward-auth.entrypoints=websecure"
        - "traefik.http.routers.nexus-forward-auth.tls=true"
        - "traefik.http.routers.nexus-forward-auth.service=nexus-forward-auth"
        - "traefik.http.routers.nexus-forward-auth.priority=100"
        - "traefik.http.services.nexus-forward-auth.loadbalancer.server.port=4180"

Any clues please?

Did you try to search for tutorials, like this one?

Hello, yes of course.

However, most of them do not cover the configuration of oauth2-proxy, which was the culprit here.

The problem was a typo in "OAUTH2_PROXY_UPSTREAM". The correct env variable is "OAUTH2_PROXY_UPSTREAMS" (ref: Overview | OAuth2 Proxy). For the command line argument, it is "--upstream"; for the configuration variable, it is "upstreams".

After fixing this typo and changing forwardauth.address to http://forward-auth:4180/, everything started working and I get no more 404s or 401s.

So the problem is solved.

Thanks for the reply anyway, @bluepuma77 :slight_smile:
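
A pre-deploy check for the naming mistake described above, as an added example that is not part of the original posts or of oauth2-proxy itself. The names PLURAL_ENV and find_misnamed are hypothetical, the sample compose text is constructed, and the map is a non-exhaustive assumption: UPSTREAMS and EMAIL_DOMAINS appear in the thread, the other two entries are added here.

```python
import re

# Assumption: non-exhaustive map of repeatable oauth2-proxy options whose
# environment variable uses the plural form. A singular name is silently
# ignored by the proxy, which is what happened in this thread.
PLURAL_ENV = {
    "OAUTH2_PROXY_UPSTREAM": "OAUTH2_PROXY_UPSTREAMS",
    "OAUTH2_PROXY_EMAIL_DOMAIN": "OAUTH2_PROXY_EMAIL_DOMAINS",
    "OAUTH2_PROXY_WHITELIST_DOMAIN": "OAUTH2_PROXY_WHITELIST_DOMAINS",
    "OAUTH2_PROXY_COOKIE_DOMAIN": "OAUTH2_PROXY_COOKIE_DOMAINS",
}

# Matches both compose styles: "- NAME=value" and "NAME: value".
ENV_LINE = re.compile(r'^\s*(?:-\s*)?["\']?([A-Z][A-Z0-9_]*)["\']?\s*[=:]')

# Constructed sample, reduced from the compose file in the question.
SAMPLE = """\
services:
  forward-auth:
    environment:
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_UPSTREAM=static://202
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
"""


def find_misnamed(compose_text):
    """Return (line_no, found, expected) for each singular-form variable."""
    findings = []
    for line_no, line in enumerate(compose_text.splitlines(), start=1):
        match = ENV_LINE.match(line)
        if match and match.group(1) in PLURAL_ENV:
            name = match.group(1)
            findings.append((line_no, name, PLURAL_ENV[name]))
    return findings


if __name__ == "__main__":
    for line_no, found, expected in find_misnamed(SAMPLE):
        print(f"line {line_no}: {found} is ignored, use {expected}")
```
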

Ok. I thought it may be related to the tutorial chaining two middlewares.
