Hi,
Is there any way to get the "provider user access token" so I can reuse it elsewhere in my services?
I'm interested in my backend retrieving more information about the logged user, but while taking a look at oauth2_proxy code it seems the cookie is an encrypted value. So from the backend side even by reading the cookie I'm unable to determine the provider access token.
Thank you,
EDIT: I was looking for it for a moment (including looking in old bitly issues)... but but but... it seems I missed:
I'm not sure it will solve my problem since I don't know yet if -pass-authorization-header that has this description pass OIDC IDToken to upstream via Authorization Bearer header also work for selected provider like Google/GitHub... I will give a try tomorrow 馃槂
I clearly don't know what I'm doing wrong 馃槥... Using oauth2_proxy for a while but first time trying to do this.
To sum up, I have those settings:
- --provider=google
- --email-domain=XXXXXXXXXXXXX
- --skip-provider-button=true
- --skip-auth-preflight=true
- --request-logging=true
- --google-admin-email=XXXXXXXX
- --google-group=XXXXXXXXXX
- --google-service-account-json=XXXXXXXXX
- --whitelist-domain=XXXXXXXX
- --cookie-domain=XXXXXXXXX
- --cookie-expire=24h
- --cookie-refresh=1h
- --pass-authorization-header=true
- --pass-host-header=true
- --pass-access-token=true
- --set-xauthrequest=true
- --set-authorization-header=true
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
(as you can see I try to set/pass all available headers for debugging purpose)
1) So if my browser is clear, if I go to mydomain.com/home I will go through Google login and then access successfully to my content... But the microservice I'm reaching never get any header with some OAuth2 id_token or anything else. And I'm also not able to see any x-auth-request-email header in the response.
2) On the other hand if I go on mydomain.com/oauth2/auth I see a white page, it seems normal since this URL should return either 200 or 401 depending on my authentication validity, but if I take a look at my response headers I see x-auth-request-email.
So, in the second case, by reaching directly the oauth2-proxy pod headers are added. But when reaching my true microservice, it seems Nginx just asks oauth2-proxy if my user is valid, but without any header manipulation (I want the opposite... 馃樋).
Can someone understand my problem ^^ ?
Thank you,
Just thinking about something, I'm using the same base domain for both my microservice and the OAuth2Proxy.
Ingress1 for microservice catches: aaa.domain.com/*
Ingress2 for OAuth2Proxy catches: aaa.domain.com/oauth2/*
So in the Ingress1 I also have these annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
I'm wondering if it can be the origin of the issue hmmmm (need to make some tests). Is it something possible or an error?
EDIT:
I changed to use bbb.domain.comas authentication URL, so now I have:
Ingress1 for microservice catches: aaa.domain.com/*
Ingress2 for OAuth2Proxy catches: bbb.domain.com/*
So in the Ingress1 I also have these annotations:
nginx.ingress.kubernetes.io/auth-signin: "https://bbb.domain.com/oauth2/start?rd=$escaped_request_uri"
nginx.ingress.kubernetes.io/auth-url: "https://bbb.domain.com/oauth2/auth"
But that's still not working...
I made this working:
1) Use OAuth2Proxy just to check authentication (not to proxyfy all requests with the upstream parameter)
2) Need to set the access token in Oauth2Proxy responses with set-authorization-header=true, like that when Nginx checks the authentication this latter is able to access the access token value
3) Tell Nginx Ingress to forward a specific authentication response header Authorization with: nginx.ingress.kubernetes.io/auth-response-headers: Authorization
4) Now all authenticated requests will reach my backend services with the access token in the request
I hope it will help someone. A lot of possibilities like decrypting the cookie on the backend, using OAuth2Proxy as full proxy while using pass-authorization-header... but I tried with this solution to avoid some overhead.
Most helpful comment
I made this working:
1) Use OAuth2Proxy just to check authentication (not to proxyfy all requests with the
upstreamparameter)2) Need to set the access token in Oauth2Proxy responses with
set-authorization-header=true, like that when Nginx checks the authentication this latter is able to access the access token value3) Tell Nginx Ingress to forward a specific authentication response header
Authorizationwith:nginx.ingress.kubernetes.io/auth-response-headers: Authorization4) Now all authenticated requests will reach my backend services with the access token in the request
I hope it will help someone. A lot of possibilities like decrypting the cookie on the backend, using OAuth2Proxy as full proxy while using
pass-authorization-header... but I tried with this solution to avoid some overhead.