Reputation: 671
I'm using Azure B2C to authenticate my users. For the authentication piece I have oauth2-proxy running in a Kubernetes cluster. oauth2-proxy is running behind ingress-nginx and it's passing most of the required headers, but I do not get the X-Auth-Request-Groups header in my upstream service that is behind oauth2-proxy.
Here is my token that I get from B2C:
{
"typ": "JWT",
"alg": "RS256",
"kid": "kid_value"
}.{
"exp": 1604420825,
"nbf": 1604417225,
"ver": "1.0",
"iss": "iss_value",
"sub": "sub_value",
"aud": "aud_value",
"acr": "acr_name",
"nonce": "defaultNonce",
"iat": 1604417225,
"auth_time": 1604417225,
"groups": [
"group1"
],
"identityProviders": [
"email.com"
],
"firstname": "First Name",
"surname": "Last Name",
"idp": "IDP_VALUE",
"email": "[email protected]",
"preferred_username": "User Name"
}.[Signature]
And here are headers that I get in my upstream service after successful authentication:
{
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
Accept-Encoding: "gzip, deflate, br",
Accept-Language: "en-US,en;q=0.9",
Content-Length: "0",
Cookie: "COOKIE",
Sec-Fetch-Dest: "document",
Sec-Fetch-Mode: "navigate",
Sec-Fetch-Site: "none",
Sec-Fetch-User: "?1",
Upgrade-Insecure-Requests: "1",
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
X-Auth-Request-Access-Token: "ACCESS_TOKEN",
X-Auth-Request-Email: "[email protected]",
X-Auth-Request-Preferred-Username: "User Name",
X-Auth-Request-User: "UserID",
X-B3-Parentspanid: "Parentspanid",
X-B3-Sampled: "0",
X-B3-Spanid: "Spanid",
X-B3-Traceid: "Traceid",
X-Envoy-Attempt-Count: "1",
X-Forwarded-Client-Cert: "CEERT",
X-Forwarded-For: "Forwarded-For",
X-Forwarded-Host: "Forwarded-Host",
X-Forwarded-Port: "443",
X-Forwarded-Proto: "https",
X-Real-Ip: "Real-Ip",
X-Request-Id: "Request-Id",
X-Scheme: "https"
}
All X-Auth-Request-* headers are coming but not the one with Groups. I'm using the docker image quay.io/oauth2-proxy/oauth2-proxy:v6.1.1 and I saw in the config https://oauth2-proxy.github.io/oauth2-proxy/configuration the option "--oidc-groups-claim", but when I try to use it the container won't start because this option isn't available in this version.
Any ideas what I'm missing?
Upvotes: 2
Views: 4819
Reputation: 671
It seems that the problem is the image that I'm using, quay.io/oauth2-proxy/oauth2-proxy:v6.1.1. When I built my own image from the latest master (3rd of November 2020), everything seems to be working fine and the X-Auth-Request-Groups header is passed to the upstream service.
Upvotes: 2
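A check an upstream service can run for the situation in this thread, added here as an example and not taken from the posts or from oauth2-proxy: it compares the ID token's claims with the X-Auth-Request-* headers that actually arrived and treats a missing groups header as "no groups". The claim-to-header mapping, the comma-separated groups format, the helper names and the sample values are assumptions constructed for illustration.

```python
import base64
import json

# Assumed claim -> header pairs; the header names are the ones shown in the question.
CLAIM_TO_HEADER = {
    "email": "X-Auth-Request-Email",
    "preferred_username": "X-Auth-Request-Preferred-Username",
    "groups": "X-Auth-Request-Groups",
}

def decode_claims(jwt):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_headers(claims, headers):
    """Headers whose source claim is in the token but which never reached upstream."""
    received = {name.lower() for name, value in headers.items() if value}
    return [hdr for claim, hdr in CLAIM_TO_HEADER.items()
            if claims.get(claim) and hdr.lower() not in received]

def groups_from_headers(headers):
    """Fail closed: an absent or empty groups header yields an empty set."""
    for name, value in headers.items():
        if name.lower() == "x-auth-request-groups":
            # Assumption: multiple groups arrive comma-separated.
            return {g.strip() for g in value.split(",") if g.strip()}
    return set()

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample modelled on the token and headers in the question.
SAMPLE_TOKEN = ".".join([
    _b64({"typ": "JWT", "alg": "RS256", "kid": "kid_value"}),
    _b64({"sub": "sub_value", "groups": ["group1"],
          "email": "user@example.com", "preferred_username": "User Name"}),
    "signature-placeholder",
])
SAMPLE_HEADERS = {
    "X-Auth-Request-Email": "user@example.com",
    "X-Auth-Request-Preferred-Username": "User Name",
    "X-Auth-Request-User": "UserID",
}

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print("not forwarded:", missing_headers(claims, SAMPLE_HEADERS))
    print("groups seen upstream:", groups_from_headers(SAMPLE_HEADERS))
```

Authorization code that reads groups should use `groups_from_headers` (or an equivalent) so that a proxy version which does not emit the header results in denial rather than an error or an implicit allow.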