Nginx ingress controller on K8s is not properly triggering authentication flow via oauth2-proxy for / path. How can I make it do this?
I have nginx ingress controller (v1.1.3) and oauth2-proxy (latest as of 23/6/2023) in a K8s cluster (1.22) and a web app (Kibana).
The Kibana ingress contains the annotations below.
nginx.ingress.kubernetes.io/auth-signin: https://<kibana hostname>/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://<kibana hostname>/oauth2/auth
- The deployment of Kibana, its service and the ingress seem to be ok, as I can access it via the browser at https://<kibana hostname>/.
- The oauth2-proxy deployment, service and ingress seem to at least partially work, as the URL https://<kibana hostname>/oauth2/sign_in triggers a successful authentication flow with the IdP and redirects back to https://<kibana hostname>/.
The thing that doesn't work is that the URL https://<kibana hostname>/ does not trigger the authentication flow, rather it forwards requests to the Kibana backend service.
When requesting the / path in the browser:
- I see the message setting http2 header: "cookie: _oauth2_proxy=.." in nginx-controller logs
- In the oauth2-proxy pod logs I see messages containing GET - "/oauth2/auth" HTTP/1.1
- In IdP logs I see a successful authentication
- I do not see an "auth" response containing assertion attributes from the IdP as when the URL is /oauth2/auth
What is going wrong that prevents the authentication flow via oauth2-proxy from functioning?
The issue was caused by an incorrect setting of the Redirect URIs in the IdP; correcting this resolved the issue.
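
For reference, the two-Ingress layout that the annotations in the question rely on, written out as an added example that is not part of the original post. The hostname kibana.example.com, the namespace, the object and service names and the ports are assumptions standing in for the poster's own values.

```yaml
# Added example: kibana.example.com, the "logging" namespace, the object and
# service names and the ports are assumptions, not values from the question.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kibana
  namespace: logging
  annotations:
    # nginx sends a subrequest to auth-url for every request to this Ingress.
    # A 2xx reply lets the request through to Kibana; a 401 makes nginx
    # redirect the browser to auth-signin to start the login flow.
    nginx.ingress.kubernetes.io/auth-url: "https://kibana.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://kibana.example.com/oauth2/start?rd=$escaped_request_uri"
spec:
  ingressClassName: nginx
  rules:
    - host: kibana.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kibana
                port:
                  number: 5601
---
# oauth2-proxy is exposed on the same host under /oauth2 and carries no auth-*
# annotations, so its own endpoints are never gated by the subrequest.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: logging
spec:
  ingressClassName: nginx
  rules:
    - host: kibana.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
```

With this layout the redirect URI registered at the IdP has to match the callback that oauth2-proxy sends, which is https://kibana.example.com/oauth2/callback when oauth2-proxy's default callback path is in use.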