Unauthorized error with oauth2-proxy´s allow-group flag

Asked Aug 15 '22 at 15:38

Active Aug 15 '22 at 15:59

Viewed 867 times

I am using oauth2 to handle the authentication/authorization via a company´s SSO provider of a web app running in k8. The authentication works like a charm, however, once enable authorization for a specific group ( here: "ADMIN"), I always get a 403 - Forbidden "Invalid session: unauthorized" error.

Version: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0

SSO Provider: oidc

My setup:

extraArgs:
  show-debug-on-error: True
  oidc-groups-claim: "ent_group"
  allowed-group: ["ADMIN"]
  oidc-email-claim: "email"
  scope: "openid ent_group"
  whitelist-domain: ...
  cookie-domain: ...

It matches the response from the SSO provider when tested with Postman:

{
    "email": "user@mail.com",
    "entitlement_group": [
        "ADMIN",
        "USER"
    ],
    "app_id": "app"
}

What do I do wrong?

edited Aug 15 '22 at 15:59

asked Aug 15 '22 at 15:38

Bennimi

Hm, shouldn't `ent_group` and `entitlement_group` actually match verbatim? – Andrei Sinitson Apr 10 '23 at 17:11
Bennimi are you able to resolve it? – ImranRazaKhan Jun 27 '23 at 10:02
yes, I used the ini file instead of the args.. and it works. Cba to figure what the problem was in the end. – Bennimi Jun 28 '23 at 20:49

Unauthorized error with oauth2-proxy´s allow-group flag

0 Answers0