I'm facing an issue with oauth2 proxy and Ingress Nginx (with the latest versions) in a Kubernetes cluster where the X-Auth-Request headers are not being passed through to the client during the standard oauth authentication flow. I'm specifically using Azure as the auth provider.

Here's the relevant portion of my oauth Proxy configuration:

pass_access_token = true
pass_authorization_header = true
pass_user_headers = true
set_xauthrequest = true

When I explicitly call /oauth2/auth, I get the headers as expected. However, during the standard OAuth2 auth flow, none of the headers are returned with any request.

This situation is somewhat similar to another question here: Oauth2-Proxy do not pass X-Auth-Request-Groups header, but in my case, I'm not receiving any of the X-Auth-Request headers, except when I call /oauth2/auth directly.

I've also tried adding the following snippet to my application Ingress configuration with no luck:

nginx.ingress.kubernetes.io/configuration-snippet: |
    auth_request_set $email $upstream_http_x_auth_request_email;
    access_by_lua_block {
      if ngx.var.email ~= "" then
        ngx.req.set_header("X-Auth-Request-Email", ngx.var.email)
      end
    }

I've gone through multiple configurations, read numerous blog posts, and scoured GitHub issues, but haven't been able to resolve this issue. Does anyone have any insights into what could be causing this behavior?

Daniel Taub

1 Answer

You do have a Kubernetes Ingress resource that manages external access to the services in your cluster. That is typically defined in a YAML file and applied to your Kubernetes cluster using kubectl apply -f <filename.yaml>.

Something like (mentioned for other readers):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    # annotations go here
spec:
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      # networking.k8s.io/v1 requires path and pathType on every entry
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

In the annotations section, you can specify various settings that the Nginx Ingress Controller should apply. I would suggest, from the kubernetes/ingress-nginx annotations External Authentication:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-groups, x-auth-request-email"
spec:
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      # networking.k8s.io/v1 requires path and pathType on every entry
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

(And kubectl apply -f <your-ingress-config>.yaml)

That would explicitly tell the Ingress to pick these headers from the authentication response and pass them to the upstream application.

Doing this updates the Ingress resource in your Kubernetes cluster and subsequently should update the Nginx Ingress Controller's configuration. After applying, give it some time to propagate, and then you can check if the X-Auth-Request headers are being passed as you expect.

If not, and if nothing is obvious in kubectl logs <nginx-ingress-pod> output, check the OAuth2 Proxy logs (kubectl logs <oauth2-proxy-pod>) to see if the headers are generated as expected (because if they are not... no amount of Lua script would change the end result).

VonC
  • I've already tried this configuration with no luck; the oauth proxy logs do show some info about the user, but it is not returned in the response – Daniel Taub Sep 02 '23 at 12:35
  • @DanielTaub OK. You may need to capture the full request and response headers at various points (client to Nginx, Nginx to OAuth2 Proxy, OAuth2 Proxy to Azure). This would allow you to verify if the headers are being set and propagated as intended. – VonC Sep 02 '23 at 13:59
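
One way to check the point the answer makes, that auth-response-headers copies the listed headers onto the request sent to the upstream application: a small echo backend that reports which of them arrived. This is an added example, not code from the question or the answer; `identity_report`, `EchoHandler` and `probe` are hypothetical names, and the sample header values are constructed.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Header names from the auth-response-headers annotation in the answer above.
EXPECTED = ("x-auth-request-user", "x-auth-request-groups", "x-auth-request-email")


def identity_report(headers):
    """Return which expected headers arrived (case-insensitive) and which did not."""
    seen = {k.lower(): v for k, v in headers.items()}
    present = {name: seen[name] for name in EXPECTED if seen.get(name)}
    missing = [name for name in EXPECTED if name not in present]
    return {"present": present, "missing": missing}


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with a JSON report of the identity headers it received."""

    def do_GET(self):
        body = json.dumps(identity_report(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # stay quiet; the JSON body is the result
        pass


def probe(request_headers):
    """Run the echo server on a loopback port, send one request, return the report."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    try:
        conn.request("GET", "/", headers=request_headers)
        return json.loads(conn.getresponse().read())
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Constructed sample standing in for what the ingress adds after the auth subrequest.
    print(probe({"X-Auth-Request-Email": "user@example.com"}))
    # As a real backend: ThreadingHTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

Deployed as the Service behind the Ingress, the JSON body shows what the controller forwarded on the proxied request, which is separate from the headers on the response the browser receives.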