我正在使用 Azure B2C 对我的用户进行身份验证。对于身份验证部分,我在 kubernetes 集群中运行了 oauth2-proxy。Oauth2-Proxy 在 ingress-nginx 后面运行,它传递了大部分必需的标头,但我没有在 oauth2-proxy 后面的上游服务中获得 X-Auth-Request-Groups 标头。
这是我从 B2C 获得的令牌:
{
"typ": "JWT",
"alg": "RS256",
"kid": "kid_value"
}.{
"exp": 1604420825,
"nbf": 1604417225,
"ver": "1.0",
"iss": "iss_value",
"sub": "sub_value",
"aud": "aud_value",
"acr": "acr_name",
"nonce": "defaultNonce",
"iat": 1604417225,
"auth_time": 1604417225,
"groups": [
"group1"
],
"identityProviders": [
"email.com"
],
"firstname": "First Name",
"surname": "Last Name",
"idp": "IDP_VALUE",
"email": "username@email.com",
"preferred_username": "User Name"
}.[Signature]
以下是成功认证后我在上游服务中获得的标头:
{
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
Accept-Encoding: "gzip, deflate, br",
Accept-Language: "en-US,en;q=0.9",
Content-Length: "0",
Cookie: "COOKIE",
Sec-Fetch-Dest: "document",
Sec-Fetch-Mode: "navigate",
Sec-Fetch-Site: "none",
Sec-Fetch-User: "?1",
Upgrade-Insecure-Requests: "1",
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
X-Auth-Request-Access-Token: "ACCESS_TOKEN",
X-Auth-Request-Email: "username@email.com",
X-Auth-Request-Preferred-Username: "User Name",
X-Auth-Request-User: "UserID",
X-B3-Parentspanid: "Parentspanid",
X-B3-Sampled: "0",
X-B3-Spanid: "Spanid",
X-B3-Traceid: "Traceid",
X-Envoy-Attempt-Count: "1",
X-Forwarded-Client-Cert: "CEERT",
X-Forwarded-For: "Forwarded-For",
X-Forwarded-Host: "Forwarded-Host",
X-Forwarded-Port: "443",
X-Forwarded-Proto: "https",
X-Real-Ip: "Real-Ip",
X-Request-Id: "Request-Id",
X-Scheme: "https"
}
所有 X-Auth-Request-* 标头都将出现,但不是带有组的标头。我正在使用 docker image quay.io/oauth2-proxy/oauth2-proxy:v6.1.1我在配置中看到https://oauth2-proxy.github.io/oauth2-proxy/configuration选项“--oidc-groups -claim”,但是当我尝试使用它时,容器将无法启动,因为此选项在此版本中不可用。
有什么我想念的想法吗?