我正在使用 oauth2-proxy (v7.2.0) 进行身份验证
注意:我使用 traefik v2 将请求重定向到通过 helm chart 部署的 oauth2-proxy。
下面,用于配置我的 oauth2-proxy 的选项
extraArgs:
provider: "gitlab"
redirect-url: "https://auth.mycompany.com/oauth2/callback"
oidc-issuer-url: "https://gitlab.mycompany.com"
provider-display-name: "MyCompany - GitLab"
cookie-secure: "true"
email-domain: "*"
reverse-proxy: "true"
standard-logging: "true"
auth-logging: "true"
request-logging: "true"
cookie-domain: ".mycompany.com"
pass-access-token: "true"
pass-authorization-header: "true"
whitelist-domain: ".mycompany.com"
set-authorization-header: "true"
set-xauthrequest: "true"
skip-auth-preflight: "false"
silence-ping-logging: "true"
skip-provider-button: "true"
Traefik v2 中间件/入口路由
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: auth-middleware
spec:
forwardAuth:
address: https://auth.mycompany.com/oauth2/auth
trustForwardHeader: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: auth-headers-middleware
spec:
headers:
sslRedirect: true
stsSeconds: 315360000
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
sslHost: app.mycompany.com
stsIncludeSubdomains: true
stsPreload: true
frameDeny: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: errors-middleware
spec:
errors:
query: /oauth2/sign_in
service:
name: oauth2-proxy
port: 80
status:
- 401-403
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`app.mycompany.com`) && PathPrefix(`/`)
kind: Rule
services:
- name: app-service
port: 80
middlewares:
- name: errors-middleware
- name: auth-middleware
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app-oauth-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`app.mycompany.com`) && PathPrefix(`/oauth2/`)
kind: Rule
services:
- name: oauth2-proxy
port: 80
middlewares:
- name: auth-headers-middleware
tls:
secretName: <app-tls-cert>
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: oauth-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.mycompany.com`) && PathPrefix(`/oauth2/`)
kind: Rule
services:
- name: oauth2-proxy
port: 80
middlewares:
- name: auth-headers-middleware
tls:
secretName: <oauth2-proxy-tls-cert>
--->当我尝试使用浏览器访问应用程序后,选项“ Skip-Provider- Button ”设置为“ False ”(例如,使用URL App.mycompany.com)
- oauth2-proxy 显示一个用于验证的按钮。
- 单击此按钮后,我将被重定向到我的 gitlab 身份验证页面,我输入我的凭据,我将可以访问我的应用程序。--这是正常行为--
--->我现在的问题是当相同的选项“ skip-provider-button ”设置为“ true ”时,一旦我尝试使用浏览器访问我的应用程序,它会显示一个带有“ Found ”字样的网页,而不是重定向我直接到我的 gitlab 身份验证网页
(单词“found”是一个超链接,它的功能与选项 skip-provider-button 设置为 false 时显示的按钮相同)
当我在我使用的命令下方使用 curl 命令(我想,我不确定)时,这个问题也会阻止我进行身份验证:
curl -L --cookie "<oauth2-proxy-name>=<cookie-secret>" -H "Authorization: Bearer <gitlab-account-token>" https://app.mycompany.com
# The command above returns:
<a href="https://gitlab.mycompany.com/oauth/authorize?approval_prompt=force&client_id=<client_id>&nonce=<some_id>&redirect_uri=https%3A%2F%2Fauth.mycompany.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=<some_id>%3Ahttps%3A%2F%2Fapp.mycompany.com%2F">Found</a>.
在 oauth2-proxy 日志中,我看到以下内容:
auth.mycompany.com GET - "/oauth2/auth" HTTP/1.1 "curl/7.58.0" 401 13 0.000
app.mycompany.com GET - "/oauth2/sign_in" HTTP/1.1 "curl/7.58.0" 302 476 0.000
任何帮助或想法将不胜感激!