Kubernetes Ingress controller dual authorization header for oauth proxy - kubernetes

I have the following use case:
An http backend application running behind an oauth proxy
An OAuth proxy that authenticates users before authorizing access to the backend application
In some cases the application behind the proxy has another authorization method that also needs to be verified.
Accessing through a browser seems to work fine as soon as I'm logged in to the oauth proxy... however, using a CLI (i.e. curl) it doesn't work because I somehow need to pass 2 different authorization headers.
After some reading I thought about sending 2 headers:
Proxy-Authorization
Authorization
The proxy-authorization needs to be sent to the oauth proxy, and the authorization is sent to the application.
For that I would add an auth-snippet that sets the Authorization header for the auth-url authentication to the value of Proxy-Authorization.
Something like this:
nginx.ingress.kubernetes.io/auth-signin: https://oauth.mydomain.net/oauth2/start?rd=https://myapplication.mydomain.net
nginx.ingress.kubernetes.io/auth-url: https://oauth.mydomain.net/oauth2/auth
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header Authorization $http_proxy_authorization;
And then set the Authorization header to the original Authorization header in the configuration-snippet:
nginx.ingress.kubernetes.io/configuration-snippet: |
  proxy_set_header Authorization "$http_authorization";
Well, it doesn't work: I'm still redirected to the OAuth login page with a 302.
I also tried using $proxy_authorization instead of $http_proxy_authorization and tried setting proxy_pass_request_headers on.
Any clue on what I can do to achieve that?

This can be achieved using cookies instead of a dual header:
curl -v -H "Authorization: FOOBAR" -b "_oauth2_proxy=<MYCOOKIE>" https://myapplication.mydomain.net/
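Why the cookie variant works while two Authorization headers collide is easier to see with the flow written out. The following is an added, in-process model (not code from the question, the answer, ingress-nginx or oauth2-proxy): stand-ins for the nginx auth_request subrequest, for oauth2-proxy's /oauth2/auth endpoint and for the backend application, wired together the way auth-url wires them. It assumes the auth endpoint only inspects the session cookie and ignores any Authorization header it receives; session and application token values are constructed.

```python
"""In-process model of the cookie-plus-Authorization flow from the answer.

Constructed example: stand-ins for nginx's auth_request subrequest,
oauth2-proxy's /oauth2/auth endpoint and the backend application. No
sockets are opened; every "request" is a plain function call.
Session values and application tokens below are made up.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
import hmac


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed session store standing in for oauth2-proxy's cookie sessions.
PROXY_SESSIONS = {"c0nstructed-session": "alice@example.net"}
# Constructed token table standing in for the application's own auth scheme.
APP_TOKENS = {"FOOBAR": "alice"}

SIGNIN_URL = "https://oauth.mydomain.net/oauth2/start"
APP_URL = "https://myapplication.mydomain.net"


def _cookie_value(headers, name):
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return jar[name].value if name in jar else None


def oauth2_auth_endpoint(req):
    """Model of /oauth2/auth: only the session cookie is inspected (assumption)."""
    user = PROXY_SESSIONS.get(_cookie_value(req.headers, "_oauth2_proxy"))
    if user is None:
        return Response(401)
    return Response(202, {"X-Auth-Request-Email": user})


def backend_app(req):
    """Model of the application: it has its own Authorization check."""
    presented = req.headers.get("Authorization", "")
    for token, user in APP_TOKENS.items():
        if hmac.compare_digest(token, presented):
            return Response(200, body=f"hello {user}")
    return Response(401, body="application token missing or invalid")


def ingress(req):
    """Model of auth-url handling: subrequest first, then proxy_pass to the app."""
    # The subrequest gets the original headers; the modelled auth endpoint
    # ignores everything except the cookie, so Authorization is not consumed.
    verdict = oauth2_auth_endpoint(Request("/oauth2/auth", dict(req.headers)))
    if verdict.status != 202:
        # auth-signin redirect, the 302 the question keeps running into
        return Response(302, {"Location": f"{SIGNIN_URL}?rd={APP_URL}{req.path}"})
    # Authenticated at the proxy: the original request, Authorization header
    # included, is forwarded to the application unchanged.
    return backend_app(req)


def curl_like(path, app_token=None, session=None):
    """Build what the answer's curl line sends: -H Authorization plus -b cookie."""
    headers = {}
    if app_token is not None:
        headers["Authorization"] = app_token
    if session is not None:
        headers["Cookie"] = f"_oauth2_proxy={session}"
    return ingress(Request(path, headers)).status


if __name__ == "__main__":
    print("both credentials:", curl_like("/", "FOOBAR", "c0nstructed-session"))  # 200
    print("cookie only     :", curl_like("/", None, "c0nstructed-session"))      # 401 from the app
    print("header only     :", curl_like("/", "FOOBAR"))                         # 302 to sign-in
```

The two credentials never compete for the same header: the proxy's identity rides in the cookie and is checked by the subrequest, while the Authorization header is left alone for the application. Only a request carrying both reaches a 200.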

Related

Keycloak throwing no referrer after TLS termination

I'm using istio as proxy in front of keycloak. I'm offloading TLS at NLB, and am serving Keycloak using http port.
I can correctly reach the first keycloak page, but when I click Administration Console, I get the result below.
I'm blocked at keycloak.js?version=4hm2q, and I see that Request URL is http://mykeycloak-address/auth/js/keycloak.js?version=4hm2q, and Referrer Policy is no-referrer. Request Headers show that Referer header is empty.
I have PROXY_ADDRESS_FORWARDING set to "true". I tried both an http to https redirect and no redirection. When I set the https redirect to false, I get an "https required" error.
Any help? Thanks.

Keycloak with api gateway Invalid bearer token

I am trying to use Keycloak behind an API gateway (Apache APISIX).
I use minikube to run Keycloak and my API gateway.
The gateway is working right and Keycloak too :
With Keycloak, I can use the different endpoints (use the discovery endpoint (http://127.0.0.1:7070/auth/realms/myrealm/.well-known/uma2-configuration), request an access token and verify it).
With APISIX, and a simple route, I can join a backend microservice on my minikube.
(typically : http://127.0.0.1:80/greeting is served by the gateway which routes the request to the right backend microservice)
The problem occurs when I try to use the two tools together. I have used the Keycloak integration, in order to force the user to use a valid token when he is using a route served by the gateway.
In this case, when I use a valid bearer token (I get it and verify it with the Keycloak endpoint) and I try to request the backend via the API gateway with the verified bearer token, I systematically obtain an "Invalid bearer token" exception.
{"error":"invalid_grant","error_description":"Invalid bearer token"}
I think the settings of the integration are well set because I am sure that the gateway calls Keycloak to verify the token.
Here are the Keycloak endpoints I have used to get and verify the token:
Get token : http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token
Verify : http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token/introspect
I have seen some posts about problems when Keycloak is behind a reverse proxy, but I don't find a clear solution to my case.
Thanks for any help you can bring to me.
Regards
CG
I think there are those ways you can do it.
First, I think you can check the log of Apache APISIX.
Second, you can check the log of Keycloak.
Third, you can use tcpdump or Wireshark to capture the request that Apache APISIX sends to Keycloak, and diff the request sent by APISIX against the one sent by curl.
Looking forward to your reply.

cURL follow redirect without headers from original request

I'm trying to download the bits of a Cloud Foundry app using the Cloud Foundry API.
https://apidocs.cloudfoundry.org/236/apps/downloads_the_bits_for_an_app.html
When using a remote blobstore, such as AWS, the response is a redirect to the actual location of the bits. If the client is automatically following redirects, then the OAuth token that was used to communicate with Cloud Controller will be replayed on the new redirect request. Some blobstores may reject the request in that case. Clients may need to follow the redirect without including the OAuth token.
Here is my cURL command I'm attempting to use:
$ curl -L "https://api.my.host.net/v2/apps/my_app_guid/download" -X GET -H "Authorization: bearer myauthtoken"
curl: (7) Failed to connect to dal05.objectstorage.service.networklayer.com port 443: Operation timed out
I'm assuming my issue is that my Auth header bearer token is being sent on the redirect based on the quote from the Cloud Foundry API docs. How can I follow the redirect without the OAuth token? I'm using the default cURL command line utility on Mac OS X 10.11.
While @DanielStenberg's comment appears to be correct that the header wasn't my issue, I'll go ahead and provide an answer to my original question.
It appears the only way to follow the redirect without headers would be to NOT immediately follow the redirect, but print the response headers with the curl -D - command option. Once you get the 301/302 response from the original request, check the location header value that came in the response headers, then execute another curl to that location.
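The procedure in that answer, written as a client, as an added example that is not the Cloud Foundry CLI's code, curl's code, or anything from the original post: the first request carries the token and is not auto-followed, the Location header is read, and the new URL is requested; the token is dropped when the redirect target has a different origin, which generalizes the blobstore case slightly (a same-origin redirect keeps it). The transport is a constructed in-memory stand-in for Cloud Controller and a remote blobstore; the blobstore host and signature are made up, and its rejection of requests that carry an Authorization header is an assumption modelled on the behaviour the API docs warn about.

```python
"""Follow a redirect by hand so the OAuth token is not replayed to the new host.

Added example, not the Cloud Foundry CLI's or curl's code. It does what the
answer describes: send the first request with the token and no auto-follow,
read the Location header, then request that URL; the token is dropped
when the redirect target has a different origin (the blobstore case).
The transport below is a constructed in-memory stand-in for the network.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) triple used to decide whether the token may travel."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


def fetch_without_replaying_token(url, token, transport, max_hops=5):
    """transport(method, url, headers) -> (status, headers, body).

    Returns (status, body, trace) where trace lists, per hop,
    (url, token_was_sent, status).
    """
    headers = {"Authorization": f"bearer {token}"}
    trace = []
    for _ in range(max_hops + 1):
        status, resp_headers, body = transport("GET", url, headers)
        trace.append((url, "Authorization" in headers, status))
        if status not in REDIRECT_STATUSES:
            return status, body, trace
        location = resp_headers.get("Location")
        if not location:
            raise ValueError(f"{status} without Location header from {url}")
        next_url = urljoin(url, location)
        if origin(next_url) != origin(url):
            headers = {}  # cross-origin hop: the token stays behind
        url = next_url
    raise RuntimeError("too many redirects")


def fetch_replaying_token(url, token, transport, max_hops=5):
    """Naive client that keeps every header across redirects (the failure mode)."""
    headers = {"Authorization": f"bearer {token}"}
    for _ in range(max_hops + 1):
        status, resp_headers, body = transport("GET", url, headers)
        if status not in REDIRECT_STATUSES:
            return status, body
        url = urljoin(url, resp_headers["Location"])
    raise RuntimeError("too many redirects")


# Constructed stand-in for Cloud Controller plus a remote blobstore.
API_URL = "https://api.my.host.net/v2/apps/my_app_guid/download"
BLOB_URL = "https://blobstore.example.net/bits/my_app_guid?sig=constructed-signature"
VALID_TOKEN = "myauthtoken"


def fake_transport(method, url, headers):
    if url == API_URL:
        if headers.get("Authorization") == f"bearer {VALID_TOKEN}":
            return 302, {"Location": BLOB_URL}, ""
        return 401, {}, "not authenticated"
    if url == BLOB_URL:
        # Assumption: a blobstore that refuses a request carrying an
        # Authorization header alongside its pre-signed URL.
        if "Authorization" in headers:
            return 400, {}, "conflicting authentication mechanisms"
        return 200, {}, "<app bits>"
    return 404, {}, "not found"


if __name__ == "__main__":
    print(fetch_replaying_token(API_URL, VALID_TOKEN, fake_transport))         # (400, ...)
    print(fetch_without_replaying_token(API_URL, VALID_TOKEN, fake_transport))  # (200, ...)
```

The trace makes the security property visible: the token is sent exactly once, to the API host that issued the redirect, and never to the host named in Location. Newer curl releases apply the same rule on their own and drop a custom Authorization header when a redirect leaves the original host, so the `-D -` two-step in the answer is mainly needed on older builds or when a client library replays headers unconditionally.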

What does `endpoint` exactly mean in OAuth?

I saw the word "endpoint" many times in OAuth documents. However, I still don't know what this word really means. Does anyone have ideas about this?
The OAuth 2.0 Authorization Framework:
The authorization process utilizes two authorization server endpoints (HTTP resources):
Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.
It's basically the HTTP web address of the authentication server. It could probably be several server addresses depending upon how it's set up. The first is for requesting access from the user; the second could be for granting access to the application. This probably depends upon how the authentication server is set up.
OAuth endpoints are the URLs you use to make OAuth authentication requests to the server. You need to use the correct OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints depend upon the system you are trying to access.
For example, Google has two endpoints:
Request access of user:
https://accounts.google.com/o/oauth2
Exchange tokens
https://accounts.google.com/o/oauth2/token
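The two endpoints from a client's point of view, as an added example that is not from the original answer or from Google's libraries: it builds the redirect to the authorization endpoint and the form body posted to the token endpoint. It adds the `state` check and a PKCE S256 challenge that a client should send, which goes a little beyond the answer's description. The endpoint URLs are the two quoted in the answer; client_id, client_secret, redirect_uri and the callback are constructed placeholders.

```python
"""A client's use of the two OAuth 2.0 endpoints named above.

Added example, not from the original answer. It builds the redirect to the
authorization endpoint and the form posted to the token endpoint, adding
the `state` and PKCE (S256) protections a client should send.
Endpoint URLs are the ones quoted in the answer; client_id, redirect_uri
and the callback are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2"   # as quoted in the answer
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"      # as quoted in the answer


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """43-128 character high-entropy verifier (RFC 7636)."""
    return _b64url(secrets.token_bytes(48))   # 64 characters


def code_challenge(verifier):
    """S256 transform: BASE64URL(SHA256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id, redirect_uri, scope, state, verifier):
    """Step 1: the URL the user-agent is redirected to (authorization endpoint)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def code_from_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the redirect back to the client."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this flow")
    return query["code"][0]


def build_token_request(client_id, client_secret, redirect_uri, code, verifier):
    """Step 3: the POST body for the token endpoint (grant exchanged for a token)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }
    return TOKEN_ENDPOINT, body


if __name__ == "__main__":
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    redirect_uri = "https://client.example.net/cb"   # constructed
    url = build_authorization_url("constructed-client-id", redirect_uri,
                                  "openid email", state, verifier)
    print(url)
    # Constructed callback, shaped like the authorization server's redirect:
    callback = f"{redirect_uri}?{urlencode({'code': 'constructed-code', 'state': state})}"
    code = code_from_callback(callback, state)
    print(build_token_request("constructed-client-id", "constructed-secret",
                              redirect_uri, code, verifier))
```

The split matches the quoted RFC text: the user-agent only ever visits the authorization endpoint, and the client alone, with its own credentials, talks to the token endpoint. `state` ties the callback to the flow that started it, and the verifier proves to the token endpoint that the same client that began the redirect is the one redeeming the code.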

Sending credentials in a POST request via Fiddler

How do I send credentials using Fiddler in a POST request (or any Http Method)? I don't see anything in the Composer tab.
That entirely depends on what sort of credentials your server uses. If it's using HTTP authentication, the headers go in an Authorization header. If your server uses cookies, the creds go in the Cookie request header. If your server uses HTTPS client certificates, the credential is attached to the TLS connection itself and does not appear anywhere in the HTTP request.
If you are simply trying to authenticate to a service that uses HTTP authentication with your current Windows credentials, tick the Automatically Authenticate box on the Composer's Options subtab.