[Support]: nginx + oauth2-proxy, logout configuration #2613

Open
mirawara opened this issue Apr 22, 2024 · 0 comments

mirawara commented Apr 22, 2024

OAuth2-Proxy Version

7.6.0

Provider

keycloak-oidc

Current Behaviour of your Problem

Hi,
I followed this guide to add authentication to my services through Keycloak. It works great, except for the logout. I tried to do something like http://service/oauth2/sign_out, which should proxy pass to oauth2-proxy, but I get the following HTTP error: ERR_TOO_MANY_REDIRECTS.

I tried using both backend URLs that are visible in the file or removing the option, but nothing worked. The ID token is not specified as I could see here.

I have the following error in the oauth2-proxy logs:

[2024/04/22 10:55:41] [oauthproxy.go:758] error getting authenticated session during backend logout: redirect to login page
192.168.0.108 - aeacbfa5-14e1-4a5f-8eea-72245a85c078 - - [2024/04/22 10:55:41] cyberchef.pippo.it GET - "/oauth2/sign_out" HTTP/1.0 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" 302 39 0.000

I would like to be logged out from Keycloak and have the session in oauth2-proxy deleted, but I can't figure out how to do it. Any suggestions?

Thanks in advance.

Configuration details or additional information

Environment configuration file:

OAUTH2_PROXY_COOKIE_SECRET=fLIblJsthbMhgELnmpqrCbWQD9P1vyDfI5SAs8BUG6c=
OAUTH2_PROXY_CLIENT_ID=oauth2-proxy
OAUTH2_PROXY_CLIENT_SECRET=secret
OAUTH2_PROXY_PROVIDER=github
OAUTH2_PROXY_EMAIL_DOMAINS=*
OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
OAUTH2_PROXY_GITHUB_USER="github_username"
OAUTH2_PROXY_REDIRECT_URL=http://oauth2proxy.pippo.it/oauth2/callback
#OAUTH2_PROXY_BACKEND_LOGOUT_URL="http://cyberchef.pippo.it"
OAUTH2_PROXY_BACKEND_LOGOUT_URL="https://auth.dev.pippo.it/realms/TestRealm/protocol/openid-connect/logout?id_token_hint={id_token}&post_logout_redirect_uri=http://cyberchef.pippo.it"
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
OAUTH2_PROXY_SESSION_STORE_TYPE=cookie
OAUTH2_PROXY_COOKIE_SAMESITE=lax
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=true
OAUTH2_PROXY_COOKIE_CSRF_EXPIRE=5m
OAUTH2_PROXY_SESSION_COOKIE_MINIMAL=true
#OAUTH2_PROXY_SCOPE=openid email user
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
OAUTH2_PROXY_PASS_USER_HEADERS=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_OIDC_ISSUER_URL=https://auth.dev.pippo.it/realms/TestRealm
OAUTH2_PROXY_PROVIDER=keycloak-oidc
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Keycloak
OAUTH2_PROXY_COOKIE_SECURE=false
#OAUTH2_PROXY_EXTRA_JWT_ISSUERS=https://auth.dev.pippo.it/realms/TestRealm/.well-known/openid-configuration
OAUTH2_PROXY_WHITELIST_DOMAINS=*.pippo.it
OAUTH2_PROXY_COOKIE_DOMAINS=pippo.it
OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true

Steps To Reproduce

No response
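
An added example, not part of the original issue or of the oauth2-proxy project: a small Python check over an env file like the one posted above, flagging conflicting keys and settings that affect logout and session cookies. It assumes the documented option behaviour that `{id_token}` in the backend logout URL is filled from the stored session and that the minimal cookie option strips OAuth tokens from cookie sessions; `parse_env` and `lint` are hypothetical names, and the sample input is a constructed subset of the posted file.

```python
# Constructed sample: a subset of the env file posted in the issue.
SAMPLE_ENV = """\
OAUTH2_PROXY_PROVIDER=github
OAUTH2_PROXY_REDIRECT_URL=http://oauth2proxy.pippo.it/oauth2/callback
OAUTH2_PROXY_BACKEND_LOGOUT_URL="https://auth.dev.pippo.it/realms/TestRealm/protocol/openid-connect/logout?id_token_hint={id_token}&post_logout_redirect_uri=http://cyberchef.pippo.it"
OAUTH2_PROXY_SESSION_STORE_TYPE=cookie
OAUTH2_PROXY_SESSION_COOKIE_MINIMAL=true
OAUTH2_PROXY_PROVIDER=keycloak-oidc
OAUTH2_PROXY_COOKIE_SECURE=false
"""

def parse_env(text):
    """Parse KEY=VALUE lines; return (settings, conflicts). Last value wins here,
    which is an assumption: the real winner depends on how the file is loaded."""
    settings, conflicts = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key in settings and settings[key] != value:
            conflicts.setdefault(key, [settings[key]]).append(value)
        settings[key] = value
    return settings, conflicts

def lint(text):
    """Return (code, message) findings for logout and cookie related settings."""
    settings, conflicts = parse_env(text)
    def get(name, default=""):
        return settings.get("OAUTH2_PROXY_" + name, default)
    findings = [("CONFLICTING_KEY", f"{k} is assigned {v}") for k, v in conflicts.items()]
    # {id_token} is filled from the stored session, but a minimal cookie
    # session has its OAuth tokens stripped before it is written.
    if ("{id_token}" in get("BACKEND_LOGOUT_URL")
            and get("SESSION_COOKIE_MINIMAL").lower() == "true"
            and get("SESSION_STORE_TYPE", "cookie") == "cookie"):
        findings.append(("ID_TOKEN_UNAVAILABLE",
                         "backend logout URL needs {id_token}, minimal cookie session stores none"))
    if get("COOKIE_SECURE").lower() == "false":
        findings.append(("COOKIE_NOT_SECURE", "session cookie is also sent over plain HTTP"))
    if get("REDIRECT_URL").startswith("http://"):
        findings.append(("PLAINTEXT_CALLBACK", "OAuth callback is served without TLS"))
    return findings

if __name__ == "__main__":
    for code, message in lint(SAMPLE_ENV):
        print(f"{code}: {message}")
```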
