We are trying to authenticate against Azure, but the only way to get this far is to use the OIDC provider vs the Azure provider. When using the Azure provider, we are being locked into using the V1 token URLs even though the Manifest is configured to accept V2. We are unsure what to check at this point that would point at what is going wrong. This is the exact wording of the error received:
oauth2-proxy-1 | [2024/05/14 17:05:09] [oauthproxy.go:881] Error redeeming code during OAuth2 callback: could not verify id_token: failed to verify token: failed to verify signature: failed to verify id token signature
On a side note, when using the Azure provider, we can swap it to the V1 endpoints; it still fails to verify the id token signature, but also produces a new error:
oauth2-proxy-1 | [2024/05/14 17:08:32] [oauthproxy.go:881] Error redeeming code during OAuth2 callback: unable to get email and/or groups claims from token: unable to verify token: unable to verify access token: failed to verify token: oidc: malformed jwt: oidc: malformed jwt, expected 3 parts got 1
Any assistance in what we can check or configuration changes we can try would be appreciated.
Configuration details or additional information
The OAuth2 Proxy is running in a Docker container using the following config:
OIDC Provider Config:
```yaml
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4567
      OAUTH2_PROXY_UPSTREAMS: http://localhost:4000/
      OAUTH2_PROXY_PROVIDER: oidc
      OAUTH2_PROXY_CLIENT_ID: (App. (client) ID from Azure Portal)
      OAUTH2_PROXY_CLIENT_SECRET: (Secret created and associated with this App)
      OAUTH2_PROXY_AZURE_TENANT: (Azure Tenant ID)
      OAUTH2_PROXY_SKIP_OIDC_DISCOVERY: true
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://login.microsoftonline.com/(Azure Tenant ID)/v2.0
      OAUTH2_PROXY_LOGIN_URL: https://login.microsoftonline.com/(Azure Tenant ID)/oauth2/v2.0/authorize
      OAUTH2_PROXY_REDEEM_URL: https://login.microsoftonline.com/(Azure Tenant ID)/oauth2/v2.0/token
      OAUTH2_PROXY_OIDC_JWKS_URL: https://login.microsoftonline.com/(Azure Tenant ID)/discovery/v2.0/keys
      OAUTH2_PROXY_REDIRECT_URL: https://(URL of our app)/oauth2/callback
      # (I've tried various things to get this to work)
      # OAUTH2_PROXY_SKIP_OIDC_DISCOVERY: true
      # OAUTH2_PROXY_USER_ID_CLAIM: email
      # OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub
      # OAUTH2_PROXY_OIDC_AUDIENCE_CLAIM: aud
      # OAUTH2_PROXY_SCOPE: openid
      # OAUTH2_PROXY_PASS_ACCESS_TOKEN: true
      # OAUTH2_PROXY_PASS_USER_HEADERS: true
      # OAUTH2_PROXY_SET_XAUTHREQUEST: true
      OAUTH2_PROXY_EMAIL_DOMAINS: (our TLD)
      OAUTH2_PROXY_COOKIE_SECRET: ef0dadb7b7fae08e6ba778b267aa7b9c
      OAUTH2_PROXY_STANDARD_LOGGING: true
      OAUTH2_PROXY_AUTH_LOGGING: true
      OAUTH2_PROXY_REQUEST_LOGGING: true
      OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: true
      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true
      # OAUTH2_PROXY_SCOPE: https://(URL of our app)/users.email
      # OAUTH2_PROXY_COOKIE_SECURE: true
      # OAUTH2_PROXY_OIDC_GROUPS_CLAIM: roles
    restart: always
    ports:
      - 4567:4567/tcp
```
Azure Provider Config:
```yaml
services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4567
      OAUTH2_PROXY_UPSTREAMS: http://localhost:4000/
      OAUTH2_PROXY_PROVIDER: azure
      OAUTH2_PROXY_CLIENT_ID: (App. (client) ID from Azure Portal)
      OAUTH2_PROXY_CLIENT_SECRET: (Secret created and associated with this App)
      OAUTH2_PROXY_AZURE_TENANT: (Azure Tenant ID)
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://sts.windows.net/(Azure Tenant ID)/
      OAUTH2_PROXY_EMAIL_DOMAINS: (TLD of our company)
      OAUTH2_PROXY_REDIRECT_URL: https://(URL of our App)/oauth2/callback
      OAUTH2_PROXY_COOKIE_SECRET: ef0dadb7b7fae08e6ba778b267aa7b9c
      OAUTH2_PROXY_COOKIE_SECURE: true
      OAUTH2_PROXY_OIDC_JWKS_URL: https://login.microsoftonline.com/(Azure Tenant ID)/discovery/v2.0/keys
    restart: always
    ports:
      - 4567:4567/tcp
```
Steps To Reproduce
No response
OAuth2-Proxy Version
7.6.0
Provider
oidc
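The two errors in the report have different shapes: the first is a signature check failing on a token that parsed as a three-part JWT, the second ("expected 3 parts got 1") means the access token was not a JWT at all, so no configuration of the verifier can make it pass. Before going to the JWKS, a useful triage step is to decode the unverified header and claims of the token and compare its `iss`, `ver`, `aud` and `kid` against what the proxy is configured to expect. The Go program below is an added example written for this issue, not code from oauth2-proxy; it assumes a placeholder tenant ID and client ID, constructs unsigned tokens inline for the demonstration, and uses the issuer formats Microsoft documents for v1 (`https://sts.windows.net/{tenant}/`) and v2 (`https://login.microsoftonline.com/{tenant}/v2.0`) tokens. It deliberately does not verify signatures; its output only tells you which mismatch to look at next.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed placeholder tenant; not the reporter's tenant.
const placeholderTenant = "00000000-0000-0000-0000-000000000000"

// Issuer strings Microsoft Entra ID puts in v1 and v2 tokens.
func issuerV1(tenant string) string { return "https://sts.windows.net/" + tenant + "/" }
func issuerV2(tenant string) string { return "https://login.microsoftonline.com/" + tenant + "/v2.0" }

// TokenInfo holds the unverified fields relevant to an issuer/key mismatch.
type TokenInfo struct {
	Alg, Kid, Iss, Ver, Aud string
}

// InspectJWT decodes the header and claims of a compact JWS WITHOUT checking the
// signature. Diagnostic only: never accept a token on the basis of this output.
func InspectJWT(token string) (TokenInfo, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		// Same shape as the second error in the report: an opaque (non-JWT)
		// access token cannot be verified as a JWT regardless of configuration.
		return TokenInfo{}, fmt.Errorf("expected 3 parts got %d: not a JWT (opaque token?)", len(parts))
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	var claims struct {
		Iss string `json:"iss"`
		Ver string `json:"ver"`
		Aud string `json:"aud"`
	}
	for i, dst := range []interface{}{&hdr, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil {
			return TokenInfo{}, fmt.Errorf("part %d is not base64url: %w", i, err)
		}
		if err := json.Unmarshal(raw, dst); err != nil {
			return TokenInfo{}, fmt.Errorf("part %d is not JSON: %w", i, err)
		}
	}
	return TokenInfo{Alg: hdr.Alg, Kid: hdr.Kid, Iss: claims.Iss, Ver: claims.Ver, Aud: claims.Aud}, nil
}

// Diagnose reports the first configuration-level reason a verifier set up with
// configuredIssuer/clientID would reject the token, using only unverified
// claims. An empty result means the remaining suspect is the signature itself
// (wrong JWKS URL or a kid that is absent from the fetched key set).
func Diagnose(configuredIssuer, clientID, token string) string {
	info, err := InspectJWT(token)
	if err != nil {
		return err.Error()
	}
	switch {
	case info.Iss != configuredIssuer:
		return fmt.Sprintf("issuer mismatch: token iss=%q (ver=%s) but proxy expects %q", info.Iss, info.Ver, configuredIssuer)
	case info.Aud != clientID:
		return fmt.Sprintf("audience mismatch: token aud=%q but client_id is %q", info.Aud, clientID)
	case info.Kid == "":
		return "no kid in header: verifier cannot select a JWKS key"
	}
	return ""
}

// buildUnsignedJWT assembles a constructed token for the demo. The signature
// segment is a dummy so the three-part shape is preserved; it would never verify.
func buildUnsignedJWT(header, claims map[string]string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(header) + "." + enc(claims) + "." + base64.RawURLEncoding.EncodeToString([]byte("dummy-signature"))
}

func main() {
	cfgIssuer := issuerV2(placeholderTenant) // what the OIDC config in the report expects
	clientID := "app-client-id-placeholder"  // constructed placeholder
	hdr := map[string]string{"alg": "RS256", "kid": "constructed-kid"}
	v1 := buildUnsignedJWT(hdr, map[string]string{"iss": issuerV1(placeholderTenant), "ver": "1.0", "aud": clientID})
	v2 := buildUnsignedJWT(hdr, map[string]string{"iss": cfgIssuer, "ver": "2.0", "aud": clientID})
	for _, tok := range []string{v1, v2, "opaque-access-token-blob"} {
		if msg := Diagnose(cfgIssuer, clientID, tok); msg != "" {
			fmt.Println("reject:", msg)
		} else {
			fmt.Println("claims consistent with config; verify signature against JWKS next")
		}
	}
}
```

Run it against a real id_token by replacing the constructed tokens with the value captured from the proxy's debug output: a `ver` of `1.0` with a v2 issuer configured (or the reverse) points at the endpoint/manifest mismatch the report describes, while a clean result narrows the signature failure down to the JWKS URL and the `kid` it must contain.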