Not able to authenticate Dashboard with oauth and Google

Hello,

I have configured the oauth-proxy component with the Google provider to protect certain applications in my cluster and that they are only accessible if we use this authentication system, among them, the Kubernetes Dashboard.

With oauth-proxy configured, I have created a manifest to create an Ingress resource where the authentication path is declared which is also protected with SSL through Cert Manager.

Also, I created the Ingress resource to expose the Dashboard application under an SSL protected domain.

When I access that Dashboard domain, the Google authentication flow starts, and everything seems to work fine until I am redirected back to the Dashboard after authenticating. At that point, I get the Dashboard login where it asks me to add an access token.

So, I suspect that somewhere along the way I am leaving some settings out, as Dashboard is not able to recognize that I have authenticated.

I need help, thanks!

Configuration details

When I install oauth-proxy, I install it via helm:

helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm install oauth2-proxy oauth2-proxy/oauth2-proxy \
  --namespace infrastructure \
  --values ./k8s/infrastructure/oauth2-proxy/installation.yml

With these values in the installation.yml:

config:
  clientID: "<GOOGLE_CLIENT_ID>"
  clientSecret: "<GOOGLE_CLIENT_SECRET>"
  provider: "google"
  redirectURL: "<REDIRECT_URL>"
  cookieSecret: "<COOKIE_SECRET>"
extraArgs:
  - --whitelist-domain=app1.example.com
  - --whitelist-domain=dashboard.example.com
  - --whitelist-domain=authentication.example.com
  - --cookie-domain=.example.com
  - --set-authorization-header
  - --pass-authorization-header
  - --pass-user-headers
  - --pass-access-token
  - --set-xauthrequest
service:
  portNumber: 4180

This is the ingress resource I apply to expose the authentication urls:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy-ingress
  namespace: infrastructure
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-issuer"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - authentication.example.com
      secretName: oauth2-proxy-tls-certificate
  rules:
    - host: authentication.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180

Finally, this is the ingress resource that exposes the Dashboard application:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: administration
  annotations:
    cert-manager.io/issuer: "letsencrypt-issuer"
    nginx.ingress.kubernetes.io/rewrite-target: /
    #nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/auth-url: "https://authentication.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://authentication.example.com/oauth2/start?rd=$scheme://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user,x-auth-request-email,authorization"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dashboard.example.com
      secretName: dashboard-tls-certificate
  rules:
    - host: dashboard.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard-kong-proxy
                port:
                  number: 443

Hi mcfdez,

I ran this scenario in production a few years ago using the setup from this link, and it worked well.
Take a look at it – you might find the answer to your question there.

https://geek-cookbook.funkypenguin.co.nz/recipes/kubernetes/oauth2-proxy/

Hi @jamallmahmoudi

Thank you for your input. Aperently I have everything configured correctly, but it’s as if the authentication token that Google sends me after authenticating, gets lost on the way between oauth->ingress->dashboard. Another option could be that in Dashboard I had to configure something additional, but I find it suspicious that when I am returned to my Dashboard public url by the proxy, from the DevTools I don’t see any header. That makes me suspicious.