My application running on Kubernetes (AKS) has a working standard OAuth2 authentication flow, which I added using oauth2-proxy and Keycloak. The password credentials grant type / standard flow via the browser is working fine. After the redirect to the KC login page and manual login, oauth2-proxy lets the user pass and the application page (echo server) is shown.
Now I am trying to use the grant type client credentials, e.g. from Postman or curl. I have enabled 'Service Accounts Enabled'. I can retrieve the access_token / bearer token without issues and am including it in the "Authorization" header. I can see that the token is valid and the other contents also look correct, but the request does not pass. oauth2-proxy redirects the request to the login page.
oauth2-proxy parameters:
- --provider=keycloak-oidc
- --client-id=nginx
- --client-secret=topsecret
- --redirect-url=https://my-redirect-url
- --oidc-issuer-url=https://myurl
- --silence-ping-logging
- --auth-logging=true
- --session-store-type=redis
- --set-xauthrequest=true
- --set-authorization-header=true
- --pass-authorization-header=true
- --pass-access-token=true
- --insecure-oidc-allow-unverified-email
- --show-debug-on-error
- --errors-to-info-log
- --cookie-secret=gf...
- --cookie-httponly=false
- --force-json-errors
I am not sure if I need to include this snippet in the Ingress or not:
# nginx.ingress.kubernetes.io/configuration-snippet: |
#   auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;
#   access_by_lua_block {
#     if ngx.var.name_upstream_1 ~= "" then
#       ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
#     end
#   }
Candidate root causes:
I can access the Keycloak, nginx and oauth2-proxy logs. So far the oauth2-proxy logs have helped to solve earlier issues, but the whole time I have been missing a better way to analyze what is going on. I wish there were a trace log level on oauth2-proxy which I could enable via an env var in my Helm values file, but the available options in the docs did not seem suitable.
What am I missing? How can I analyze this issue better? Or do you already have any suggestions about the root cause / fix?
You need to enable resource server mode (--skip-jwt-bearer-tokens=true flag).
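As an added example (not code from the question, the answer, or the oauth2-proxy project), the script below exercises the client-credentials path the question describes and the bearer-token check the answer points to. On the proxy side the fix is the answer's flag, --skip-jwt-bearer-tokens=true, which makes oauth2-proxy verify an Authorization: Bearer JWT against the configured OIDC issuer instead of ignoring the header and starting the cookie/redirect flow. The script requests a token with the client_credentials grant, runs pre-flight checks on the claims a resource server looks at (issuer, expiry, and which client the token was issued to), and reports the status code the proxy returns. The issuer URL, client id and client secret are the placeholder values from the question, the application URL is a hypothetical one, and the token used offline is constructed and unsigned; all of these are assumptions to replace with your own values.

```shell
#!/usr/bin/env bash
# Added example: not code from the question, the answer or the oauth2-proxy project.
# Assumed placeholder values (taken from the question, adjust to your setup):
#   --oidc-issuer-url=https://myurl   --client-id=nginx   --client-secret=topsecret
# and a hypothetical proxied application at https://my-app.example/.
# On the proxy side the answer's flag, --skip-jwt-bearer-tokens=true, must be set;
# otherwise the Authorization: Bearer header is ignored and the request is redirected.
set -eu

ISSUER="${ISSUER:-https://myurl}"            # must match --oidc-issuer-url exactly
CLIENT_ID="${CLIENT_ID:-nginx}"              # must match --client-id
CLIENT_SECRET="${CLIENT_SECRET:-topsecret}"
APP_URL="${APP_URL:-https://my-app.example/}"

# base64url-encode stdin without padding (only used to build the offline sample token)
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Decode one base64url JWT segment: restore padding and the standard alphabet.
jwt_segment() {
  local seg="$1"
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Print the payload (second segment) of a JWT as JSON.
jwt_payload() { jwt_segment "$(printf '%s' "$1" | cut -d. -f2)"; }

# Extract a flat string or numeric claim without jq (claim name as second argument).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p; s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Pre-flight checks on a token before sending it to the proxy. A wrong issuer, an
# expired token, or a token not issued to the client the proxy is configured for
# are the usual reasons a bearer token is rejected. Keycloak client_credentials
# tokens carry the client id in "azp" (and "aud" is often just "account"), so
# both claims are inspected here.
check_token() {
  local token="$1" iss exp now
  iss=$(jwt_claim "$token" iss)
  exp=$(jwt_claim "$token" exp)
  now=$(date +%s)
  [ "$iss" = "$ISSUER" ] || { echo "iss mismatch: '$iss' != '$ISSUER'" >&2; return 1; }
  [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "token expired or has no exp" >&2; return 1; }
  jwt_payload "$token" | grep -Eq "\"(aud|azp)\":(\"$CLIENT_ID\"|\[[^]]*\"$CLIENT_ID\")" \
    || { echo "token was not issued for client '$CLIENT_ID' (check aud/azp)" >&2; return 1; }
}

# Client credentials grant against Keycloak's token endpoint (needs network access).
get_token() {
  curl -sS -X POST "$ISSUER/protocol/openid-connect/token" \
    -d grant_type=client_credentials \
    -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Send the token to the proxied app and print only the HTTP status code:
# 200 means the proxy accepted the bearer token; 302 to the Keycloak login page is
# the symptom from the question (header ignored, browser flow started).
call_app() {
  curl -sS -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $1" "$APP_URL"
}

# Constructed, UNSIGNED sample token with the claim layout of a Keycloak
# client_credentials access token, for running the checks offline. Real tokens are
# RS256-signed and the proxy verifies that signature against the issuer's keys.
sample_token() {
  local iss="${1:-$ISSUER}" exp="${2:-4102444800}" azp="${3:-$CLIENT_ID}"
  printf '%s.%s.%s' \
    "$(printf '{"alg":"none","typ":"JWT"}' | b64url)" \
    "$(printf '{"iss":"%s","aud":["account"],"azp":"%s","typ":"Bearer","exp":%s}' "$iss" "$azp" "$exp" | b64url)" \
    "constructed-signature"
}

if [ "${1:-}" = "--live" ]; then
  tok=$(get_token)
  check_token "$tok"
  echo "status from proxy: $(call_app "$tok")"
else
  check_token "$(sample_token)" && echo "sample token passes the pre-flight checks"
fi
```

Run it without arguments to exercise the checks against the constructed token, or with --live (and the environment variables set) to fetch a real token from Keycloak and send it through the proxy. If the pre-flight checks pass but the proxy still answers 302, the bearer path is not enabled on the proxy side, which is exactly the case the answer's flag addresses.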