Tags: oauth-2.0, azure-active-directory, kubernetes-helm, openid-connect, oauth2-proxy

oauth2-proxy helm kubernetes: ERROR: Failed to initialise OAuth2 Proxy: invalid provider verifier options: missing required setting: issuer-url


I had oauth2-proxy running on my Kubernetes cluster which I deployed using Helm via ArtifactHUB > Helm > OAuth2 Proxy chart. I just upgraded oauth2-proxy from v7.1.3 to v7.4.0 with its chart from 4.2.2 to 6.16.1 and started seeing the following error:

[main.go:60] ERROR: Failed to initialise OAuth2 Proxy: error intiailising provider: could not create provider data: error building OIDC ProviderVerifier: invalid provider verifier options: missing required setting: issuer-url

What is the issue? How do I fix it?

This error occurs on oauth2-proxy v7.4.0 with the default values when configured with Azure AD. The desired behaviour is that it works without any errors.


Solution

  • I referred to OAuth2 Proxy > Docs > Azure Auth Provider in the documentation and made it work by adding azure_tenant and oidc_issuer_url under config in the default values file, as follows:

    Before:

    # Oauth client configuration specifics
    config:
      configFile: |-
        email_domains = [ "*" ]
        upstreams = [ "file:///dev/null" ]
        http_address = "0.0.0.0:4180"
        provider = "azure"
    

    After:

    # Oauth client configuration specifics
    config:
      configFile: |-
        email_domains = [ "*" ]
        upstreams = [ "file:///dev/null" ]
        http_address = "0.0.0.0:4180"
        provider = "azure"
        azure_tenant = "${azure_tenant_id}"
        oidc_issuer_url = "https://sts.windows.net/${azure_tenant_id}/"
    

    If it still fails after this change with the following error:

    Error redeeming code during OAuth2 callback: unable to get email and/or groups claims from token: unable to get claims from token: could not initialise claim extractor: failed to parse ID Token: oidc: malformed jwt, expected 3 parts got 1

    then set the oidc_issuer_url under config in the default values file to the V2 Azure Auth endpoint instead, as follows:

    oidc_issuer_url = "https://login.microsoftonline.com/${azure_tenant_id}/v2.0"
    

    NOTE: When using the Azure Auth provider with nginx and the cookie session store, you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the Redis session storage should resolve this.

    NOTE: ${azure_tenant_id} will be replaced with the actual Azure App Tenant ID which you can find here: Azure Active Directory (AD) > App registrations > All applications > [APP NAME] > Overview > Essentials > Directory (tenant) ID where [APP NAME] is the name of the registered app for oauth2-proxy.
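A pre-flight check for the configFile shown in this answer, written as an added example (it is not part of the answer above and not oauth2-proxy's own code). It parses the flat key = "value" lines of the configFile, reproduces the startup check behind "missing required setting: issuer-url", confirms that oidc_issuer_url is the V1 or V2 issuer for the configured azure_tenant, derives the OIDC discovery URL, and applies the two structural checks an OIDC verifier performs on an ID token before signature verification (three dot-separated parts, then iss equal to the configured issuer), which is where "expected 3 parts got 1" comes from. The tenant GUID, the sample discovery document and the unsigned sample token are constructed for the example; a live discovery lookup is included but only used when you call it yourself with network access.

```python
"""Pre-flight checks for an oauth2-proxy Azure configFile (added example, not oauth2-proxy code)."""
import base64
import json
import re
import urllib.request

# Issuer formats for the two Azure AD endpoint versions named in the answer.
V1_ISSUER = "https://sts.windows.net/{tenant}/"
V2_ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"
# Only flat key = "value" lines are parsed; that covers the configFile shown in the answer.
TOML_LINE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"\s*$')

# Constructed sample tenant and the "After" configFile with the placeholder filled in.
TENANT = "11111111-2222-3333-4444-555555555555"
CONFIG_AFTER = f'''
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
http_address = "0.0.0.0:4180"
provider = "azure"
azure_tenant = "{TENANT}"
oidc_issuer_url = "https://sts.windows.net/{TENANT}/"
'''


def parse_config(text):
    """Collect the string settings from the configFile; array values are skipped."""
    return {m.group(1): m.group(2) for m in map(TOML_LINE.match, text.splitlines()) if m}


def missing_settings(cfg):
    """Reproduce the startup check behind 'missing required setting: issuer-url':
    once provider = "azure" the OIDC provider verifier needs an issuer URL."""
    missing = []
    if cfg.get("provider") == "azure" and not cfg.get("oidc_issuer_url"):
        missing.append("issuer-url")
    return missing


def issuer_version(cfg):
    """Return "v1" or "v2" when oidc_issuer_url is the expected endpoint for azure_tenant, else None."""
    tenant = cfg.get("azure_tenant", "")
    url = cfg.get("oidc_issuer_url", "")
    if url == V1_ISSUER.format(tenant=tenant):
        return "v1"
    if url == V2_ISSUER.format(tenant=tenant):
        return "v2"
    return None


def discovery_url(issuer):
    """OIDC discovery endpoint derived from the issuer, the way an OIDC client does it."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer, doc):
    """An OIDC client rejects a discovery document whose 'issuer' differs from the
    configured one, which is why the trailing slash on the V1 URL matters."""
    return doc.get("issuer") == issuer


def fetch_discovery(issuer, timeout=5):
    """Live lookup; needs network access, so it is not exercised in the offline checks."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_unsigned_token(claims):
    """Constructed test token: real header/payload encoding, placeholder signature (never verifies)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), "sig"])


def inspect_id_token(token, expected_issuer):
    """The two structural checks that precede signature verification: three dot-separated
    parts, then the iss claim must equal the configured issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": f"malformed jwt, expected 3 parts got {len(parts)}"}
    claims = json.loads(_unb64url(parts[1]))
    if claims.get("iss") != expected_issuer:
        return {"ok": False, "reason": f"issuer mismatch: token {claims.get('iss')!r} vs config {expected_issuer!r}"}
    return {"ok": True, "tid": claims.get("tid"), "upn": claims.get("preferred_username")}


if __name__ == "__main__":
    cfg = parse_config(CONFIG_AFTER)
    print("missing:", missing_settings(cfg), "issuer version:", issuer_version(cfg))
    print("discovery:", discovery_url(cfg["oidc_issuer_url"]))
    token = build_unsigned_token({"iss": cfg["oidc_issuer_url"], "tid": TENANT, "preferred_username": "user@example.com"})
    print(inspect_id_token(token, cfg["oidc_issuer_url"]))
    print(inspect_id_token("opaque-token-value", cfg["oidc_issuer_url"]))
```

Run it as a script to see the checks against the constructed config; to test a real tenant, call fetch_discovery() on the issuer from your values file and pass the result to check_discovery() before deploying the chart.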