After upgrading the ingress-nginx controller from v1.8.0 to v1.12.1 to address CVE-2025-1974, I'm now getting a 401 Unauthorized response from the GitHub external OAuth provider.
Here are my k8s annotations:
ingress_annotations = {
"nginx.ingress.kubernetes.io/auth-url" : "https://${var.oauth_host}/oauth2/auth"
"nginx.ingress.kubernetes.io/auth-signin" : "https://${var.oauth_host}/oauth2/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
}
I collected some logs from the oauth k8s pod before and after the upgrade:
127.0.0.1:49656 - 484ae136891d5dd0b323e2522220dd42 - - [2025/03/21 18:15:04] <host_url> GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" 401 13 0.000
127.0.0.1:49664 - 57bc561ce348991c960620b600e0e544 - - [2025/03/21 18:15:04] <host_url> GET - "/oauth2/start?rd=https%3A%2F%2F.<host_url>%2Ffavicon.ico" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" 302 390 0.000
after the upgrade:
127.0.0.1:45056 - 737ce55fc513e6302d076cf324122acc - - [2025/03/27 11:25:32] <host_url> GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" 401 13 0.000
127.0.0.1:45062 - 179f78cda2a2ff0a703298993aa0affe - - [2025/03/27 11:25:32] <host_url> GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" 401 13 0.000
After the upgrade, it looks like the redirect to /oauth2/start isn’t happening anymore.
Do I need to provide something new on the oauth2-proxy side? I'm using oauth2-proxy version 6.18.0.
After multiple tries with different annotations, it worked simply by replacing
"nginx.ingress.kubernetes.io/auth-signin" : "https://${var.oauth_host}/oauth2/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
with this
"nginx.ingress.kubernetes.io/auth-signin" : "https://${var.oauth_host}/oauth2/start?rd=$escaped_request_uri"
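A complete Ingress manifest using the annotation form that worked above, as an added example (not from the original post or from the ingress-nginx project). The names app-ingress, app.example.com, auth.example.com (the oauth2-proxy host), the Service "app" on port 80, the "app-tls" secret and the "nginx" ingress class are assumptions; the previous annotation form is kept as a comment beside the working one.

```yaml
# Added example, not from the original post. Assumed names: app-ingress,
# app.example.com, auth.example.com (oauth2-proxy host), Service "app" on
# port 80, TLS secret "app-tls", ingress class "nginx".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    # ingress-nginx sends an auth subrequest here; a 401/403 answer
    # makes it redirect the browser to auth-signin.
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
    # Form that stopped working after the upgrade to v1.12.1 (see post above):
    # nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
    # Form that worked: pass only the escaped request URI as rd.
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$escaped_request_uri"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

After applying it with `kubectl apply -f`, an unauthenticated request to https://app.example.com/ should come back as a 302 whose Location header points at /oauth2/start on the oauth2-proxy host, which matches the pre-upgrade log lines above rather than the repeated 401s seen after the upgrade.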