oauth2-proxy returns a white webpage with "Found" link instead of the provider authentication page

I am using oauth2-proxy (v7.2.0) for authentication

NB: I use Traefik v2 to redirect the requests to oauth2-proxy, which is deployed via a Helm chart.

Below are the options used to configure my oauth2-proxy:

extraArgs:
  provider: "gitlab"
  redirect-url: "https://auth.mycompany.com/oauth2/callback"
  oidc-issuer-url: "https://gitlab.mycompany.com"
  provider-display-name: "MyCompany - GitLab"
  cookie-secure: "true"
  email-domain: "*"
  reverse-proxy: "true"
  standard-logging: "true"
  auth-logging: "true"
  request-logging: "true"
  cookie-domain: ".mycompany.com"
  pass-access-token: "true"
  pass-authorization-header: "true"
  whitelist-domain: ".mycompany.com"
  set-authorization-header: "true"
  set-xauthrequest: "true"
  skip-auth-preflight: "false"
  silence-ping-logging: "true"
  skip-provider-button: "true"

Traefik v2 middlewares/IngressRoutes:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-middleware
spec:
  forwardAuth:
    address: https://auth.mycompany.com/oauth2/auth
    trustForwardHeader: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers-middleware
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    sslHost: app.mycompany.com
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: errors-middleware
spec:
  errors:
    query: /oauth2/sign_in
    service:
      name: oauth2-proxy
      port: 80
    status:
    - 401-403
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingress
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.mycompany.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: app-service
          port: 80
      middlewares:
        - name: errors-middleware
        - name: auth-middleware

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-oauth-ingress
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.mycompany.com`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy
          port: 80
      middlewares:
        - name: auth-headers-middleware
  tls:
    secretName: <app-tls-cert>
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth-ingress
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.mycompany.com`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy
          port: 80
      middlewares:
        - name: auth-headers-middleware
  tls:
    secretName: <oauth2-proxy-tls-cert>

---> When the option "skip-provider-button" is set to "false", once I try to access my app using a browser (for example with the URL app.mycompany.com):

  1. oauth2-proxy shows a button to authenticate.
  2. Once I click on this button, I am redirected to my GitLab authentication page, I enter my creds, and I have access to my app. (This is the normal behavior.)

---> My problem now is when the same option "skip-provider-button" is set to "true": once I try to access my app using a browser, it shows a web page with the word "Found" instead of redirecting me directly to my GitLab authentication web page.

(The word "Found" is a hyperlink; it functions the same way as the button shown when the option skip-provider-button is set to false.)

This problem also prevents me from authenticating when I use the curl command (I think, I am not sure). Below is the command I use:

curl -L --cookie "<oauth2-proxy-name>=<cookie-secret>" -H "Authorization: Bearer <gitlab-account-token>" https://app.mycompany.com

# The command above returns:
<a href="https://gitlab.mycompany.com/oauth/authorize?approval_prompt=force&amp;client_id=<client_id>&amp;nonce=<some_id>&amp;redirect_uri=https%3A%2F%2Fauth.mycompany.com%2Foauth2%2Fcallback&amp;response_type=code&amp;scope=openid+email+profile&amp;state=<some_id>%3Ahttps%3A%2F%2Fapp.mycompany.com%2F">Found</a>.

And in the oauth2-proxy logs I see the following:

auth.mycompany.com GET - "/oauth2/auth" HTTP/1.1 "curl/7.58.0" 401 13 0.000
app.mycompany.com GET - "/oauth2/sign_in" HTTP/1.1 "curl/7.58.0" 302 476 0.000

Any help or ideas will be appreciated!



Solution 1:[1]

I got a similar problem and have been using two different workarounds. I am using quay.io/oauth2-proxy/oauth2-proxy:v7.2.1

  • Easy one: Use /oauth2/start?rd=<redirecturl> instead of /oauth2/sign_in when you want to directly start the OIDC flow. Leave skip-provider-button: "false". This solution works from a login button, for example, but not if you want any unauthorized endpoint to start the OIDC flow.
  • More work: You can use your own template for sign_in.html with JavaScript that directly sets window.location = /oauth2/start?rd=<redirecturl> by using custom-template-dir. You can then do whatever you like.

For the second case, you can copy

  • sign_in.html
  • error.html
  • robots.txt

from https://github.com/oauth2-proxy/oauth2-proxy/tree/master/pkg/app/pagewriter. (You need to provide all three for the templates to be used.)

sign_in.html is the file you want to edit, for example:

...
<script>
   window.location = "/oauth2/start?rd=<redirecturl>";
</script>
...
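Both workarounds above hand a return URL to /oauth2/start via rd. The following is an added example, not code from the answer or from the oauth2-proxy project, of how a custom sign_in.html can compute that rd from the current page while only emitting targets that the question's whitelist-domain (".mycompany.com") would accept; buildStartUrl and hostAllowed are names chosen here.

```javascript
// Added example (not from the question, the answer, or oauth2-proxy itself):
// build the "/oauth2/start?rd=..." URL that a custom sign_in.html can jump to,
// restricted to hosts that oauth2-proxy's whitelist-domain would accept.

// Mirrors the leading-dot convention of whitelist-domain: ".mycompany.com"
// matches the apex domain and every subdomain; a bare host matches exactly.
function hostAllowed(host, whitelist) {
  const h = host.toLowerCase();
  return whitelist.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) {
      return h === e.slice(1) || h.endsWith(e);
    }
    return h === e;
  });
}

// Returns the relative start URL for the given page URL. Falls back to a bare
// "/oauth2/start" (no rd) when the input is not a URL, is not https, or its
// host is outside the whitelist, so a crafted link cannot turn the template
// into an open redirect.
function buildStartUrl(pageUrl, whitelist) {
  let target;
  try {
    target = new URL(pageUrl);
  } catch (e) {
    return "/oauth2/start";
  }
  if (target.protocol !== "https:" || !hostAllowed(target.hostname, whitelist)) {
    return "/oauth2/start";
  }
  return "/oauth2/start?rd=" + encodeURIComponent(target.href);
}

// Inside the template the call would be:
//   window.location = buildStartUrl(window.location.href, [".mycompany.com"]);
// Constructed sample inputs so the function can be exercised stand-alone.
const WHITELIST = [".mycompany.com"];
console.log(buildStartUrl("https://app.mycompany.com/reports?id=7", WHITELIST));
console.log(buildStartUrl("https://notmycompany.com/", WHITELIST));
```

oauth2-proxy validates rd server-side against whitelist-domain as well; the client-side check only keeps the template from ever emitting a foreign rd in the first place.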

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jonas Andersson