I set up my Istio externalProvider with oauth2-proxy on the oauth2.example.com domain, and all apps on this domain are working, e.g. app1.example.com, app2.example.com, etc.

On the same cluster I have other environments which are using the same Istio extensionProvider and pointing to the same oauth2-proxy. The problem is that on the same cluster I have other environments on subdomains app1.subdomain.example.com, app1.subdomain2.example.com, etc. I configured my oauth2-proxy with these settings:
```yaml
configFile: |-
  provider = "oidc"
  user_id_claim = "sub" # uses the subject as ID instead of the email
  provider_display_name = "ZITADEL"
  code_challenge_method = "S256"
  redirect_url = "https://oauth2.example.com/oauth2/callback" # <-- I removed this, but still some issues with CSRF
  oidc_issuer_url = "https://zitadel.exampleother.com"
  whitelist_domains = [
    "*.example.com",
    "*.subdomain1.example.com",
    "*.subdomain2.example.com"
  ]
  upstreams = [
    "static://200"
  ]
  email_domains = [
    "*"
  ]
  pass_access_token = true
  # cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
  cookie_csrf_per_request = true
  cookie_samesite = "none"
  skip_provider_button = true
  cookie_secure = true # localdev only false
  cookie_domains = [
    "example.com",
    "subdomain1.example.com",
    "subdomain2.example.com"
  ]
```
And the problem is that when I'm trying to log in to e.g. app1.subdomain1.example.com, after successful authorization I'm getting "AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie". What am I missing in my oauth2-proxy configuration?
EDIT:
I removed redirect_url and it is better, but still not working fully. On each login/site open I'm getting:

Login Failed: Unable to find a valid CSRF token. Please try again.

But when I click "sign in" the site opens normally. What is strange is that in a private browser it's not happening.
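A way to check, for each host in the round trip, which configured cookie domain a login started there lands on and whether that cookie is then sent back to the callback host (an added example, not from the post or from oauth2-proxy's own code). It implements RFC 6265 domain matching; that the proxy picks the longest matching entry of cookie_domains is an assumption made here, and the hostnames are the ones from the post.

```python
import ipaddress
from typing import Iterable, Optional

# Cookie domains as configured in the post (constructed scenario, same values).
COOKIE_DOMAINS = ["example.com", "subdomain1.example.com", "subdomain2.example.com"]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: a browser sends a cookie
    carrying Domain=cookie_domain to request_host only if this is True."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never suffix-matches a cookie domain
    except ValueError:
        pass
    return host.endswith("." + domain)


def pick_cookie_domain(request_host: str, cookie_domains: Iterable[str]) -> Optional[str]:
    """Domain the proxy would put on cookies it sets while serving request_host.
    Assumption (not verified against oauth2-proxy): the longest match wins."""
    matching = [d for d in cookie_domains if domain_matches(request_host, d)]
    return max(matching, key=len) if matching else None


def csrf_cookie_reaches_callback(app_host: str, callback_host: str,
                                 cookie_domains: Iterable[str]) -> bool:
    """The CSRF cookie is set while the browser is on app_host (where the
    ext_authz check redirected it to the IdP) and must be presented again
    on callback_host when the IdP redirects back."""
    set_on = pick_cookie_domain(app_host, cookie_domains)
    return set_on is not None and domain_matches(callback_host, set_on)


if __name__ == "__main__":
    for app in ["app1.example.com", "app1.subdomain1.example.com"]:
        # fixed redirect_url host vs. callback on the app host itself
        for cb in ["oauth2.example.com", app]:
            ok = csrf_cookie_reaches_callback(app, cb, COOKIE_DOMAINS)
            print(f"login on {app:28} callback on {cb:28} CSRF cookie sent: {ok}")
```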