oauth2-proxy and subdomains - unable to obtain CSRF cookie


I set up my Istio extensionProvider with oauth2-proxy on the oauth2.example.com domain, and all apps on this domain are working, e.g. app1.example.com, app2.example.com etc.

On the same cluster I have other environments which use the same Istio extensionProvider and point to the same oauth2-proxy. The problem is that those environments live on subdomains, e.g. app1.subdomain1.example.com, app1.subdomain2.example.com etc. I configured my oauth2-proxy with these settings:

configFile: |-
      provider = "oidc"
      user_id_claim = "sub" # uses the subject as ID instead of the email
      provider_display_name = "ZITADEL"
      code_challenge_method = "S256"
      redirect_url = "https://oauth2.example.com/oauth2/callback" # this I later removed, but still some issues with CSRF
      oidc_issuer_url = "https://zitadel.exampleother.com"
      whitelist_domains = [
        "*.example.com",
        "*.subdomain1.example.com",
        "*.subdomain2.example.com"
      ]
      upstreams = [
        "static://200"
      ]
      email_domains = [
        "*"
      ]
      pass_access_token = true
      # cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
      cookie_csrf_per_request = true
      cookie_samesite = "none"
      skip_provider_button = true
      cookie_secure = true # localdev only: false
      cookie_domains = [
        "example.com",
        "subdomain1.example.com",
        "subdomain2.example.com"
      ]

And the problem is that when I try to log in to e.g. app1.subdomain1.example.com, after successful authorization I get "AuthFailure Invalid authentication via OAuth2: unable to obtain CSRF cookie". What am I missing in my oauth2-proxy configuration?

EDIT:

I removed redirect_url and it is better, but still not working fully. On each login/site open I'm getting:

Login Failed: Unable to find a valid CSRF token. Please try again.

But when I click "sign in" the site opens normally. What is strange is that in a private browser window it's not happening.

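The following is an added illustration, not part of the original question and not oauth2-proxy's own code. It simulates the cookie scoping that produces "unable to obtain CSRF cookie" with the posted `cookie_domains` list: oauth2-proxy's documented rule is to set its cookies on the longest configured domain that matches the request host, so a login started at app1.subdomain1.example.com sets the CSRF cookie with Domain=subdomain1.example.com, and the browser then does not send that cookie to the callback at oauth2.example.com (RFC 6265 domain matching). The host names, the two candidate configurations and the callback host are taken from the question; the selection rule and the browser rule are modelled here as assumptions stated in the code, not read from the project's source.

```python
"""Model why oauth2-proxy cannot find its CSRF cookie when cookie_domains
mixes a parent domain with its subdomains but the OAuth callback lives on
the parent domain only.

Assumptions (added here, not stated on the page):
  * oauth2-proxy picks the LONGEST entry of cookie_domains that is a suffix
    of the request host and sets its cookies with that Domain attribute.
  * The browser follows RFC 6265 section 5.1.3 domain matching: a cookie
    with Domain=D is sent to host H only if H == D or H ends with "." + D.
"""

# Values from the question (cookie_domains / redirect_url); the "fixed"
# list is the corrected setting this example argues for.
POSTED_COOKIE_DOMAINS = ["example.com", "subdomain1.example.com", "subdomain2.example.com"]
FIXED_COOKIE_DOMAINS = ["example.com"]
CALLBACK_HOST = "oauth2.example.com"          # from redirect_url in the question
APP_HOSTS = ["app1.example.com", "app1.subdomain1.example.com", "app1.subdomain2.example.com"]


def select_cookie_domain(host: str, cookie_domains: list[str]) -> str:
    """Longest configured domain that is a suffix of the request host.
    Returns "" when nothing matches (the cookie would then be host-only)."""
    matches = [d for d in cookie_domains if host.endswith(d)]
    return max(matches, key=len) if matches else ""


def browser_sends_cookie(cookie_domain: str, set_by_host: str, target_host: str) -> bool:
    """RFC 6265 domain matching for a cookie set by `set_by_host`
    with Domain=cookie_domain ("" means host-only)."""
    if cookie_domain == "":
        return target_host == set_by_host
    return target_host == cookie_domain or target_host.endswith("." + cookie_domain)


def csrf_cookie_reaches_callback(app_host: str, callback_host: str, cookie_domains: list[str]) -> bool:
    """Step 1: a request to app_host triggers the login; the CSRF cookie is
    set with the domain oauth2-proxy selects for app_host.
    Step 2: the IdP redirects the browser to callback_host; oauth2-proxy can
    only verify the state if the browser attached the CSRF cookie there."""
    csrf_domain = select_cookie_domain(app_host, cookie_domains)
    return browser_sends_cookie(csrf_domain, app_host, callback_host)


def report(cookie_domains: list[str], callback_host: str = CALLBACK_HOST) -> dict[str, bool]:
    """Map each app host to whether its login round-trip keeps the CSRF cookie."""
    return {h: csrf_cookie_reaches_callback(h, callback_host, cookie_domains) for h in APP_HOSTS}


if __name__ == "__main__":
    for label, domains in (("posted", POSTED_COOKIE_DOMAINS), ("fixed", FIXED_COOKIE_DOMAINS)):
        print(f"cookie_domains={domains} callback={CALLBACK_HOST}")
        for host, ok in report(domains).items():
            chosen = select_cookie_domain(host, domains)
            print(f"  {host:32} CSRF cookie Domain={chosen:24} reaches callback: {ok}")
```

With the posted list only app1.example.com succeeds; both subdomain hosts get a CSRF cookie scoped to their own subdomain, which never travels to oauth2.example.com. With `cookie_domains = ["example.com"]` every host shares one cookie scope that covers the callback, which is the simplest fix when a single oauth2-proxy and a single redirect_url are kept. The other consistent layout is one callback per subdomain (for example a redirect_url under oauth2.subdomain1.example.com, which then has to be registered at the IdP as well); the model above also shows that variant succeeding with the posted list. After changing the setting, clear any existing `_oauth2_proxy*` cookies in the browser: cookies left over from earlier attempts stay scoped to the old domains and are still sent, which is the kind of state that differs between a normal and a private window.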

There are 0 answers