OAuth2 Proxy not passing the X-Auth-Request-Groups header



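I am using Azure B2C to authenticate my users. For the authentication part, I am running oauth2-proxy in a Kubernetes cluster. oauth2-proxy runs behind ingress-nginx and passes most of the required headers, but I am not getting the X-Auth-Request-Groups header in the upstream service behind oauth2-proxy.

This is the token I get from B2C: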

{
"typ": "JWT",
"alg": "RS256",
"kid": "kid_value"
}.{
"exp": 1604420825,
"nbf": 1604417225,
"ver": "1.0",
"iss": "iss_value",
"sub": "sub_value",
"aud": "aud_value",
"acr": "acr_name",
"nonce": "defaultNonce",
"iat": 1604417225,
"auth_time": 1604417225,
"groups": [
"group1"
],
"identityProviders": [
"email.com"
],
"firstname": "First Name",
"surname": "Last Name",
"idp": "IDP_VALUE",
"email": "username@email.com",
"preferred_username": "User Name"
}.[Signature]

Here are the headers I get in the upstream service after successful authentication:

{
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
Accept-Encoding: "gzip, deflate, br",
Accept-Language: "en-US,en;q=0.9",
Content-Length: "0",
Cookie: "COOKIE",
Sec-Fetch-Dest: "document",
Sec-Fetch-Mode: "navigate",
Sec-Fetch-Site: "none",
Sec-Fetch-User: "?1",
Upgrade-Insecure-Requests: "1",
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
X-Auth-Request-Access-Token: "ACCESS_TOKEN",
X-Auth-Request-Email: "username@email.com",
X-Auth-Request-Preferred-Username: "User Name",
X-Auth-Request-User: "UserID",
X-B3-Parentspanid: "Parentspanid",
X-B3-Sampled: "0",
X-B3-Spanid: "Spanid",
X-B3-Traceid: "Traceid",
X-Envoy-Attempt-Count: "1",
X-Forwarded-Client-Cert: "CEERT",
X-Forwarded-For: "Forwarded-For",
X-Forwarded-Host: "Forwarded-Host",
X-Forwarded-Port: "443",
X-Forwarded-Proto: "https",
X-Real-Ip: "Real-Ip",
X-Request-Id: "Request-Id",
X-Scheme: "https"
}

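All the X-Auth-Request-* headers come through, but not the one with Groups. I am using the Docker image quay.io/oauth2-proxy/oauth2-proxy:v6.1.1, and I saw the option "--oidc-groups-claim" in the configuration docs at https://oauth2-proxy.github.io/oauth2-proxy/configuration, but when I try to use it the container does not start, because this option is not available in this version.

Do you know what I am missing?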

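The problem seems to be the image I was using, quay.io/oauth2-proxy/oauth2-proxy:v6.1.1. When I built my own image from the latest master (3 November 2020), everything seems to work fine and the X-Auth-Request-Groups header is passed to the upstream service.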
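A diagnostic for the situation discussed in this thread, as an added example that is not part of the original question or answer: it decodes an ID token's claims and reports which X-Auth-Request-* headers the upstream service should have received but did not. The claim-to-header mapping, the function names and the sample token and headers are assumptions constructed for illustration.

```python
import base64
import json

# Assumed mapping from ID-token claims to the headers oauth2-proxy sets.
# Header names are taken from the question; the mapping is an assumption.
CLAIM_TO_HEADER = {
    "email": "X-Auth-Request-Email",
    "preferred_username": "X-Auth-Request-Preferred-Username",
    "groups": "X-Auth-Request-Groups",
}

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Diagnostic use only; never base an authorization decision on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_headers(claims: dict, headers: dict) -> list:
    """Headers that a non-empty claim should have produced but that the
    upstream did not receive (header names compared case-insensitively)."""
    received = {name.lower() for name in headers}
    return [
        header
        for claim, header in CLAIM_TO_HEADER.items()
        if claims.get(claim) and header.lower() not in received
    ]

def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.signature"

# Constructed sample data mirroring the question's token and headers.
SAMPLE_JWT = make_sample_jwt({
    "groups": ["group1"],
    "email": "username@email.com",
    "preferred_username": "User Name",
})
SAMPLE_HEADERS = {
    "X-Auth-Request-Email": "username@email.com",
    "X-Auth-Request-Preferred-Username": "User Name",
    "X-Auth-Request-User": "UserID",
}

if __name__ == "__main__":
    print(missing_headers(decode_claims(SAMPLE_JWT), SAMPLE_HEADERS))
```

An empty result after changing the proxy image or configuration means every claim in the mapping reached the upstream as a header.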
