
oauth2_proxy for basic auth login


I'm trying to set up an OAuth2 authorization in front of my ELK installation. I'm using oauth2_proxy. The idea is to use Google as SSO, extract the username from the SSO challenge, set this username as basic auth (with a fixed password) to log into Kibana.

I'm having difficulties getting the username and setting it into the basic auth string. It seems that the variable $remote_user is not set. If I hardcode a valid username:password it logs me in.

This is my configuration so far:

  • oauth2_proxy running on port 4180
  • nginx listening on 80/443 with a proxy pass to localhost:4180 (oauth2_proxy)
  • oauth2_proxy that performs the SSO with localhost:8080 as upstream (nginx)
  • nginx listening on 8080 with a proxy pass to localhost:5601 (kibana)

Something like this:

[diagram of the request flow omitted]

Here are the conf files:

oauth2_proxy launch string

oauth2-proxy  
    --email-domain="example.com"  
    --upstream="http://127.0.0.1:8080/"  
    --approval-prompt="auto"  
    --redirect-url="https://example.com/oauth2/callback"  
    --cookie-secret=redacted
    --set-xauthrequest=true 
    --pass-user-headers=true 
    --pass-authorization-header=true

oauth2_proxy.conf

server {
    listen 443 ssl;
    server_name example.com;

    location / {
      proxy_pass http://127.0.0.1:4180;
    }

    [letsencrypt config omitted]
}

kibana.conf

server {
    listen 8080;

    location / {
      proxy_pass http://127.0.0.1:5601;

      set $auth_string  "${remote_user}:<my_strong-password>";
      set_encode_base64 $encoded_string $auth_string;

      proxy_set_header Authorization "Basic $encoded_string";

      #to manage logout redirect
      rewrite /login https://example.com/oauth2/sign_in redirect;
    }
}

My problem is that ${remote_user} is empty; how can I populate it? I've also tried with $upstream_http_x_auth_request_user and $upstream_http_x_auth_request_email with no luck.

Do you see any obvious errors?


Solution

  • I apologize for the extreme delay; it completely slipped my mind to share the solution.

    /etc/openresty/sites-available/oauth2_proxy.conf

    server {
        listen 443 ssl;
        server_name <my-elasticstack-url>;
    
        #kibana
        location / {
          proxy_pass http://127.0.0.1:4180;
        }
    
        [letsencrypt config omitted]
    }
    

    /etc/openresty/sites-available/kibana.conf

    server {
        listen 8080;
    
        location / {
          proxy_pass http://127.0.0.1:5601;
    
          # oauth2-proxy sets X-Forwarded-Email for the authenticated user
          set $email $http_x_forwarded_email;
          set $username '';
          set $password '<my_static_password>'; #same password for all users, configured in kibana
          set $auth_string '';
          set $encoded_string '';
          access_by_lua_block {
            -- the local part of the e-mail address becomes the Kibana user name
            ngx.var.username = ngx.var.email:match("[^@]+");
            ngx.var.auth_string = ngx.var.username .. ":" .. ngx.var.password;
    
            -- function to base64 encode the header (inside the Lua block comments
            -- use "--"; a leading "#" is a syntax error here). Declared local so it
            -- is not redefined as a global on every request.
            local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
            local function enc(data)
               return ((data:gsub('.', function(x)
                 local r,b='',x:byte()
                 for i=8,1,-1 do r=r..(b%2^i-b%2^(i-1)>0 and '1' or '0') end
                   return r;
                 end)..'0000'):gsub('%d%d%d?%d?%d?%d?', function(x)
                 if (#x < 6) then return '' end
                 local c=0
                 for i=1,6 do c=c+(x:sub(i,i)=='1' and 2^(6-i) or 0) end
                   return b:sub(c+1,c+1)
                 end)..({ '', '==', '=' })[#data%3+1])
            end
            ngx.var.encoded_string = enc(ngx.var.auth_string);
    
          }
    
          proxy_set_header Authorization "Basic $encoded_string";
    
          rewrite /login https://<my-elasticstack-url>/oauth2/sign_in redirect;
        }
    }
    

    oauth2_proxy launch string

    to be configured as a service

    oauth2-proxy  
      --email-domain="<my_email_domain>"  
      --upstream="http://127.0.0.1:8080/"  
      --approval-prompt="auto"  
      --redirect-url="https://<my-elasticstack-url>/oauth2/callback"  
      --cookie-secret=<my_cookie_secret>  
      --cookie-name="_oauth2_proxy"  
      --cookie-secure=false  
      --provider=google  
      --client-id="<my_client_id>"  
      --client-secret="<my_client_secret>"  
      --set-xauthrequest=true
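A hardened variant of the kibana.conf vhost, added here as an example and not taken from the answer above. The vhost on port 8080 trusts whatever X-Forwarded-Email it receives, so the example binds it to loopback (only oauth2-proxy on the same host can reach it), refuses requests that carry no forwarded e-mail or one outside the allowed domain, and uses OpenResty's built-in ngx.encode_base64 instead of a hand-written encoder. It assumes OpenResty (for access_by_lua_block and ngx.encode_base64), that oauth2-proxy forwards the user headers to its upstream (--pass-user-headers, as in the question's launch string), and that <allowed-domain>, <my_static_password> and <my-elasticstack-url> are placeholders to be filled in.

```nginx
# Added example, not the asker's configuration. Requires OpenResty.
# Placeholders: <allowed-domain>, <my_static_password>, <my-elasticstack-url>.
server {
    # Loopback only: everything below trusts X-Forwarded-Email, which is only
    # safe when the sole client of this vhost is oauth2-proxy on this host.
    listen 127.0.0.1:8080;

    location / {
        proxy_pass http://127.0.0.1:5601;

        # Declared here so the Lua block is allowed to assign it.
        set $encoded_string '';

        access_by_lua_block {
            local allowed_domain  = "<allowed-domain>"      -- same value as --email-domain
            local static_password = "<my_static_password>"  -- shared password configured in Kibana

            local email = ngx.var.http_x_forwarded_email
            if email == nil or email == "" then
                -- No identity from oauth2-proxy: refuse instead of forwarding ":password"
                ngx.log(ngx.WARN, "missing X-Forwarded-Email, refusing request")
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end

            -- Accept only <local-part>@<allowed-domain>; the local part is limited
            -- to a conservative character set so it maps cleanly to a Kibana user.
            local escaped_domain = (allowed_domain:gsub("%.", "%%."))
            local user = email:match("^([%w%.%-_]+)@" .. escaped_domain .. "$")
            if user == nil then
                ngx.log(ngx.WARN, "X-Forwarded-Email outside allowed domain: ", email)
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            -- OpenResty ships a base64 encoder; no hand-rolled one is needed.
            ngx.var.encoded_string = ngx.encode_base64(user .. ":" .. static_password)
        }

        # Replaces any Authorization header the client sent, so only the
        # identity derived above reaches Kibana.
        proxy_set_header Authorization "Basic $encoded_string";

        # Send Kibana's logout page back through oauth2-proxy's sign-in flow.
        rewrite /login https://<my-elasticstack-url>/oauth2/sign_in redirect;
    }
}
```

Two points worth checking on the rest of the setup: with TLS terminated on port 443, `--cookie-secure=false` in the launch string above is not needed and lets the session cookie travel over plain HTTP, so the default of true is the safer choice; and because every Kibana user shares one static password, the only things standing between a network client and Kibana are the reachability of port 8080 and the file permissions on the config that holds that password.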