Hi, I have a problem with the userinfo endpoint. Authentication works correctly, but I see a problem in the log.
In the oauth2-proxy log I see:
2021-05-27T12:43:21.370402108Z [2021/05/27 12:43:21] [internal_util.go:69] 400 GET https://keycloak.example.com/auth/realms/local/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxRXQ4bWZPVVRLVG14YkdmNUp2bVNDY1BOUU81dDBPMkJiekp0a2NjNzdjIn0.... {"error":"invalid_request","error_description":"Token not provided"}
but login works fine.
Keycloak log:
12:27:29,404 WARN [org.keycloak.events] (default task-134) type=USER_INFO_REQUEST_ERROR, realmId=local, clientId=null, userId=null, ipAddress=XXX, error=invalid_token, auth_method=validate_access_token
oauth2-proxy config:
args:
- --provider=keycloak
- --upstream=file:///dev/null
- --client-id=oauth2-keycloak
- --client-secret=XXX
- --cookie-secret=XXXX
- --login-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/auth
- --redeem-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/token
- --profile-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/userinfo
- --validate-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/userinfo
- --email-domain=*
- --http-address=0.0.0.0:8091
- --whitelist-domain=.domain.com
- --cookie-domain=…domain.com
- --scope=openid profile email users
- --redirect-url=https://oauth2-proxy.domain.com/oauth2/callback
- --cookie-refresh=0
- --cookie-expire=168h
Ingress setting
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.domain.com/oauth2/auth?allowed_groups=security"
nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.domain.com/oauth2/start?rd=https://$host$request_uri"
nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
oauth2-proxy in kubernetes
image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
Keycloak 13.0.1 latest image in Kubernetes
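
The oauth2-proxy log line in the post records a bearer token inside the request URL. As an added example (not part of the original post and not oauth2-proxy code), this Python redacts token query parameters from such log lines before they are stored or shared, keeping only the JWT header's `alg` and `kid` for correlation. The sample lines, `DEMO_TOKEN` and all function names are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"access_token", "id_token", "refresh_token"}
URL_RE = re.compile(r"https?://\S+")

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned demo token; not a real credential.
DEMO_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "demo-key"}), _b64url({"sub": "demo"}), "c2ln"])

# Constructed lines modelled on the log format shown in the post (token truncated with "...").
SAMPLE_LOG = [
    "[2021/05/27 12:43:21] [internal_util.go:69] 400 GET https://keycloak.example.com/auth/realms/local"
    "/protocol/openid-connect/userinfo?access_token=" + DEMO_TOKEN + '... {"error":"invalid_request"}',
    "[2021/05/27 12:43:22] [example.go:1] 202 GET https://oauth2-proxy.domain.com/oauth2/auth?allowed_groups=security",
]

def jwt_header(token):
    """Decode only the JWT header segment; return None if the value is not JWT-shaped."""
    seg = token.split(".", 1)[0]
    try:
        hdr = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return hdr if isinstance(hdr, dict) else None

def scan_line(line):
    """Return (redacted_line, findings) for one log line."""
    findings = []
    def redact(match):
        parts = urlsplit(match.group(0))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if not any(key in SENSITIVE for key, _ in pairs):
            return match.group(0)  # leave URLs without tokens byte-for-byte unchanged
        clean = []
        for key, value in pairs:
            if key in SENSITIVE:
                hdr = jwt_header(value) or {}
                findings.append({"param": key, "endpoint": parts.path,
                                 "alg": hdr.get("alg"), "kid": hdr.get("kid")})
                value = "REDACTED"
            clean.append((key, value))
        return urlunsplit(parts._replace(query=urlencode(clean)))
    return URL_RE.sub(redact, line), findings
```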