I have deployed Keycloak and oauth2-proxy in my Kubernetes cluster. I also want to protect my 2 web applications with Keycloak, so I have installed 2 applications, and an nginx ingress is used to redirect the request to the Keycloak login page. I want to restrict which applications my users can access. For example, user1 can access the application app1 but not app2, user2 can access both applications, and user3 can access app2 but not app1. I have created 3 separate groups and added the users to them. But none of the users are able to log in to the application if I don't add an email address to their profile. But if I add an email address, all users can log in to all applications. Can somebody help me find what wrong configuration I did?
Adding my oauth2-proxy env variables:

```yaml
- args:
  - --provider=oidc
  - --email-domain=*
  - --upstream=file:///dev/null
  - --http-address=0.0.0.0:4180
  # Register a new application
  env:
  - name: OAUTH2_PROXY_OIDC_ISSUER_URL
    value: http://18.104.22.168:8080/realms/local
  - name: OAUTH2_PROXY_REDIRECT_URL
    value: https://domain-test.com/oauth2/callback
  - name: OAUTH2_PROXY_CLIENT_ID
    value: gatekeeper
  - name: OAUTH2_PROXY_CLIENT_SECRET
    value: RjU60ILJdvcX7Lj1Nwb
  - name: OAUTH2_PROXY_COOKIE_SECRET
    value: GKNuz-mmMK4PONLK7wJ
  - name: OAUTH2_PROXY_UPSTREAM
    value: https://domain-test.com
    value: https://anotherdomain-test.com
  - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
    value: "true"
  - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
    value: "true"
  - name: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER
    value: "true"
  - name: OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY
    value: "true"
  - name: OAUTH2_PROXY_GROUPS_CLAIM
    value: groups
  - name: OAUTH2_PROXY_ALLOWED_GROUPS
    value: my-app
  - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
    value: "true"
  - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
    value: "true"
```
I have tried the steps mentioned in the Stack Overflow page below, but it didn't help.
I have been trying to fix this for a long time, so can somebody help me here?
Thanks in advance.
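As an added illustration (not code from the question above and not oauth2-proxy's own source), the following Python model mimics the two checks oauth2-proxy applies to a decoded OIDC ID token before it grants a session: the identity must carry an email claim, and when allowed groups are configured the token's groups claim must intersect them. It assumes hypothetical group names (app1-users, app2-users) and one proxy instance per application, since a single instance with ALLOWED_GROUPS=my-app cannot tell app1 from app2.

```python
# Added example modelling oauth2-proxy's email and allowed-groups checks.
# Group names, e-mail addresses and the per-app split are constructed
# assumptions for illustration, not values from the question.

from dataclasses import dataclass, field

@dataclass
class ProxyConfig:
    """Subset of oauth2-proxy settings relevant to the question."""
    allowed_groups: set = field(default_factory=set)  # OAUTH2_PROXY_ALLOWED_GROUPS
    groups_claim: str = "groups"                       # OAUTH2_PROXY_GROUPS_CLAIM

def authorize(claims: dict, cfg: ProxyConfig) -> tuple:
    """Return (allowed, reason) for a dict of decoded ID-token claims."""
    # 1. A session needs an email; INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL only
    #    relaxes the email_verified flag, it does not remove this requirement.
    if not claims.get("email"):
        return False, "no email claim in ID token"
    # 2. With no allowed groups configured, any authenticated user passes.
    if not cfg.allowed_groups:
        return True, "no group restriction configured"
    # 3. Otherwise the groups claim must intersect the allowed set.
    user_groups = set(claims.get(cfg.groups_claim, []))
    matched = user_groups & cfg.allowed_groups
    if matched:
        return True, f"member of {sorted(matched)}"
    return False, "not in any allowed group"

# Constructed sample identities (hypothetical group names).
USERS = {
    "user1": {"email": "user1@example.test", "groups": ["app1-users"]},
    "user2": {"email": "user2@example.test", "groups": ["app1-users", "app2-users"]},
    "user3": {"email": "user3@example.test", "groups": ["app2-users"]},
    "no-mail": {"groups": ["app1-users"]},  # Keycloak profile without an email
}

# One proxy instance per application, each with its own allowed group.
PER_APP = {
    "app1": ProxyConfig(allowed_groups={"app1-users"}),
    "app2": ProxyConfig(allowed_groups={"app2-users"}),
}

def access_matrix(users=USERS, apps=PER_APP) -> dict:
    """Map (user, app) -> allowed, for the per-app configuration."""
    return {(u, a): authorize(c, cfg)[0]
            for u, c in users.items() for a, cfg in apps.items()}

if __name__ == "__main__":
    for (u, a), ok in sorted(access_matrix().items()):
        print(f"{u:8} -> {a}: {'allow' if ok else 'deny'}")
```

For Keycloak to populate the groups claim at all, the client needs a Group Membership mapper that adds it to the ID token; without it the claim is absent and every group check fails.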