Currently I am trying to configure OAuth with Graylog 4.1.0 by using oauth2-proxy (GitHub - oauth2-proxy/oauth2-proxy: A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.); the identity provider used here is Azure.
So far so good: oauth2-proxy works as expected, and after authenticating with Azure it sends the following headers to its upstream (Graylog):
GET / HTTP/1.1
Host: logging.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: de,en-US;q=0.7,en;q=0.3
Cookie: _oauth2_proxy=cjsnchbcn2134vvadvdrgn83gn|123456|somebase64
Referer: https://logging.example.com/
Upgrade-Insecure-Requests: 1
X-Forwarded-Email: firstname.lastname@example.org
X-Forwarded-For: 184.108.40.206, 220.127.116.11
X-Forwarded-Proto: https
X-Forwarded-Ssl: on
X-Original-Uri: /
X-Real-Ip: 18.104.22.168
In Graylog I disabled the previously used LDAP auth and enabled the header-based authentication. The header to be used is “X-Forwarded-Email”. Additionally I configured the “trusted_proxies”:
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 10.111.0.0/16, 10.222.0.0/16, 172.16.0.0/16
Briefly, the setup:
Graylog is running in K8S using the Kongz Helm chart. oauth2-proxy is also deployed in K8S using the Helm chart; for oauth2-proxy the session store is Redis, since otherwise the cookies are too big.
In front of all that we have an nginx proxy (outside of K8S). The path the packets take is the following:
Browser → Nginx → oauth-proxy (Nodeport) → Graylog (K8S service)
I hope someone can help with that. Currently the OAuth flow works as expected and I get the Graylog page; however, here I only see the normal Graylog login page, where I still have to enter username and password.
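Added example, not code from the post or from Graylog: a minimal model of the trusted-proxy check that header-based authentication depends on, run over the headers shown above and the trusted_proxies line from the post. It assumes the address compared against trusted_proxies is the TCP peer Graylog sees (the oauth2-proxy pod), not any X-Forwarded-For or X-Real-Ip value, and the peer addresses used below are constructed.

```python
import ipaddress

# Constructed sample: a subset of the header block the post shows arriving at
# Graylog, one "Name: value" pair per line (cookie value is the post's placeholder).
RAW_HEADERS = """\
Host: logging.example.com
Cookie: _oauth2_proxy=cjsnchbcn2134vvadvdrgn83gn|123456|somebase64
X-Forwarded-Email: firstname.lastname@example.org
X-Forwarded-For: 184.108.40.206, 220.127.116.11
X-Forwarded-Proto: https
X-Real-Ip: 18.104.22.168
"""

# The trusted_proxies value from the post, verbatim.
TRUSTED_PROXIES = "127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 10.111.0.0/16, 10.222.0.0/16, 172.16.0.0/16"


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_trusted(value: str) -> list:
    """Accept a comma-separated mix of hosts and subnets; bare hosts become /32 or /128."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def header_auth_decision(peer_ip: str, headers: dict, trusted: list,
                         header_name: str = "x-forwarded-email"):
    """Model (assumption, not Graylog's code) of the trusted-header rule: the identity
    header is honoured only when the connecting peer is inside trusted_proxies.
    Returns (user_or_None, reason)."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in trusted):
        return None, f"peer {peer_ip} not in trusted_proxies; header ignored"
    user = headers.get(header_name)
    if not user:
        return None, f"peer {peer_ip} trusted but header {header_name} is missing"
    return user, "accepted"
```

In this model a peer outside the listed subnets makes the header be ignored regardless of its value, so the pod network CIDR that oauth2-proxy connects from is one thing worth comparing against the trusted_proxies list.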