我正在运行Kubernetes集群(AKS),并且Nginx入口位于前面。对于授权,我使用Azure Active Directory和pusher / oauth2_proxy,如Nginx-ingress文档中建议的那样:
https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/
实际上,一切正常,除了我没有在标题中收到用户和电子邮件。在oauth2_proxy的文档中,提到我需要将-set-xauthrequest设置为true,(https://pusher.github.io/oauth2_proxy/configuration):
Option Type Description Default
-set-auth request bool set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode) false
在后端,我运行了一个简单的Node.js Express应用程序,该应用程序应记录请求标头:
router.get('/', function (req, res) {
console.log(req.headers);
res.send('test');
});
oauth-deployment.yaml:
...
- args:
- --provider=azure
- --email-domain=*
- --set-xauthrequest=true
- --http-address=0.0.0.0:4180
- --azure-tenant=mytenantid
- --scope=openid
- --pass-access-token=true
- --set-xauthrequest=true
...
ingress.yaml(我将htttps替换为https):
...
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
nginx.ingress.kubernetes.io/auth-url: "htttps://mydomain.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "htttps://mydomain.com/oauth2/start?rd=$escaped_request_uri"
...
至少是我的标题:
{
"host":"mydomain.com",
"x-request-id":"12345abcde456",
"x-real-ip":"165.xxx.xx.xx9",
"x-forwarded-for":"165.xxx.xx.xx9",
"x-forwarded-host":"mydomain.com",
"x-forwarded-port":"443",
"x-forwarded-proto":"https",
"x-scheme":"https",
...
"cookie":"_oauth2_proxy_0=UVWXY; _oauth2_proxy_1=ABCDEF|1582053159|FQAOD;
}
为什么我的标题中没有用户和电子邮件?
在oauth2_proxy.cfg文件标志pass_user_headers = true
中设置。然后,您将可以看到用户并通过电子邮件发送标头。
nginx官方文档,nginx-ingress。
Oauth2代理官方文档:oauth2。