Can I get rid of oauth2-proxy? External oauth with ingress-nginx

[jkroepke]

Hi,

I would like to integrate https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/ on my platform. The example shows me how to integrate oauth2-proxy here. Then oauth2-proxy whould redirect the traffic the dex and back again.

I may ask, if its possible to get rid of the oauth2-proxy and start the oauth2 auth flow with dex itself? this would minimize the numbers of exposing applications on my setup.

Before answer, please check that you are aware of the setup with the nginx-ingress controller where once authenticated, the application traffic never passed to oauth2-proxy.

[nabokihms]

Hello, @jkroepke. Unfortunately, but no. It is not possible to just remove oauth2-proxy. It does two important things.

1. Stores tokens in cookies.
2. Uses cookies to authenticate you internally. If you have a cookie with a valid token, the proxy will respond with a 200 code, and if not, you will receive 401.

Because of this behavior, the oauth2 proxy can be combined with the nginx auth module. Dex is not capable of both of these things because it is out of the scope of an OIDC provider. Oauth2 proxy is a helper for those relying parties, who cannot work with the oauth2 flow on their own.

[nabokihms]

BTW, there is a thing I'd like to share. I'm involved in the development of the Kubernetes Platform called Deckhouse. In Deckhouse, we have the DexAuthenticator custom resource, observed by an operator that deploys oauth2 proxy instances and automatically connects them to Dex (schema of the traffic flow is included). The only thing you need is to deploy a single custom resource and add annotations.

[jkroepke]

https://github.com/deckhouse/deckhouse ? Cool! I leave a star on it. I learned something new.