I'm trying to set up OAuth2 authorization in front of my ELK installation. I'm using oauth2_proxy. The idea is to use Google as SSO, extract the username from the SSO challenge, and set this username as basic auth (with a fixed password) to log into Kibana.
I'm having difficulty getting the username and setting it in the basic auth string. It seems that the variable $remote_user is not populated. If I hardcode a valid username:password it logs me in.
This is my configuration so far:
- oauth2_proxy running on port 4180
- nginx listening on 80/443 with a proxy pass to localhost:4180 (oauth2_proxy)
- oauth2_proxy that performs the SSO with localhost:8080 as upstream (nginx)
- nginx listening on 8080 with a proxy pass to localhost:5601 (kibana)
Something like this:
Here are the conf files:

oauth2_proxy launch string

    oauth2-proxy \
      --email-domain="example.com" \
      --upstream="http://127.0.0.1:8080/" \
      --approval-prompt="auto" \
      --redirect-url="https://example.com/oauth2/callback" \
      --cookie-secret=redacted \
      --set-xauthrequest=true \
      --pass-user-headers=true \
      --pass-authorization-header=true

oauth2_proxy.conf

    server {
        listen 443 ssl;
        server_name example.com;
        location / {
            proxy_pass http://127.0.0.1:4180;
        }
        # [letsencrypt config omitted]
    }

kibana.conf

    server {
        listen 8080;
        location / {
            proxy_pass http://127.0.0.1:5601;
            set $auth_string "${remote_user}:<my_strong-password>";
            set_encode_base64 $encoded_string $auth_string;
            proxy_set_header Authorization "Basic $encoded_string";
            # to manage logout redirect
            rewrite /login https://example.com/oauth2/sign_in redirect;
        }
    }

My problem is that ${remote_user} is empty; how can I populate it? I've also tried $upstream_http_x_auth_request_user and $upstream_http_x_auth_request_email with no luck.
Do you see any obvious errors?
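
An added example, not part of the original post: one way the port-8080 server block could read the username, given that oauth2-proxy's --pass-user-headers sends X-Forwarded-User and X-Forwarded-Email as request headers. nginx exposes request headers as $http_*, while $upstream_http_* holds response headers from the proxied server (Kibana here) and $remote_user is only filled from a Basic Authorization request header. Assumptions: the loopback bind, the empty-header check, and that X-Forwarded-User carries the name Kibana expects.

```nginx
server {
    # Assumption: bind to loopback only. Anyone who can reach this listener
    # directly can send their own X-Forwarded-User and be logged in with the
    # fixed password, so it must be reachable by oauth2-proxy alone.
    listen 127.0.0.1:8080;

    location / {
        # Assumption: refuse requests that did not come through oauth2-proxy
        # (no identity header), instead of sending ":<password>" to Kibana.
        if ($http_x_forwarded_user = "") {
            return 401;
        }

        # X-Forwarded-User is a request header set by oauth2-proxy, hence
        # $http_x_forwarded_user. If the Kibana account is keyed on the e-mail
        # address, use $http_x_forwarded_email instead (depends on the
        # provider and oauth2-proxy version).
        set $auth_string "${http_x_forwarded_user}:<my_strong-password>";
        set_encode_base64 $encoded_string $auth_string;

        # Replaces whatever Authorization header oauth2-proxy forwarded
        # (with --pass-authorization-header=true that is a Bearer token).
        proxy_set_header Authorization "Basic $encoded_string";

        proxy_pass http://127.0.0.1:5601;
    }
}
```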
