I'm trying to set up Google authentication for my MLflow application using nginx, oauth2-proxy and Docker. When I log in through a web browser everything works fine, but I need to access MLflow from Python and make requests to the MLflow API.
I'm trying to request the API as follows:
curl -X GET http://localhost/api/2.0/mlflow/experiments/list -H "Authorization: Bearer $(gcloud auth print-identity-token)"
where $(gcloud auth print-identity-token) expands to my GCP access token (I'm using Google as the provider on OAuth2-Proxy). I'm logged in to the gcloud CLI with a valid account that has the correct access/privileges on all projects (i.e. it's not a GCP authentication problem).
The OAuth2-Proxy log returns the following message:
oauth2_proxy | [2022/06/22 19:19:06] [jwt_session.go:51] Error retrieving session from token in Authorization header: [unable to verify bearer token, not implemented]
This leads me to believe it's a misconfiguration somewhere in my nginx config file or in the env I pass to oauth2-proxy.
Nginx default.conf:
server {
    listen 80;
    server_name localhost;

    location / {
        proxy_pass http://web:5000;
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        # error_page 404 = /404.html;
        # error_page 500 502 503 504 = /50x.html;
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        auth_request_set $token $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }
    }

    location /oauth2 {
        proxy_pass http://oauth2_proxy:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://oauth2_proxy:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
}
My docker-compose.yaml file:
version: '3'
services:
  db:
    restart: always
    image: mysql/mysql-server:5.7.28
    container_name: mlflow_db
    expose:
      - "3306"
    networks:
      - backend
    environment:
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
    volumes:
      - dbdata:/var/lib/mysql
  web:
    restart: always
    build: ./mlflow
    image: mlflow_server
    container_name: mlflow_server
    expose:
      - "5000"
    networks:
      - frontend
      - backend
    environment:
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
      - AWS_BUCKET_NAME=${AWS_BUCKET_NAME}
    command: mlflow server --backend-store-uri mysql+pymysql://${MYSQL_USER}:${MYSQL_PASSWORD}@db:3306/${MYSQL_DATABASE} --default-artifact-root s3://redacted/mlflow/ --host 0.0.0.0
  oauth2_proxy:
    build: ./oauth2_proxy
    container_name: oauth2_proxy
    environment:
      - OAUTH2_PROXY_HTTP_ADDRESS=http://0.0.0.0:4180
      - OAUTH2_PROXY_UPSTREAM=http://localhost
      # Restrictions (do not use both at the same time)
      - OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE=/home/emails.txt
      # - OAUTH2_PROXY_EMAIL_DOMAINS=*
      # Same URL as in the Github callback URL
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost/oauth2/callback
      # Generate secret -> python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)))'
      - OAUTH2_PROXY_COOKIE_SECRET=redacted
      - OAUTH2_PROXY_COOKIE_SECURE=false
      - OAUTH2_PROXY_COOKIE_REFRESH=2h
      - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
      #- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      #- OAUTH2_PROXY_SET_XAUTHREQUEST=true
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
      - OAUTH2_EXTRA_JWT_ISSUERS=redacted
      # Github CLIENT_ID and CLIENT_SECRET
      - OAUTH2_PROXY_CLIENT_ID=redacted
      - OAUTH2_PROXY_CLIENT_SECRET=redacted
    networks:
      - frontend
  nginx:
    build: ./nginx
    container_name: nginx
    ports:
      - 80:80
    depends_on:
      - oauth2_proxy
    networks:
      - frontend
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
volumes:
  dbdata:
Any ideas?
Posted on 2022-06-22 20:40:47
The problem was in docker-compose.yaml, in the environment section of the oauth2_proxy service.
I was passing OAUTH2_EXTRA_JWT_ISSUERS, but the correct variable name is OAUTH2_PROXY_EXTRA_JWT_ISSUERS. After fixing it, everything works perfectly.
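A small pre-deployment check for the misconfiguration found in this thread, added here as an example and not part of the question or answer: it scans an oauth2_proxy environment block for variables that look like oauth2-proxy settings but lack the OAUTH2_PROXY_ prefix (which oauth2-proxy silently ignores), and, following this thread's outcome, warns when SKIP_JWT_BEARER_TOKENS is enabled without EXTRA_JWT_ISSUERS. The SAMPLE_ENV list is a constructed excerpt of the compose file above with the original typo.

```python
# Constructed sample of the oauth2_proxy `environment:` list from the thread,
# including the misnamed variable that caused "unable to verify bearer token".
SAMPLE_ENV = [
    "OAUTH2_PROXY_HTTP_ADDRESS=http://0.0.0.0:4180",
    "OAUTH2_PROXY_PROVIDER=google",
    "OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true",
    "OAUTH2_EXTRA_JWT_ISSUERS=redacted",   # wrong prefix: never read by oauth2-proxy
    "# - OAUTH2_PROXY_EMAIL_DOMAINS=*",    # commented-out entries are skipped
    "OAUTH2_PROXY_CLIENT_ID=redacted",
]

REQUIRED_PREFIX = "OAUTH2_PROXY_"


def parse_env(entries):
    """Turn docker-compose list-style KEY=VALUE entries into a dict, skipping comments."""
    env = {}
    for raw in entries:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def lint_oauth2_proxy_env(entries):
    """Return human-readable findings for an oauth2_proxy environment block."""
    env = parse_env(entries)
    findings = []
    for key in env:
        # oauth2-proxy maps flags to env vars as OAUTH2_PROXY_<FLAG>; a key that
        # mentions OAUTH2 but lacks the prefix is almost certainly a typo.
        if "OAUTH2" in key and not key.startswith(REQUIRED_PREFIX):
            stem = key[len("OAUTH2_"):] if key.startswith("OAUTH2_") else key
            findings.append(f"{key}: not read by oauth2-proxy, did you mean {REQUIRED_PREFIX}{stem}?")
    # Bearer-token verification needs a configured issuer/audience; in this thread
    # the missing EXTRA_JWT_ISSUERS produced "unable to verify bearer token".
    skip_bearer = env.get("OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS", "").lower() == "true"
    if skip_bearer and "OAUTH2_PROXY_EXTRA_JWT_ISSUERS" not in env:
        findings.append("OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true but OAUTH2_PROXY_EXTRA_JWT_ISSUERS "
                        "is unset: tokens in the Authorization header cannot be verified")
    return findings


if __name__ == "__main__":
    for finding in lint_oauth2_proxy_env(SAMPLE_ENV):
        print("WARN:", finding)
```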
https://stackoverflow.com/questions/72721109