OAuth Proxy + Entra ID

I recently updated the k8s-ingress-auth repository, where I prepared code to deploy an additional component OAuth2 proxy for user authentication and authorization. The main changes focus on integration with Microsoft Entra ID (formerly Azure Active Directory):

1. Added support for Microsoft Entra ID authentication
2. Updated OAuth proxy configuration to the latest version
3. Added Entra ID group support

OAuth Proxy Configuration

Here are the essential configuration elements for OAuth proxy with Entra ID:

args:
  - --provider=oidc
  - --scope=openid
  - --email-domain=*
  - --oidc-issuer-url=https://login.microsoftonline.com/<tenant-id>/v2.0

The remaining settings are similar (or identical) to those I previously prepared for GitHub.

Kubernetes Integration

To secure an application in Kubernetes, add these annotations to your Ingress:

annotations:
  nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"

Issues and Solutions

During implementation, I encountered several issues for which I found solutions listed below:

Ingress controller buffer size issue

upstream sent too big header while reading response header from upstream

resolved by adding appropriate annotations:

kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "512k"

Token generated for a different provider version

solution for problem: Error retrieving session from token in Authorization header: [unable to verify bearer token, failed to verify token: oidc: id token issued by a different provider, expected "https://login.microsoftonline.com/dca11c8d-6718-4495-b1a7-46217af67c69/v2.0" got "https://sts.windows.net/dca11c8d-6718-4495-b1a7-46217af67c69/"]

resolved by adding additional configuration for the application registered in Azure:

api {
  requested_access_token_version = 2
}

Group permissions issue

resolved by adding configuration in the Azure application:

group_membership_claims = [
  "SecurityGroup"
]

and creating dedicated groups in Entra ID:

resource "azuread_group" "oauth2_proxy_users" {
  display_name     = var.oauth2_proxy_group_name
  security_enabled = true
}

data "azuread_user" "my_account" {
  user_principal_name = var.user_principal_name
}

resource "azuread_group_member" "my_account" {
  group_object_id  = azuread_group.oauth2_proxy_users.object_id
  member_object_id = data.azuread_user.my_account.object_id
}

resource "azuread_group_member" "sp" {
  group_object_id  = azuread_group.oauth2_proxy_users.object_id
  member_object_id = azuread_service_principal.sp.object_id
}

and using them in the OAuth2 proxy configuration:

        - name: OAUTH2_PROXY_ALLOWED_GROUPS
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-allowed-groups
              key: OAUTH2_PROXY_ALLOWED_GROUPS

Summary

The implemented changes demonstrate that it’s relatively straightforward to secure Kubernetes applications using OAuth proxy and Microsoft Entra ID. All configuration is available in the GitHub repository, along with examples and documentation.

Useful Links

• OAuth2 Proxy Documentation
• Microsoft Entra ID Documentation
• Kubernetes Ingress NGINX Documentation