Could someone help to configure Oauth2-proxy with Zitadel? Error "Unauthorized"
Trying to make Oauth2-proxy to work with Zitadel, can't find the right settings.
Expected Behavior
Hi,
I am looking to get Oauth2-proxy to work with Zitadel, while trying to keep the configuration as simple as possible. I am using Caddy as my reverse proxy and I would like to use forward_auth from Caddy to delegate the auth to oauth2-proxy and zitadel, instead of proxying the whole traffic. I'm trying to secure Radarr under it, to begin with.
In Zitadel, I've created an app for Radarr, setting PKCE code challenge as Oauth2-proxy should support it.
My Caddyfile is the following:

```
radarr.example.com {
	@except not path /api*
	reverse_proxy radarr:7878
	reverse_proxy /oauth2/* oauth2-radarr:4180
	forward_auth @except oauth2-radarr:4180 {
		copy_headers Authorization
		uri /oauth2/auth
	}
}
```
My Oauth2-proxy config is the following (I am using env variables):

```yaml
- OAUTH2_PROXY_EMAIL_DOMAINS=*
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_REDIRECT_URL=https://radarr.${DOMAIN}/oauth2/callback
- OAUTH2_PROXY_OIDC_ISSUER_URL=https://auth.${DOMAIN}
- OAUTH2_PROXY_WHITELIST_DOMAIN=.${DOMAIN}
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
- OAUTH2_PROXY_CLIENT_ID=${RADARR_CLIENT_ID}
- OAUTH2_PROXY_CLIENT_SECRET=sdgdhfd # For an unknown reason, Oauth2-proxy still wants a client_secret even when using PKCE, where it won't be useful
- OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
- OAUTH2_PROXY_SCOPE="openid profile email groups"
- OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}
```
With this setup, when trying to access Radarr, I have an error "Unauthorized". I don't know more about what the problem could be.
I think the Caddy configuration is correct, because it is very close to what Authentik is doing to forward_auth to its own integrated proxy, confirmed by this post https://caddy.community/t/replicating-nginx-auth-request/22118/5
So I think it comes from the Oauth2-proxy configuration. But I couldn't find anyone using Oauth2-proxy with Zitadel, or Oauth2-proxy with forward_auth. So I'm looking for help to know what setting I could be missing.
Thanks in advance for any answer and have a great day.
1. Which version are you using?
2. How do you deploy oauth2-proxy?
3. Please share your oauth2-proxy logs
Hi, thanks a lot for your answer.

1. It is version 7.5.1.
2. I am deploying oauth2-proxy with docker-compose. My service is deployed this way:
```yaml
oauth2-radarr:
  image: quay.io/oauth2-proxy/oauth2-proxy:latest
  platform: ${PLATFORM}
  container_name: oauth2-radarr
  networks:
    - services6
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=${TZ}
    - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
    - OAUTH2_PROXY_EMAIL_DOMAINS=*
    - OAUTH2_PROXY_PROVIDER=oidc
    - OAUTH2_PROXY_REDIRECT_URL=https://radarr.${DOMAIN}/oauth2/callback
    - OAUTH2_PROXY_OIDC_ISSUER_URL=https://auth.${DOMAIN}
    - OAUTH2_PROXY_WHITELIST_DOMAIN=.${DOMAIN}
    - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
    - OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR=true
    - OAUTH2_PROXY_CLIENT_ID=${RADARR_CLIENT_ID}
    - OAUTH2_PROXY_CLIENT_SECRET=dummy #${RADARR_CLIENT_SECRET}
    - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
    #- OAUTH2_PROXY_OIDC_GROUPS_CLAIM=groups
    #- OAUTH2_PROXY_SCOPE="openid profile email groups"
    - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}
```
(Oauth2-proxy, Radarr (the app I'm trying to secure) and Zitadel are all on the services6 network.)
3. My logs are the following:

```
[2024/01/10 21:56:17] [provider.go:55] Performing OIDC Discovery...
[2024/01/10 21:56:17] [oauthproxy.go:166] OAuthProxy configured for OpenID Connect Client ID: 248881322301390850@saladserver
[2024/01/10 21:56:17] [oauthproxy.go:172] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
172.24.0.100 - 9bfdf543-d1d4-4a09-a207-08b603b72c43 - - [2024/01/10 21:59:33] radarr.example.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0" 401 13 0.000
172.24.0.100 - ecc5e479-e490-49f9-8e25-5b25599a8458 - - [2024/01/10 22:20:43] radarr.example.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0" 401 13 0.000
172.24.0.100 - 2b5d4046-d37e-4557-b997-63286cdc4ae0 - - [2024/01/10 22:20:43] radarr.example.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0" 401 13 0.000
```
Zitadel is not picking up anything so the error comes from Oauth2-proxy (I think).
The 2 options I have to secure an app under OIDC with Zitadel are Oauth2-proxy and caddy-security, but in both cases I am struggling to find an example to start with, and can't find which settings I am missing. Oauth2-proxy seems better in my case because I want to remove any login UI and go directly to OIDC; it appears caddy-security can't do this (or I couldn't find it).
Any answer is extremely valuable to me, so thanks in advance for any help and have a great day!
Hi @LeVraiRoiDHyrule,
so your https://radarr.${DOMAIN}/ is pointing to your oauth2-proxy instance, right?
How did you configure the upstream?
Which architecture are you trying to build?
```
                        auth
nginx / loadbalancer -------> oauth2-proxy <------> zitadel
          |
          |
          v
        radarr
```

```
oauth2-proxy <------> zitadel
      |
      |
      v
    radarr
```
Thanks a lot for your answer.
https://radarr.${DOMAIN}/ points to Radarr, not oauth2-proxy. But the subpath https://radarr.${DOMAIN}/oauth2/* points to oauth2-proxy. This is because I am trying to set up forward_auth (the Caddy equivalent of nginx's auth_request), and not full proxying. It appears to be possible, as I've seen some reports of people doing it with Nginx's auth_request; I'm trying to do the same with Caddy.
What I am trying to do is your first option. I would represent it this way:
```
        forward_auth                 oauth2/oidc
Caddy ----------------> oauth2-proxy <---------------> zitadel
  |
  |
  v
Radarr
```
It is what I was doing before with Authentik, with its integrated proxy outpost. My main reference is this: https://goauthentik.io/docs/providers/proxy/forward_auth (it shows all the forward auth config with Caddy, Nginx...). I am trying to do the same thing with oauth2-proxy.
Hi, is setting an upstream a requirement when using forward_auth? I didn't have to set any when using Authentik's built-in proxy, but maybe this is different. I'm trying to stick as much as possible to what Authentik is doing, as it is the closest config I could find for what I'm looking to do. But I'm still stuck on this "Unauthorized" error.
Oauth2-proxy is the very last brick I would need to make the perfect home server that can secure both OIDC and classic web apps, all under a single account system. So I am highly interested in any advice.
Have a nice day!
Hi, I am very interested in any help you could give if someone sees this. Oauth2-proxy is the last problem I need to solve to achieve my dream setup, so I'm all ears! Thanks in advance for any answer and have a nice day.
I'm not sure how to achieve this, yet, but I think what you want is something more like:
```
        http/s proxy                 oauth2/oidc
Caddy ----------------> oauth2-proxy <---------------> zitadel
                             |
                             | forward auth
                             v
                           Radarr
```
Hi, thanks for your answer.
If I understood correctly, oauth2-proxy works very similarly to Authentik's integrated auth proxy, which I've used a bit. What you are describing is the classic way, where all the traffic to the application (Radarr) is proxied through oauth2-proxy (@tuunit's second option).
I am trying to do option 1, as I described it. This way, only the authentication is proxied. When the reverse proxy receives a successful authorization, the traffic is then only proxied through the reverse proxy and not through oauth2-proxy. This is preferable for my setup because I have to set subpaths (like APIs) that should not require authentication, and it is easier for me to do that in Caddy rather than in Oauth2-proxy. This already works with Nginx and should work the same way with Caddy. I don't understand why I can't get it to work; what is blocking me is probably my Oauth2-proxy configuration, but I can't find what I am doing wrong.
Do you have an idea how I could achieve option 1?
Thanks in advance for any answer and have a great day.
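An added example of the option 1 layout (Caddy keeps proxying Radarr itself and only asks oauth2-proxy whether the request is authenticated). This is editor-supplied configuration, not the Caddyfile from this issue and not configuration from the oauth2-proxy project; it assumes the hostname and container names used in the thread (radarr.example.com, oauth2-radarr:4180, radarr:7878). The step the thread's Caddyfile has no equivalent for is the last one: oauth2-proxy's /oauth2/auth endpoint answers 202 when the session cookie is valid and a plain 401 body "Unauthorized" when it is not, and never redirects. Caddy's forward_auth copies a non-2xx upstream response straight back to the client, which is consistent with the 13-byte 401 responses in the logs above, so Caddy itself has to turn that 401 into a redirect to /oauth2/start, where the OIDC login with Zitadel begins.

```caddyfile
# Added example (not configuration from this issue or the oauth2-proxy project).
# Assumes the thread's names: radarr.example.com, oauth2-radarr:4180, radarr:7878.
radarr.example.com {
	# Radarr's API keeps its own API-key check, and oauth2-proxy's own
	# endpoints must not be gated by the auth check they implement.
	@protected not path /api* /oauth2/*

	# /oauth2/start, /oauth2/callback, /oauth2/sign_out, ... are served on the
	# same host, so the session cookie oauth2-proxy sets is sent back on
	# later requests to Radarr.
	reverse_proxy /oauth2/* oauth2-radarr:4180

	forward_auth @protected oauth2-radarr:4180 {
		# Auth-only endpoint: 202 with a valid session cookie, 401 without.
		uri /oauth2/auth

		# Identity headers oauth2-proxy adds to the 202 response when
		# OAUTH2_PROXY_SET_XAUTHREQUEST=true; Caddy copies them onto the
		# request it then sends to Radarr.
		copy_headers X-Auth-Request-User X-Auth-Request-Email X-Auth-Request-Groups

		# forward_auth is a shortcut for reverse_proxy and accepts its
		# subdirectives: match the 401 and send the browser to the login
		# start endpoint, carrying the originally requested URL as the
		# return destination (rd) for after the Zitadel login.
		@unauthenticated status 401
		handle_response @unauthenticated {
			redir https://radarr.example.com/oauth2/start?rd={scheme}://{host}{uri}
		}
	}

	# Application traffic never passes through oauth2-proxy.
	reverse_proxy radarr:7878
}
```

On the oauth2-proxy side this layout needs three settings in addition to those already in the thread, all documented oauth2-proxy options: OAUTH2_PROXY_SET_XAUTHREQUEST=true so the X-Auth-Request-* headers above are emitted, OAUTH2_PROXY_REVERSE_PROXY=true so the X-Forwarded-* headers Caddy sends are trusted, and OAUTH2_PROXY_UPSTREAMS=static://202, which answers the question about the upstream: with forward_auth oauth2-proxy proxies no application traffic, so a static 202 upstream is all it needs. Note also that the environment name for --whitelist-domain is the plural OAUTH2_PROXY_WHITELIST_DOMAINS, and that, as stated later in the thread, oauth2-proxy expects a confidential client (a real client secret), so the Zitadel application should be registered that way rather than as a public PKCE-only client.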
Hi, I am still very interested in doing this. Sorry to ping you @tuunit, but do you know if this is doable with Caddy? Have a nice day.
OAuth2 Proxy does not support public OAuth clients. Which is why you're required to provide the client secret - my guess here is the flow is not quite behaving correctly because of this.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.