u/Ace_On_Fire1305

▲ 1 r/devops

DevOps / Kubernetes / OAuth2 Proxy + Keycloak

Hi everyone,

I’m building a local zero-trust authentication setup on Kubernetes (Docker Desktop on Windows/WSL2) and I’m stuck on an OAuth2-proxy + Keycloak login loop / CSRF issue.

I would really appreciate any help or pointers.

Stack

  • Kubernetes: Docker Desktop (WSL2)
  • Ingress: NGINX Ingress Controller
  • Identity Provider: Keycloak (OIDC)
  • Proxy: oauth2-proxy (Helm chart v7.15.2)
  • Backend: FastAPI

Local domains

All mapped in local hosts file:

  • fastapi.test → protected application
  • auth.test → oauth2-proxy (OIDC gateway)
  • keycloak.test → Keycloak

Intended authentication flow

  1. User visits: https://fastapi.test
  2. Redirected to oauth2-proxy: https://auth.test/oauth2/start
  3. Redirected to Keycloak login: https://keycloak.test/.../auth
  4. Login succeeds and redirects back: https://auth.test/oauth2/callback?code=...&state=...
  5. oauth2-proxy should validate session and redirect user back to: https://fastapi.test

Problem

After successful Keycloak login:

  • I get: Login Failed: Unable to find a valid CSRF token
  • Then:
    • Redirect loop between /oauth2/start, Keycloak, and /oauth2/callback
    • Eventually ends with 403 at auth.test

Cookie behavior (observed)

  • CSRF cookie is created on /oauth2/start
  • Session cookie is also created
  • But after callback:
    • CSRF validation fails OR cookie is not accepted/recognized
    • Sometimes cookie domain changes or is cleared

oauth2-proxy config (Helm)

Key parts:

provider: oidc
oidc-issuer-url: https://keycloak.test/realms/zero-trust-local-platform
redirect-url: https://auth.test/oauth2/callback

cookie-domain: auth.test
cookie-secure: true
cookie-samesite: lax
cookie-path: "/"
cookie-name: _oauth2_proxy

reverse-proxy: true
whitelist-domain: fastapi.test,auth.test,keycloak.test

Upstream:

upstream: static://200

Ingress setup

oauth2-proxy ingress:

  • Host: auth.test
  • Path: /
  • NGINX ingress controller
  • TLS enabled via cert-manager (self-signed local CA)

FastAPI ingress uses:

  • nginx.ingress.kubernetes.io/auth-url pointing to: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth
  • auth-signin: https://auth.test/oauth2/start?rd=$scheme://$host$request_uri

Keycloak config

  • KC hostname: keycloak.test
  • Proxy mode enabled via: KC_PROXY_HEADERS=xforwarded KC_HOSTNAME=keycloak.test KC_HTTP_ENABLED=true
  • Running behind ingress with TLS

What I already tried

  • Chrome + Edge + Incognito
  • Changed cookie-domain (.test → auth.test)
  • Changed SameSite (Lax → None)
  • Verified redirect URI matches Keycloak client config
  • Verified OIDC issuer endpoint
  • Checked ingress annotations
  • Verified reverse proxy headers

What I suspect

I think this is related to one of:

  • CSRF cookie not surviving redirect chain
  • cookie domain / path mismatch between:
    • /oauth2/start
    • /oauth2/callback
  • reverse proxy headers missing (X-Forwarded-*)
  • oauth2-proxy state/CSRF binding issue
  • browser SameSite + local domain behavior

Question

Has anyone successfully run a 3-domain local OIDC setup like this?

  • fastapi.test (app)
  • auth.test (oauth2-proxy gateway)
  • keycloak.test (IdP)

If yes, what was the critical config fix that resolved CSRF / redirect loop issues?

u/Ace_On_Fire1305 — 2 days ago
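As an added check that is not part of the original post: this script models the browser cookie rules (Domain and public-suffix handling, Secure, Path, SameSite) for the hops described above, using constructed Set-Cookie lines built from the post's cookie-* settings. The cookie names follow the post's cookie-name plus oauth2-proxy's `_csrf` suffix, and the exact attributes the proxy emits are assumptions, as is the rule that a bare TLD like `.test` counts as a public suffix.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return name.strip(), value.strip(), attrs

def default_path(path):
    """RFC 6265 default-path: the request path up to, but excluding, its last '/'."""
    return path.rsplit("/", 1)[0] if path.startswith("/") and path.count("/") > 1 else "/"

def cookie_sent(header, set_on_url, request_url, top_level_get=True):
    """(sent, reason): would a browser replay the cookie on request_url? The request is taken
    to be cross-site (arriving from keycloak.test); a missing SameSite is treated as Lax."""
    name, _, a = parse_set_cookie(header)
    s, r = urlsplit(set_on_url), urlsplit(request_url)
    domain = a.get("domain", "").lstrip(".").lower()
    if domain and "." not in domain:  # assumption: a bare TLD such as .test is a public suffix
        return False, f"{name}: Domain={domain} is a public suffix, cookie rejected"
    if domain and not (r.hostname == domain or r.hostname.endswith("." + domain)):
        return False, f"{name}: {r.hostname} is outside Domain={domain}"
    if not domain and s.hostname != r.hostname:  # host-only cookie
        return False, f"{name}: host-only cookie for {s.hostname}, request goes to {r.hostname}"
    secure = "secure" in a
    if secure and r.scheme != "https":
        return False, f"{name}: Secure cookie, request is not https"
    cpath = a.get("path") or default_path(s.path)
    if not (r.path == cpath or r.path.startswith(cpath.rstrip("/") + "/")):
        return False, f"{name}: Path={cpath} does not cover {r.path}"
    samesite = a.get("samesite", "lax").lower()
    if samesite == "none" and not secure:
        return False, f"{name}: SameSite=None without Secure is rejected"
    if samesite == "strict" or (samesite == "lax" and not top_level_get):
        return False, f"{name}: SameSite={samesite} blocks this cross-site request"
    return True, f"{name}: sent"

START = "https://auth.test/oauth2/start"
CALLBACK = "https://auth.test/oauth2/callback?code=x&state=y"
# Constructed Set-Cookie lines mirroring the post's cookie-* settings; values are placeholders.
CASES = {
    "csrf as configured": ("_oauth2_proxy_csrf=c; Domain=auth.test; Path=/; Secure; SameSite=Lax", START, CALLBACK),
    "csrf with cookie-domain .test": ("_oauth2_proxy_csrf=c; Domain=.test; Path=/; Secure; SameSite=Lax", START, CALLBACK),
    "csrf SameSite=None without Secure": ("_oauth2_proxy_csrf=c; Domain=auth.test; Path=/; SameSite=None", START, CALLBACK),
    "session cookie sent to the app host": ("_oauth2_proxy=s; Domain=auth.test; Path=/; Secure; SameSite=Lax", CALLBACK, "https://fastapi.test/"),
}

def check_all():
    return {label: cookie_sent(*args) for label, args in CASES.items()}
```

Run `check_all()` and read the reason strings: each case that comes back `False` is a hop on which the browser would not send the cookie, which is where to look in the browser's DevTools before touching the Helm values.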