R de Ren
33a794e35d
New stack:
- stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq)
that gate vhosts via nginx auth_request against Keycloak's wbd realm.
Native OIDC wired into:
- grafana (generic_oauth, role-attribute-path → Admin/Editor/Viewer)
- jupyterhub (oauthenticator.GenericOAuthenticator)
- node-red (passport-openidconnect; in-memory state store + users()
resolver because adminAuth doesn't expose req.session)
- jenkins (oic-auth plugin via JCasC; matrix-auth for authz; setup
wizard suppressed; custom image with plugins.txt)
Infra fixes uncovered while bringing the above online:
- nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks
don't 502 on the JWT-bearing Set-Cookie header.
- nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names
re-resolve after sidecar recreates (was cross-wiring oauth2-proxy
upstreams after restart).
- jupyterhub: pass --allow-root to the singleuser spawner (hub runs as
root inside its container; jupyter-server refused root without flag).
- jupyterhub Dockerfile: install jupyterlab + notebook so
SimpleLocalProcessSpawner has something to launch.
- node-red Dockerfile: install passport-openidconnect into the image
so settings.js can require() it.
- portainer: pre-seed local admin via --admin-password=<bcrypt-hash>
so the 5-minute "no admin → lockout" timer can never trigger.
- deploy.sh: restore executable bit (was 644 in repo).
Admin/viewer policy:
- Created realm role `app-admin` in keycloak wbd realm.
- Grafana maps app-admin → Admin (default Viewer).
- Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated
users get Overall/Read + Job/Read + View/Read.
- Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others
["read"]. (TODO: switch to app-admin realm role.)
- JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.)
- Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email.
Docs:
- README, cloud/README, stacks/oauth2-proxy/README, and per-stack
READMEs updated to reflect the new state and remove resolved TODOs.
- cloud/.env.example gains all the new OIDC client + cookie-secret keys.
- cloud/README documents the full kcadm realm bootstrap, including the
hardcoded-audience mapper and post-logout redirect URIs that are
non-obvious gotchas.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
oauth2-proxy
Keycloak SSO gate for apps without native OIDC: mlflow, portainer-ce, rabbitmq. One sidecar container per protected vhost. nginx-proxy's vhost for each gates user requests with auth_request /oauth2/auth, and forwards /oauth2/* paths to the sidecar for the OIDC handshake.
Cloud-only. Each sidecar binds to port 4180 on the app network so nginx can reach it.
Files
stacks/oauth2-proxy/
├── compose.yml # three services: oauth2-proxy-mlflow, -portainer, -rabbitmq
└── README.md
How a request flows
- Browser →
https://ml.wbd-rd.nl/(no cookie) - nginx
auth_request /oauth2/authsubrequest → oauth2-proxy → 401 - nginx
error_page 401 = /oauth2/sign_in→ oauth2-proxy → 302 to Keycloak - User authenticates at Keycloak → redirected to
https://ml.wbd-rd.nl/oauth2/callback?code=… - oauth2-proxy exchanges the code, sets
_oauth2_<app>cookie, redirects to the original URL - Browser retries
/, this time/oauth2/authreturns 202, request proxies through to mlflow
Required Keycloak setup per client
Each client must have:
- Standard flow enabled, confidential client (
publicClient=false). - Redirect URI exactly:
https://<app-host>/oauth2/callback - Hardcoded audience mapper so the access token's
audclaim includes the client_id. Without this, oauth2-proxy rejects the callback with HTTP 500 because the default Keycloakaudis[realm-management, account]— seecloud/README.mdfor the kcadm bootstrap script.
nginx vhost shape
server {
listen 443 ssl; server_name <app>.wbd-rd.nl;
# … cert directives …
location /oauth2/ {
proxy_pass http://oauth2-proxy-<app>:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Auth-Request-Redirect $request_uri;
}
location = /oauth2/auth {
internal;
proxy_pass http://oauth2-proxy-<app>:4180;
proxy_set_header Host $host;
proxy_set_header X-Original-URI $request_uri;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location / {
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
proxy_pass http://<app-upstream>;
# … app-specific headers …
}
}
Caveats
- No fine-grained authorization. oauth2-proxy only enforces "is this Keycloak user authenticated"; restricting to a subset (e.g. only
app-admin) is a separate config (OAUTH2_PROXY_ALLOWED_GROUPS/OAUTH2_PROXY_ALLOWED_EMAIL_DOMAINS). - Cookies are HUGE. oauth2-proxy embeds the JWT + refresh token in the session cookie. Without raising
proxy_buffer_sizeto ≥ 16k in nginx, the callback returns 502 "upstream sent too big header". The nginx-proxy stack already sets this globally. - DNS caching on nginx restart. When oauth2-proxy containers are recreated they get new Docker bridge IPs. nginx will keep using the old IPs until reloaded. The nginx-proxy stack now ships
resolver 127.0.0.11 valid=30s;so this self-heals on the resolver TTL. - Cookie secrets must be exactly 16, 24, or 32 bytes (raw, not base64).
openssl rand -hex 16gives 32 hex chars = the right shape.
TODO
- Restrict access per app via
OAUTH2_PROXY_ALLOWED_GROUPS=app-admin(or similar) once we have proper realm groups - Consider consolidating to a single oauth2-proxy with a wildcard cookie domain
.wbd-rd.nlonce we trust the shared-cookie tradeoff