Authentication Quick Reference
Quick reference for common authentication tasks.
Installation
Install with Azure AD
Install with Google
Install with GitHub
Install with Okta SAML
Protection
Protect an app with group-based access
Protect an app with domain restriction
Protect an app - allow all authenticated users
Verification
Check auth module status
View oauth2-proxy logs
Check protected apps
View authorization policies
Troubleshooting
Redirect loop
# Check cookie domains
kubectl get configmap oauth2-proxy-config -n greenfield -o yaml
# Check redirect URL
kubectl get configmap oauth2-proxy-config -n greenfield -o jsonpath='{.data.redirect-url}'
Groups not in JWT
# Decode JWT to check claims
# Get token from browser DevTools → Application → Cookies
# Or from X-Auth-Request-Access-Token header
TOKEN="eyJ..."
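# JWT segments are unpadded base64url: map to standard base64 and restore padding
PAYLOAD=$(printf '%s' "$TOKEN" | cut -d. -f2 | tr '_-' '/+')
while [ $(( ${#PAYLOAD} % 4 )) -ne 0 ]; do PAYLOAD="${PAYLOAD}="; done
printf '%s' "$PAYLOAD" | base64 -d | jq .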
Authorization denied
# Check authorization policies
kubectl get authorizationpolicy -n greenfield -o yaml
# Check Istio sidecar logs
kubectl logs -n greenfield POD_NAME -c istio-proxy
Configuration Updates
Update oauth2-proxy configuration
kubectl edit configmap oauth2-proxy-config -n greenfield
kubectl rollout restart deployment oauth2-proxy -n greenfield
Update secrets
kubectl delete secret oauth2-proxy-secret -n greenfield
kubectl create secret generic oauth2-proxy-secret \
  --from-literal=client-id=NEW_CLIENT_ID \
  --from-literal=client-secret=NEW_CLIENT_SECRET \
  --from-literal=cookie-secret=$(openssl rand -base64 32 | head -c 32) \
  -n greenfield
Add environment variable to oauth2-proxy
Provider-Specific Commands
Azure AD - Enable group claims
GitHub - Restrict to organization
Google - Restrict to domain
Common kubectl Commands
Get all auth resources
Get all Istio auth resources
# -n takes a single namespace, so query each one in turn
for ns in greenfield istio-system; do
  kubectl get gateway,virtualservice,requestauthentication,authorizationpolicy -n "$ns"
done
Describe oauth2-proxy deployment
Check pod status
Port forward to oauth2-proxy
Testing Authentication
Test without auth (should get 302 redirect)
Test health endpoint (should return 200)
Test with cookie
# After authentication, save cookies
curl -c cookies.txt https://myapp.example.com/
# Use cookies for subsequent requests
curl -b cookies.txt https://myapp.example.com/api/data
Useful Queries
List all protected applications
kubectl get virtualservice -n greenfield -l auth-enabled=true \
  -o 'custom-columns=NAME:.metadata.name,HOST:.spec.hosts[0]'
Check which apps require specific groups
Find apps with public paths
Cleanup
Remove auth from an app
kubectl delete virtualservice,authorizationpolicy,requestauthentication \
  -n greenfield -l app=myapp
Uninstall auth module
Remove all auth resources
# Deletes the whole greenfield namespace and everything deployed in it
kubectl delete namespace greenfield
# Or selectively:
kubectl delete deployment,service,configmap \
  -n greenfield -l app=oauth2-proxy
Emergency Procedures
Disable authentication temporarily
# Delete EnvoyFilter to bypass auth
kubectl delete envoyfilter oauth2-proxy-ext-authz -n istio-system
# Re-enable
kubectl apply -f kustomize/base/auth/base/gateway/envoyfilter-ext-authz.yaml
Allow all users temporarily
# Create temporary allow-all policy
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: temporary-allow-all
  namespace: greenfield
spec:
  action: ALLOW
  rules:
  - {}
EOF
# Remove when done
kubectl delete authorizationpolicy temporary-allow-all -n greenfield
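A check for allow-all policies left behind after the emergency procedure above. This is an added example, not part of the original reference; it is written in Python because it parses the JSON that `kubectl get authorizationpolicy -n greenfield -o json` returns. The sample input is constructed, and the names `myapp-groups`, `deny-by-default` and `platform-admins` are made up for illustration.

```python
import json

# Constructed sample of `kubectl get authorizationpolicy -n greenfield -o json`
# output (not from a real cluster; policy and group names are made up).
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "temporary-allow-all", "namespace": "greenfield"},
         "spec": {"action": "ALLOW", "rules": [{}]}},
        {"metadata": {"name": "myapp-groups", "namespace": "greenfield"},
         "spec": {"selector": {"matchLabels": {"app": "myapp"}},
                  "rules": [{"when": [{"key": "request.auth.claims[groups]",
                                       "values": ["platform-admins"]}]}]}},
        {"metadata": {"name": "deny-by-default", "namespace": "greenfield"},
         "spec": {}},
    ]
})


def is_unconditional(rule):
    """A rule with no from/to/when conditions matches every request."""
    return not any(rule.get(k) for k in ("from", "to", "when"))


def find_allow_all(policy_list_json):
    """Return (namespace, name, scope) for each ALLOW policy with a match-all rule."""
    findings = []
    for item in json.loads(policy_list_json).get("items", []):
        spec = item.get("spec") or {}
        # Istio treats a missing action as ALLOW.
        if spec.get("action", "ALLOW") != "ALLOW":
            continue
        # No rules at all means "allow nothing", so only a match-all rule counts.
        if not any(is_unconditional(r or {}) for r in spec.get("rules") or []):
            continue
        # Without a selector the policy covers every workload in its namespace.
        scope = "workload" if spec.get("selector") else "namespace"
        meta = item["metadata"]
        findings.append((meta["namespace"], meta["name"], scope))
    return findings


if __name__ == "__main__":
    for ns, name, scope in find_allow_all(SAMPLE):
        print(f"allow-all policy {ns}/{name} ({scope}-wide)")
```

To run it against a cluster, pass the captured `kubectl ... -o json` output to `find_allow_all()` in place of `SAMPLE`.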
Reset oauth2-proxy
# Delete and recreate
kubectl delete deployment oauth2-proxy -n greenfield
kubectl apply -k kustomize/base/auth/overlays/provider-azuread/