Description
What happened?
I am using Kubernetes Dashboard v7.13.0 behind an OAuth2 Proxy (via NGINX Ingress and Kong gateway). The OAuth2 proxy correctly authenticates the user and responds with an Authorization: Bearer header. The ingress is configured with annotations to forward this header to the Kubernetes Dashboard.
Despite successful authentication and the presence of the bearer token in the ingress response (verified via /oauth2/auth returning 202 and including the Authorization header), the dashboard still prompts for manual token input on the login screen.
However, we suspect Kong is either stripping or not receiving the Authorization header, as the token is not visible in Kong logs or the requests reaching the dashboard. Even with nginx.kubernetes.io/auth-response-headers and other annotations configured, the dashboard does not detect the token.
dashboard-ingress.yaml annotations:
annotations:
  #konghq.com/plugins: "preserve-auth-header"
  nginx.ingress.kubernetes.io/auth-url: "https://<host>/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "https://<host>/oauth2/start?rd=https://$host$request_uri"
  nginx.ingress.kubernetes.io/auth-response-headers: >-
    X-Auth-Request-Email,X-Auth-Request-Preferred-,X-Auth-Request-Access-Token,
    X-Auth-Request-Roles,X-Auth-Request-User,X-Auth-Request-Groups,X-Forwarded-Groups,
    Authorization
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  nginx.ingress.kubernetes.io/rewrite-target: "/"
  nginx.ingress.kubernetes.io/proxy-buffers: "4 512k"
  nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "512k"
oauth2-proxy configs:
--set config.clientID="xxxxxx" \
--set config.clientSecret="xxxxxxx" \
--set config.cookieSecret="xxxxxxxxx" \
--set image.repository="docker.io/oauth2-proxy/oauth2-proxy" \
--set image.tag="v7.9.0" \
--set extraArgs.provider="oidc" \
--set extraArgs.azure-tenant="xxxxxxxxxx" \
--set extraArgs.oidc-issuer-url="https://login.microsoftonline.com/xxxxxxxxxx/v2.0" \
--set extraArgs.redirect-url="https://<host>/oauth2/callback" \
--set extraArgs.scope="openid profile email offline_access" \
--set extraArgs.email-domain="*" \
--set extraArgs.upstream="https://kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local:443" \
--set extraArgs.whitelist-domain="xxxxxxxx" \
--set extraArgs.cookie-domain=".cloud.xxx.net" \
--set extraArgs.cookie-csrf-expire="59m" \
--set extraArgs.cookie-csrf-per-request=true \
--set extraArgs.cookie-expire="1h" \
--set extraArgs.cookie-refresh="59m" \
--set extraArgs.cookie-secure=true \
--set extraArgs.cookie-name="_oauth2_proxy_csrf" \
--set extraArgs.reverse-proxy=true \
--set extraArgs.set-authorization-header=true \
--set extraArgs.pass-authorization-header=true \
--set extraArgs.pass-access-token=true \
--set extraArgs.show-debug-on-error=true \
--set extraArgs.ssl-upstream-insecure-skip-verify=true \
--set extraArgs.ssl-insecure-skip-verify=true \
--set extraArgs.skip-auth-strip-headers=false \
--set extraArgs.pass-user-headers=true \
--set extraArgs.pass-host-header=true \
--set extraArgs.set-xauthrequest=true \
--set extraArgs.skip-provider-button=true \
--set extraArgs.skip-jwt-bearer-tokens=true \
--set ingress.enabled=true \
--set ingress.className="nginx" \
--set ingress.path="/oauth2" \
--set ingress.hosts[0]="<host>" \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-buffer-size"="256k" \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-body-size"="5000m"
What did you expect to happen?
- If a valid Authorization: Bearer header is present on the request reaching the dashboard, it should automatically log in the user
- The dashboard should recognize the token and not prompt for manual token entry
- The behavior should be consistent with OAuth2 proxy + reverse proxy flows as suggested in the documentation and community discussions
How can we reproduce it (as minimally and precisely as possible)?
- Deploy Kubernetes Dashboard v7.13.0 using the official Helm chart
- Use OAuth2 Proxy with --reverse-proxy, --set-xauthrequest, --pass-authorization-header, and --pass-access-token
- Use NGINX Ingress with annotations as shown above
- Route ingress backend to the kubernetes dashboard via a Kong proxy service
- Login via OAuth2 proxy works and returns 202 with Authorization: Bearer token
- Dashboard still shows manual token login instead of using the bearer token
- No Authorization header seen in the request headers or logs
Anything else we need to know?
No response
What browsers are you seeing the problem on?
Chrome
Kubernetes Dashboard version
v7.13.0
Kubernetes version
Client Version: v1.30.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.4
Dev environment
No response
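
To find the hop at which the Authorization header described in this report disappears, a header-echo backend can stand in for the upstream behind NGINX or behind Kong and report which forwarded headers arrive, without writing token values to logs. This is an added example, not part of the original issue or of the Kubernetes Dashboard project; the function names, the plain-HTTP listener on port 8080 and the JWT-shape check are assumptions.

```python
"""Header-echo backend for tracing auth headers through a proxy chain (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# A subset of the headers named in the auth-response-headers annotation above.
EXPECTED = [
    "Authorization",
    "X-Auth-Request-Access-Token",
    "X-Auth-Request-Email",
    "X-Auth-Request-User",
    "X-Auth-Request-Groups",
]


def summarize(headers):
    """Report which expected headers arrived, redacting their values."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name in EXPECTED:
        value = lower.get(name.lower())
        if value is None:
            report[name] = "missing"
        elif name == "Authorization":
            scheme, _, token = value.partition(" ")
            # Assumption: an OIDC bearer token is a JWT (three dot-separated parts).
            ok = scheme.lower() == "bearer" and token.count(".") == 2
            report[name] = f"{scheme} <{len(token)} chars, jwt-shaped={ok}>"
        else:
            report[name] = f"present ({len(value)} chars)"
    return report


class Echo(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps(summarize(dict(self.headers.items())), indent=2).encode()
        print(self.path, body.decode())  # only lengths and presence are logged
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 is an assumption; point the proxy hop under test at it.
    HTTPServer(("0.0.0.0", 8080), Echo).serve_forever()
```

Pointing first the ingress backend and then the Kong route at this listener shows whether the header is already absent after NGINX or only after Kong.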