-cookie-refresh option causing incorrect validation api call #339

@paladugu-anand-rht

Description

I am using the oauth-proxy as a sidecar container for application authentication in OpenShift. When I set the following arguments:

      - '-cookie-expire=1h0m0s'
      - '-cookie-refresh=0h1m0s'

For refresh, the proxy seems to invoke an API call that is not allowed and fails.

Initial login:

2025/11/04 04:20:09 provider.go:671: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"kube:admin","creationTimestamp":null},"groups":["system:authenticated","system:cluster-admins"]}
2025/11/04 04:20:09 oauthproxy.go:691: 10.129.2.10:41098 authentication complete Session{kube:admin@cluster.local token:true}

Refresh:

2025/11/04 04:21:12 oauthproxy.go:739: 10.129.2.10:35200 refreshing 1m3s old session cookie for Session{kube:admin@cluster.local token:true} (refresh after 1m0s)
2025/11/04 04:21:12 internal_util.go:67: 403 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~?access_token=sha256~7-6VpVRBufjfLUt4ac... {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"users.user.openshift.io "" is forbidden: User "system:anonymous" cannot get resource "users" in API group "user.openshift.io" at the cluster scope","reason":"Forbidden","details":{"name":"","group":"user.openshift.io","kind":"users"},"code":403}
2025/11/04 04:21:12 internal_util.go:72: token validation request failed: status 403 - {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"users.user.openshift.io "" is forbidden: User "system:anonymous" cannot get resource "users" in API group "user.openshift.io" at the cluster scope","reason":"Forbidden","details":{"name":"","group":"user.openshift.io","kind":"users"},"code":403}
2025/11/04 04:21:12 oauthproxy.go:761: 10.129.2.10:35200 removing session. error validating Session{kube:admin@cluster.local token:true}

So the refresh is using access_token as a query param, and there is no way to do it that way in the OpenShift API. Is this a known issue?
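As an added example (not code from the issue or from oauth-proxy), a small Go program that reproduces the behaviour shown in the logs against a constructed stand-in for the OpenShift API server: the users/~ validation call gets 403 when the token travels as an access_token query parameter, and succeeds only with an Authorization: Bearer header. The fake server, the token value and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the OpenShift API server, modelling the issue's logs:
// an access_token query parameter is ignored (caller stays system:anonymous, 403);
// only an "Authorization: Bearer <token>" header authenticates the users/~ call.
func newFakeAPIServer(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/apis/user.openshift.io/v1/users/~" &&
			r.Header.Get("Authorization") == "Bearer "+validToken {
			fmt.Fprint(w, `{"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"kube:admin"}}`)
			return
		}
		http.Error(w, `{"kind":"Status","status":"Failure","reason":"Forbidden","code":403}`, http.StatusForbidden)
	}))
}

// validateToken performs the users/~ validation call and returns the HTTP status.
// inHeader=true sends the token as a Bearer header; false puts it in the query
// string as the refresh path in the issue does (where it also lands in URL logs).
func validateToken(apiURL, token string, inHeader bool) (int, error) {
	u := apiURL + "/apis/user.openshift.io/v1/users/~"
	if !inHeader {
		u += "?access_token=" + token
	}
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return 0, err
	}
	if inHeader {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newFakeAPIServer("sha256~EXAMPLE") // constructed token value
	defer srv.Close()
	q, _ := validateToken(srv.URL, "sha256~EXAMPLE", false)
	h, _ := validateToken(srv.URL, "sha256~EXAMPLE", true)
	fmt.Println("query param:", q, "bearer header:", h) // 403 then 200
}
```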
