OAuth2Proxy Integration - Redirect Loop to /signin, Client-side ignores NEXT_PUBLIC_AUTH_TYPE

[kyokocat2]

Hello,

I am trying to set up Keep with oauth2-proxy and Nginx as a reverse proxy, following the official documentation. However, I am stuck in a redirect loop.

The Problem:

I access http://11.111.111.123.

Nginx correctly triggers auth_request to oauth2-proxy.

I am redirected to Google for login.

After successful login, I am redirected back to the original URL (e.g., http://11.111.111.123/incidents).

The page loads briefly, then immediately redirects to http://11.111.111.123/signin?callbackUrl=http://11.111.111.123/incidents.

Debugging Information & Logs:

keep-frontend (Browser Console): I see a 404 (Not Found) error for the request http://11.111.111.123/api/auth/providers. This is immediately followed by an AuthError (from authjs.dev), which triggers the redirect to /signin.

keep-backend Log: The backend correctly reports the 404 for the request: Request started: GET /auth/providers ... tenant_id=anonymous Request finished: GET /auth/providers 404 in 0.00s ... status_code=404

keep-frontend Container Log: The container log correctly shows it's in OAUth2Proxy mode: Starting Nextjs ... AUTH_TYPE: OAUTH2PROXY

oauth2-proxy Log: Shows successful authentication and auth check: [oauthproxy.go:171] OAuthProxy configured for Google... ... GET - "/oauth2/auth" HTTP/1.0 ... 202 0 0.000

My Conclusion: My setup seems correct, and all server-side components recognize the OAUTH2PROXY mode. However, the keep-frontend client-side JavaScript does not seem to recognize NEXT_PUBLIC_AUTH_TYPE=OAUTH2PROXY. It incorrectly tries to fetch /api/auth/providers, which fails (as expected) and causes the Auth library to redirect to /signin.

I have tried force-recreating the keep-frontend container, updating the stack, clearing browser cache, and using Incognito mode, but the client-side behavior does not change.

Any help would be greatly appreciated!

1.docker-compose.yml
`services:
nginx:
image: nginx:1.25
container_name: keep-nginx-proxy
ports:
- "9881:80"
volumes:
- /home/docker-data/keep/nginx.conf:/etc/nginx/conf.d/default.conf:ro
depends_on:
- keep-frontend
- keep-backend
- oauth2-proxy
restart: unless-stopped

oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
container_name: keep-oauth2-proxy
volumes:
- /home/docker-data/keep/oauth2-proxy.cfg:/etc/oauth2-proxy.cfg:ro
command: --config=/etc/oauth2-proxy.cfg
restart: unless-stopped

keep-backend:
image: us-central1-docker.pkg.dev/keephq/keep/keep-api:latest
container_name: keep-backend
environment:
- DATABASE_URL=postgresql://postgres:postgres@postgres:5432/keep
- DATABASE_CONNECTION_STRING=postgresql://postgres:postgres@postgres:5432/keep
- REDIS_URL=redis://redis:6380/0
- SECRET_MANAGER_TYPE=DB
- SECRET_STORAGE_BACKEND=db
- AUTH_TYPE=OAUTH2PROXY
- NEXTAUTH_SECRET=YOUR_NEXTAUTH_SECRET
- NEXTAUTH_URL=http://11.111.111.123:9881 # Use full URL with port
- PUSHER_APP_ID=1
- PUSHER_APP_KEY=keepappkey
- PUSHER_APP_SECRET=keepappsecret
- PUSHER_HOST=keep-websocket-server
- PUSHER_PORT=6011
- OAUTH2_PROXY_USER_HEADER=X-Forwarded-Email
depends_on:
- postgres
- redis
- keep-websocket-server
restart: unless-stopped

keep-frontend:
image: us-central1-docker.pkg.dev/keephq/keep/keep-ui:latest
container_name: keep-frontend
depends_on:
- keep-backend
environment:
- NEXT_PUBLIC_API_URL=http://11.111.111.123:9881/api
- API_URL=http://keep-backend:8080
- NEXTAUTH_URL=http://11.111.111.123:9881
- AUTH_TYPE=OAUTH2PROXY
- NEXT_PUBLIC_AUTH_TYPE=OAUTH2PROXY
- NODE_TLS_REJECT_UNAUTHORIZED=0
- NEXTAUTH_SECRET=YOUR_NEXTAUTH_SECRET
- PUSHER_HOST=11.111.111.123
- PUSHER_PORT=9901
- PUSHER_APP_KEY=keepappkey
- OAUTH2_PROXY_USER_HEADER=X-Forwarded-Email
restart: unless-stopped

keep-websocket-server:
image: quay.io/soketi/soketi:1.4-16-debian
container_name: keep-websocket-server
ports:
- "9901:6011"
- "9601:9601"
environment:
- SOKETI_DEBUG=1
- SOKETI_DEFAULT_APP_ID=1
- SOKETI_DEFAULT_APP_KEY=keepappkey
- SOKETI_DEFAULT_APP_SECRET=keepappsecret
restart: unless-stopped`

2.nginx.conf
`server {
listen 80;
server_name 11.111.111.123;

# --- Oauth2 Proxy Auth Endpoint ---
location /oauth2/ {
    proxy_pass http://oauth2-proxy:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# --- API Docs (Public) ---
location = /openapi.json {
    proxy_pass http://keep-backend:8080;
    proxy_set_header Host $host;
}
location ~ ^/api/(swagger-ui|v3/api-docs|docs) {
    proxy_pass http://keep-backend:8080;
    proxy_set_header Host $host;

    rewrite ^/api/(.*)$ /$1 break;
}

# --- Keep API Backend (/api/) - Requires Auth ---
location /api/ {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/start?rd=$request_uri;

    auth_request_set $auth_email $sent_http_x_auth_request_email;
    proxy_set_header X-Forwarded-Email $auth_email;

    proxy_pass http://keep-backend:8080/;
    proxy_set_header Host $host;

    rewrite ^/api/(.*)$ /$1 break;
}

# --- Keep UI Frontend (/) - Requires Auth ---
location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/start?rd=$request_uri;

    auth_request_set $auth_email $sent_http_x_auth_request_email;
    proxy_set_header X-Forwarded-Email $auth_email;

    proxy_pass http://keep-frontend:3000;
    proxy_set_header Host $host;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

}`

3.oauth2-proxy.cfg
`# --- Basic Settings ---
http_address = "0.0.0.0:4180"
email_domains = [ "*" ]
proxy_prefix = "/oauth2"
redirect_url = "http://11.111.111.123:9881/oauth2/callback"

--- Nginx Auth Settings ---

set_xauthrequest = true
pass_access_token = true
pass_user_headers = true

--- Security ---

cookie_secret = "YOUR_COOKIE_SECRET"
cookie_secure = false

--- Provider (Google) ---

provider = "google"
client_id = "XXXXXX"
client_secret = "XXXXXXXX"`

[dosubot[bot]]

Hi @kyokocat2! I'm Dosu and I’m helping the keep team.

Your setup and troubleshooting steps look solid, but the redirect loop and the frontend trying to fetch /api/auth/providers in OAUTH2PROXY mode almost always means the client-side is not seeing the correct NEXT_PUBLIC_AUTH_TYPE at runtime. In Keep, the frontend should not call /api/auth/providers in OAUTH2PROXY mode—if it does, it usually means the environment variable wasn't injected at build time, or the container is running a stale build without the right env injected. This is a common pitfall with Next.js and Docker builds: environment variables like NEXT_PUBLIC_AUTH_TYPE must be present when the image is built, not just at container start, unless your image or entrypoint explicitly re-injects them at runtime [docs].

To fix this, make sure you rebuild the keep-frontend image after setting NEXT_PUBLIC_AUTH_TYPE=OAUTH2PROXY in your environment. If you’re using a prebuilt image, check if it supports runtime env injection (many don’t). If not, you’ll need to build your own image with the correct env, or use a script/entrypoint that rewrites the .env or Next.js runtime config before starting the server [docs].

Also, double-check that you set the required headers and variables: KEEP_OAUTH2_PROXY_USER_HEADER and KEEP_OAUTH2_PROXY_ROLE_HEADER on both frontend and backend, matching the headers your oauth2-proxy and nginx are forwarding (usually x-forwarded-email and x-forwarded-groups) [issue].

If you still see the loop after a clean rebuild, check your browser’s dev tools: look for NEXT_PUBLIC_AUTH_TYPE in the window.env or process.env in the frontend bundle. If it’s missing or wrong, the frontend will default to AuthJS mode and trigger the /api/auth/providers call and redirect loop.

Summary checklist:

• Rebuild the frontend image after setting NEXT_PUBLIC_AUTH_TYPE=OAUTH2PROXY.
• Ensure KEEP_OAUTH2_PROXY_USER_HEADER and KEEP_OAUTH2_PROXY_ROLE_HEADER are set and match your proxy headers.
• Confirm that the frontend is not using a stale or cached build.
• Check that NEXTAUTH_URL is set correctly at build time to your public URL.
• If using docker-compose, try docker-compose build --no-cache keep-frontend and then restart everything.

This should resolve the redirect loop and get OAuth2Proxy mode working as intended.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}