Description
OAuth2-Proxy Version
v7.12.0
Provider
None
Expected Behaviour
The OAUTH2_PROXY_COOKIE_DOMAIN environment variable should function identically to the --cookie-domain command-line flag, setting the cookie domain appropriately.
Current Behaviour
Description
When setting OAUTH2_PROXY_COOKIE_DOMAIN via environment variables in a Docker Compose file, the cookie is not set as expected. However, when the same value is provided directly via the command section, the cookie is set correctly.
Causing issue:
https://oauth2.example.com/oauth2/callback?code=xxx&state=xxxwhoami.example.com
403 Forbidden
Login Failed: Unable to find a valid CSRF token. Please try again.
Config
docker-compose.yml
oauth2-proxy:
  image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
  container_name: oauth2-proxy
  restart: always
  # ==========================================
  # This is commented when trying without this flag but with OAUTH2_PROXY_COOKIE_DOMAIN
  command:
    - --cookie-domain=.example.com
  # ==========================================
  env_file:
    - .env
  labels:
    - traefik.enable=true
    - traefik.http.routers.oauth2.rule=Host(`oauth2.example.com`)
    - traefik.http.routers.oauth2.entrypoints=websecure
    - traefik.http.routers.oauth2.tls.certresolver=myresolver
    - traefik.http.middlewares.oauth-auth.forwardauth.address=http://oauth2-proxy:4180/
    - traefik.http.middlewares.oauth-auth.forwardauth.trustForwardHeader=true
    - traefik.http.middlewares.oauth-auth.forwardauth.authResponseHeaders=Authorization,X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Groups,X-Auth-Request-Access-Token
    - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
  networks:
    web:
      aliases:
        - oauth2-proxy
.env
OAUTH2_PROXY_UPSTREAMS=static://202
OAUTH2_PROXY_PROVIDER=oidc
OAUTH2_PROXY_OIDC_ISSUER_URL=https://sub.example.com/application/o/myApp/
OAUTH2_PROXY_CLIENT_ID=xxxx
OAUTH2_PROXY_CLIENT_SECRET=xxxx
OAUTH2_PROXY_COOKIE_NAME=_oauth2_proxy
OAUTH2_PROXY_COOKIE_SECRET=xxx=
OAUTH2_PROXY_COOKIE_DOMAIN=.example.com
OAUTH2_PROXY_WHITELIST_DOMAINS=.example.com,example.com
OAUTH2_PROXY_COOKIE_SECURE=true
OAUTH2_PROXY_COOKIE_SAMESITE=none
OAUTH2_PROXY_COOKIE_REFRESH=5m
OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=false
OAUTH2_PROXY_COOKIE_CSRF_EXPIRE=5m
OAUTH2_PROXY_SESSION_STORE_TYPE=cookie
OAUTH2_PROXY_REDIRECT_URL=https://sub.example.com/oauth2/callback
OAUTH2_PROXY_EMAIL_DOMAINS=*
OAUTH2_PROXY_SCOPE=openid email profile
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_PASS_USER_HEADERS=true
OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_PASS_HOST_HEADER=true
OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
OAUTH2_PROXY_LOGGING_LEVEL=info
Result without --cookie-domain
docker logs oauth2-proxy
[2025/09/25 20:41:22] [provider.go:55] Performing OIDC Discovery...
[2025/09/25 20:41:23] [oauthproxy.go:182] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains: path:/ samesite:none refresh:after 5m0s
domains has no value
Result with --cookie-domain
docker logs oauth2-proxy
[2025/09/25 20:42:54] [provider.go:55] Performing OIDC Discovery...
[2025/09/25 20:42:56] [oauthproxy.go:182] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains:.example.com path:/ samesite:none refresh:after 5m0s
domains has the correct value
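An added check, not part of the issue report or of oauth2-proxy itself, that parses the "Cookie settings:" startup line quoted above and reports which hosts of the login flow the session/CSRF cookie would not be sent to. The two log lines are embedded as constructed samples taken from the runs above, and the flow hosts are the ones from the issue's compose file (whoami, the oauth2 router host and the OAUTH2_PROXY_REDIRECT_URL host).

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the two "Cookie settings:" startup lines quoted in the issue.
LOG_WITHOUT_FLAG = ("[2025/09/25 20:41:23] [oauthproxy.go:182] Cookie settings: "
                    "name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s "
                    "domains: path:/ samesite:none refresh:after 5m0s")
LOG_WITH_FLAG = LOG_WITHOUT_FLAG.replace("domains: ", "domains:.example.com ")

# Hosts that take part in the login flow in the issue's compose setup: the protected
# app, the proxy's own router host and the host of OAUTH2_PROXY_REDIRECT_URL.
FLOW_HOSTS = ["whoami.example.com", "oauth2.example.com",
              urlsplit("https://sub.example.com/oauth2/callback").hostname]


def parse_cookie_settings(line):
    """Turn the 'Cookie settings:' line into a dict; 'domains' becomes a list."""
    _, found, settings = line.partition("Cookie settings:")
    if not found:
        raise ValueError("not a Cookie settings line")
    # Tokens look like key:value; the value may be empty (that is the bug's symptom).
    fields = dict(re.findall(r"(\S+?):(\S*)", settings))
    fields["domains"] = [d for d in fields.get("domains", "").split(",") if d]
    return fields


def domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def uncovered_hosts(line, hosts=FLOW_HOSTS):
    """Return the hosts the session/CSRF cookie would not be sent to (empty == OK)."""
    domains = parse_cookie_settings(line)["domains"]
    if not domains:
        # Host-only cookie: it never leaves the host that set it, so a flow that
        # spans more than one host cannot find its CSRF cookie on the callback.
        return list(hosts) if len(hosts) > 1 else []
    return [h for h in hosts if not any(domain_matches(d, h) for d in domains)]


if __name__ == "__main__":
    for label, line in (("env var only", LOG_WITHOUT_FLAG), ("--cookie-domain", LOG_WITH_FLAG)):
        missing = uncovered_hosts(line)
        print(f"{label}: " + ("OK" if not missing else "cookie not shared with " + ", ".join(missing)))
```

Run it against `docker logs oauth2-proxy` output after each deploy to catch an empty `domains:` before users hit the CSRF error.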
Steps To Reproduce
Prerequisites
My identity-provider: Authentik
- Docker version 27.3.1, build ce12230
- Docker Compose version v2.29.7
- oauth2-proxy v7.12.0 (built with go1.24.6)
- traefik:v3.2.0
Linux raspberrypi 6.6.51+rpt-rpi-2712 #1 SMP PREEMPT Debian 1:6.6.51-1+rpt3 (2024-10-08) aarch64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
.env
OAUTH2_PROXY_UPSTREAMS=static://202
OAUTH2_PROXY_PROVIDER=oidc
OAUTH2_PROXY_OIDC_ISSUER_URL=https://sub.example.com/application/o/myApp/
OAUTH2_PROXY_CLIENT_ID=xxxx
OAUTH2_PROXY_CLIENT_SECRET=xxxx
OAUTH2_PROXY_COOKIE_NAME=_oauth2_proxy
OAUTH2_PROXY_COOKIE_SECRET=<secret>
OAUTH2_PROXY_COOKIE_DOMAIN=.example.com
OAUTH2_PROXY_WHITELIST_DOMAINS=.example.com,example.com
OAUTH2_PROXY_COOKIE_SECURE=true
OAUTH2_PROXY_COOKIE_SAMESITE=none
OAUTH2_PROXY_COOKIE_REFRESH=5m
OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=false
OAUTH2_PROXY_COOKIE_CSRF_EXPIRE=5m
OAUTH2_PROXY_SESSION_STORE_TYPE=cookie
OAUTH2_PROXY_REDIRECT_URL=https://sub.example.com/oauth2/callback
OAUTH2_PROXY_EMAIL_DOMAINS=*
OAUTH2_PROXY_SCOPE=openid email profile
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_PASS_USER_HEADERS=true
OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_PASS_HOST_HEADER=true
OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
OAUTH2_PROXY_LOGGING_LEVEL=info
docker-compose.yml
version: '3.9'
services:
  # Traefik
  traefik:
    image: traefik:v3.2.0
    container_name: traefik
    restart: always
    env_file:
      - .traefik.env
    command:
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.myresolver.acme.email=you@example.com
      - --certificatesresolvers.myresolver.acme.storage=/srv/authority/acme.json
      - --certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh
    ports:
      - 80:80
      - 443:443
    volumes:
      - /srv/authority:/srv/authority
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-dashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.traefik-dashboard.entrypoints=websecure
      - traefik.http.routers.traefik-dashboard.tls.certresolver=myresolver
      - traefik.http.routers.traefik-dashboard.service=api@internal
      - traefik.http.routers.traefik-dashboard.middlewares=oauth-auth@docker
    networks:
      web:
        aliases:
          - traefik
  # Whoami
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=myresolver
      - traefik.http.routers.whoami.middlewares=oauth-auth@docker
      - traefik.http.services.whoami.loadbalancer.server.port=80
    networks:
      web:
        aliases:
          - whoami
  # OAuth2 Proxy
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0-arm64
    container_name: oauth2-proxy
    restart: always
    env_file:
      - .oauth2-proxy.env
    labels:
      - traefik.enable=true
      - traefik.http.routers.oauth2.rule=Host(`oauth2.example.com`)
      - traefik.http.routers.oauth2.entrypoints=websecure
      - traefik.http.routers.oauth2.tls.certresolver=myresolver
      - traefik.http.middlewares.oauth-auth.forwardauth.address=http://oauth2-proxy:4180/
      - traefik.http.middlewares.oauth-auth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth-auth.forwardauth.authResponseHeaders=Authorization,X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Groups,X-Auth-Request-Access-Token
      - traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180
    networks:
      web:
        aliases:
          - oauth2-proxy
networks:
  web:
    external: true
    driver: bridge
docker compose up -d
docker logs oauth2-proxy
Possible Solutions
A temporary workaround is to specify the cookie domain directly in the command section of the Docker Compose file, like so:
docker-compose.yml
services:
  oauth2-proxy:
    command:
      - --cookie-domain=.example.com
instead of OAUTH2_PROXY_COOKIE_DOMAIN.
Configuration details or additional information
No response