Skip to main content

What's changing?

We're updating our platform's authentication setup. The only visible change is a switch in which headers carry user identity information. Today, if you have set the setXAuthRequestHeaders property to true in radixconfig.yaml, your application receives both X-Auth-Request-* and X-Forwarded-* identity headers like:

  • X-Auth-Request-User
  • X-Forwarded-User

After migrating to the new setup, only X-Forwarded-* headers will remain.

info

For now you can choose to opt-in to this change, but this migration will be enforced for all applications in two weeks on February 16th.

Why this change is happening

Ingress-nginx, our current ingress controller, will be retired in March 2026. To prepare for this, we're upgrading our infrastructure to use a new ingress controller called Istio, which will improve performance and reliability.

This upgrade requires us to update how OAuth2Proxy operates. Currently, it relies on nginx-specific directives that are not compatible with Istio. To make it compatible with our new infrastructure, we're moving the OAuth2Proxy from sidecar mode to proxy mode. As a side effect of this architectural change, the headers carrying user information will change from X-Auth-Request-* to X-Forwarded-* headers.

What do you need to do?

If you have not set the setXAuthRequestHeaders property (or set it to false), you do not have to do anything. If you have set it to true and your application reads user information from request headers, update it to use X-Forwarded-* instead of X-Auth-Request-*. Currently both header types are available. This is the only required code change.

How to enable the new header format (opt-in)

Currently both header formats exist (with the same values), so you can safely test before opting in. You choose when to switch by adding the radix.equinor.com/preview-oauth2-proxy-mode annotation to your radixconfig.yaml file. The value for this annotation is a comma-separated list of environments where you want to enable proxy mode. You can also set a wildcard (*) to cover all environments.

Important

After adding the annotation you need to deploy your application to the affected environments again.

apiVersion: radix.equinor.com/v1
kind: RadixApplication
metadata:
  name: my-app
  annotations:
    radix.equinor.com/preview-oauth2-proxy-mode: "dev,qa"

What to expect during the switch

There may be a couple of seconds of downtime during the switch. After the switch, Only X-Forwarded-* headers remain. No changes to login flow, authentication prompts, or tokens.

Summary

You need to:

  • Update your app to read X-Forwarded-* headers
  • Add the opt‑in annotation when ready
  • Redeploy your application