400 Bad Request authorization error


What happened?

I tried to secure an application with Pomerium but I am getting a 400 Bad Request page after entering my email and password. I have uploaded an image showing the same.

What did you expect to happen?

I was expecting to be directed to the service I had defined in the routes config and to access the page successfully.

How’d it happen?

I used YAML deployment files to define proxy, authenticate, authorize and databroker. Then I applied all the files together with the ingresses because I am using an external ingress controller.

What’s your environment like?

  • Pomerium version (`pomerium:latest` image):
  • Azure kubernetes cluster

What’s your config.yaml?

```yaml
# Paste your configs here
# Be sure to scrub any sensitive values
    # XXXXXXXXXXXXXXXXXXX AUTHENTICATE CONFIGS XXXXXXXXXXXXXXXXXXXX
    authenticate_service_url: "https://authenticate.pomerium.staging.kenya.co"
    idp_provider: "azure"
    idp_client_id: "XXXXX"
    idp_client_secret: "XXXXX"
    idp_provider_url: "https://login.microsoftonline.com/XXX/v2.0"
    idp_scopes: ["openid", "email", "profile"]
    cookie_domain: ".pomerium.staging.kenya.co"
    #shared_secret: "XXX"
    cookie_secret: "XXX"
    databroker_storage_connection_string: "redis://redis-cluster-ip-service.staging.svc.cluster.local:6379/0"
    insecureProxy: true
    certificate_file: "/etc/pomerium/tls/tls.crt"
    certificate_key_file: "/etc/pomerium/tls/tls.key"

    # xxxxxxxxxxxxx  PROXY CONFIGS XXXXXXXXXXXXX

    authenticate_service_url: "https://authenticate.pomerium.staging.kenya.co"
    authorize_service_url: "https://pomerium-authorize.staging.svc.cluster.local:443"
    #databroker_storage_connection_string: "redis://redis-cluster-ip-service.staging.svc.cluster.local:6379/0"
    databroker_service_url: "https://pomerium-databroker.staging.svc.cluster.local"
    cookie_domain: ".pomerium.staging.kenya.co"
    shared_secret: "xxxxxxx"
    cookie_secret: "xxxxx"
    insecureProxy: true
    certificate_file: "/etc/pomerium/tls/tls.crt"
    certificate_key_file: "/etc/pomerium/tls/tls.key"
    routes:
      - from: "https://prometheus.pomerium.staging.kenya.co"
        to: "http://prometheus-server.staging.svc.cluster.local:80"
        preserve_host_header: true
        policy:
          - allow:
              or:
                - email:
                    is: frank.mogaka@prom.co.ke
```

What did you see in the logs?

```logs
# Paste your logs here.
# Be sure to scrub any sensitive values
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"server_name":"all","service":"authorize","request-id":"c5eb9cbb-b058-43e0-89a7-816d005dd8ce","check-request-id":"c5eb9cbb-b058-43e0-89a7-816d005dd8ce","method":"GET","path":"/.pomerium/favicon.ico","host":"authenticate.pomerium.staging.kenya.co","ip":"10.244.4.70","user":"","email":"","allow":true,"allow-why-true":["pomerium-route"],"deny":false,"deny-why-false":[],"time":"2025-06-13T08:44:50Z","message":"authorize check"}
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"server_name":"all","grpc.service":"envoy.service.auth.v3.Authorization","grpc.method":"Check","grpc.code":"OK","grpc.duration":0.293559,"time":"2025-06-13T08:44:50Z","message":"finished call"}
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"server_name":"all","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"authenticate.pomerium.staging.kenya.co","path":"/.pomerium/favicon.ico","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","referer":"https://authenticate.pomerium.staging.kenya.co/.pomerium/sign_in","forwarded-for":"105.29.166.162,10.244.4.70","request-id":"c5eb9cbb-b058-43e0-89a7-816d005dd8ce","duration":1.893317,"size":1808,"response-code":200,"response-code-details":"via_upstream","time":"2025-06-13T08:44:51Z","message":"http-request"}
```

Additional context

Kindly note that when I access only the URL for authenticate (https://authenticate.pomerium.staging.kenya.co/), I sign in successfully and it even gives all the user details. The problem comes when I start from prometheus.pomerium.staging.kenya.co and sign in with email successfully.

Kindly help me; this thing is eating my head. I think I am stuck on the last step.

  1. Are you running Pomerium in split mode? This is an extremely advanced mode that is only reserved for special deployments with direct support from us. Please kindly use the recommended all-in-one deployment mode.
  2. Are you running Pomerium in Kubernetes? Please use ingress controller mode.
  3. Please provide the log for the request itself. Please note the request-id in the error screenshot - the log snippet you provided is not for the request you presented, so I do not see the underlying error.
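
Item 3 of the reply asks for the log entries that belong to the failing request. The following is an added example (not part of the thread and not Pomerium tooling) that groups JSON log lines by `request-id` and surfaces the requests that ended in an error response or a deny; the sample lines are constructed in the shape of the entries quoted above, with made-up request IDs and hosts.

```python
import json
from collections import defaultdict

# Constructed sample lines modelled on the log entries quoted in the report.
# Request IDs, hosts and the 400 entry are invented for illustration.
SAMPLE_LOGS = """\
{"level":"info","service":"authorize","request-id":"req-aaaa","check-request-id":"req-aaaa","method":"GET","path":"/.pomerium/favicon.ico","host":"authenticate.example.test","allow":true,"allow-why-true":["pomerium-route"],"deny":false,"deny-why-false":[],"message":"authorize check"}
{"level":"info","grpc.service":"envoy.service.auth.v3.Authorization","grpc.method":"Check","grpc.code":"OK","message":"finished call"}
{"level":"info","service":"envoy","method":"GET","authority":"authenticate.example.test","path":"/.pomerium/favicon.ico","request-id":"req-aaaa","response-code":200,"response-code-details":"via_upstream","message":"http-request"}
not json: startup banner
{"level":"info","service":"envoy","method":"GET","authority":"authenticate.example.test","path":"/.pomerium/sign_in","request-id":"req-bbbb","response-code":400,"response-code-details":"via_upstream","message":"http-request"}
"""


def group_by_request_id(text):
    """Parse JSON-lines logs and bucket entries by their request-id field."""
    groups = defaultdict(list)
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip banners and other non-JSON output
        if not isinstance(entry, dict):
            continue
        rid = entry.get("request-id") or entry.get("check-request-id")
        if rid:  # entries without an ID (e.g. gRPC "finished call") cannot be correlated
            groups[rid].append(entry)
    return dict(groups)


def failed_requests(groups):
    """Return the request IDs (with their entries) that hit a 4xx/5xx or a deny."""
    failed = {}
    for rid, entries in groups.items():
        for e in entries:
            code = e.get("response-code")
            if (isinstance(code, int) and code >= 400) or e.get("deny") is True:
                failed[rid] = entries
                break
    return failed


if __name__ == "__main__":
    for rid, entries in failed_requests(group_by_request_id(SAMPLE_LOGS)).items():
        for e in entries:
            print(rid, e.get("service"), e.get("path"),
                  e.get("response-code"), e.get("message"))
```

With the request-id shown on the error page, `group_by_request_id(logs).get(request_id)` returns every authorize and envoy entry for that one request.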