400 Bad Request authorization error


What happened?

I tried to secure an application with Pomerium but am getting a 400 Bad Request page after entering my email and password. I have uploaded an image showing the same.

What did you expect to happen?

I was expecting to be directed to the service I had defined in the routes configs and access the page successfully

How’d it happen?

I used YAML deployment files to define proxy, authenticate, authorize and databroker. Then I applied all the files together with the ingresses, because I am using an external ingress controller.

What’s your environment like?

  • Pomerium version (pomerium:latest image):
  • Azure kubernetes cluster

What’s your config.yaml?

```yaml
# Paste your configs here
# Be sure to scrub any sensitive values

# XXXXXXXXXXXXXXXXXXX AUTHENTICATE CONFIGS XXXXXXXXXXXXXXXXXXXX
authenticate_service_url: "https://authenticate.pomerium.staging.kenya.co"
idp_provider: "azure"
idp_client_id: "XXXXX"
idp_client_secret: "XXXXX"
idp_provider_url: "https://login.microsoftonline.com/XXX/v2.0"
idp_scopes: ["openid", "email", "profile"]
cookie_domain: ".pomerium.staging.kenya.co"
#shared_secret: "XXX"
cookie_secret: "XXX"
databroker_storage_connection_string: "redis://redis-cluster-ip-service.staging.svc.cluster.local:6379/0"
insecureProxy: true
certificate_file: "/etc/pomerium/tls/tls.crt"
certificate_key_file: "/etc/pomerium/tls/tls.key"
```

```yaml
# xxxxxxxxxxxxx  PROXY CONFIGS XXXXXXXXXXXXX
authenticate_service_url: "https://authenticate.pomerium.staging.kenya.co"
authorize_service_url: "https://pomerium-authorize.staging.svc.cluster.local:443"
#databroker_storage_connection_string: "redis://redis-cluster-ip-service.staging.svc.cluster.local:6379/0"
databroker_service_url: "https://pomerium-databroker.staging.svc.cluster.local"
cookie_domain: ".pomerium.staging.kenya.co"
shared_secret: "xxxxxxx"
cookie_secret: "xxxxx"
insecureProxy: true
certificate_file: "/etc/pomerium/tls/tls.crt"
certificate_key_file: "/etc/pomerium/tls/tls.key"
routes:
  - from: "https://prometheus.pomerium.staging.kenya.co"
    to: "http://prometheus-server.staging.svc.cluster.local:80"
    preserve_host_header: true
    policy:
      - allow:
          or:
            - email:
                is: frank.mogaka@prom.co.ke
```

## What did you see in the logs?

```logs
# Paste your logs here.
# Be sure to scrub any sensitive values
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"server_name":"all","service":"authorize","request-id":"c5eb9cbb-b058-43e0-89a7-816d005dd8ce","check-request-id":"c5eb9cbb-b058-43e0-89a7-816d005dd8ce","method":"GET","path":"/.pomerium/favicon.ico","host":"authenticate.pomerium.staging.kenya.co","ip":"10.244.4.70","user":"","email":"","allow":true,"allow-why-true":["pomerium-route"],"deny":false,"deny-why-false":[],"time":"2025-06-13T08:44:50Z","message":"authorize check"}
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"server_name":"all","grpc.service":"envoy.service.auth.v3.Authorization","grpc.method":"Check","grpc.code":"OK","grpc.duration":0.293559,"time":"2025-06-13T08:44:50Z","message":"finished call"}
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"server_name":"all","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"authenticate.pomerium.staging.kenya.co","path":"/.pomerium/favicon.ico","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","referer":"https://authenticate.pomerium.staging.kenya.co/.pomerium/sign_in","forwarded-for":"105.29.166.162,10.244.4.70","request-id":"c5eb9cbb-b058-43e0-89a7-816d005dd8ce","duration":1.893317,"size":1808,"response-code":200,"response-code-details":"via_upstream","time":"2025-06-13T08:44:51Z","message":"http-request"}
```

## Additional context
Kindly note that when I access only the URL for authenticate (https://authenticate.pomerium.staging.kenya.co/), I sign in successfully and it even shows all the user details. The problem comes when I start from prometheus.pomerium.staging.kenya.co and sign in with email successfully.

Kindly help me, this thing is eating my head. I think I am stuck on the last step.

  1. Are you running Pomerium in split mode? This is an extremely advanced mode that is only reserved for special deployments with direct support from us. Please kindly use the recommended all-in-one deployment mode.
  2. Are you running Pomerium in Kubernetes? Please use ingress controller mode.
  3. Please provide the log for the request itself. Please note the request-id in the error screenshot: the log snippet you provided is not for the request you presented, so I do not see the underlying error.
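To act on point 3, here is an added Python example (not Pomerium's own tooling) that joins the `authorize check` record and the Envoy `http-request` record sharing one `request-id`, so the decision, its reasons and the response code can be read off for the id shown on the error page. The log lines are constructed to match the field names quoted in this thread; hosts and ids are made up.

```python
import json

# Constructed sample lines in the shape of the Pomerium JSON logs quoted above
# (same field names; hosts, ids and values are made up for this example).
SAMPLE_LOGS = """\
{"service":"authorize","request-id":"req-1","method":"GET","path":"/.pomerium/favicon.ico","host":"authenticate.example.test","email":"","allow":true,"allow-why-true":["pomerium-route"],"deny":false,"deny-why-false":[],"message":"authorize check"}
{"service":"envoy","request-id":"req-1","authority":"authenticate.example.test","path":"/.pomerium/favicon.ico","response-code":200,"message":"http-request"}
{"service":"authorize","request-id":"req-2","method":"GET","path":"/","host":"app.example.test","email":"someone@example.test","allow":false,"allow-why-false":["email-unauthorized"],"deny":false,"deny-why-false":[],"message":"authorize check"}
{"service":"envoy","request-id":"req-2","authority":"app.example.test","path":"/","response-code":403,"message":"http-request"}
{"service":"envoy","request-id":"req-3","authority":"app.example.test","path":"/","response-code":400,"message":"http-request"}
this line is not JSON and is skipped
"""


def parse_lines(text):
    """Yield one dict per valid JSON line; silently skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def trace_request(text, request_id):
    """Join the authorize decision and the Envoy access log for one request-id.

    'decision' stays None when no 'authorize check' record carries this id,
    i.e. the request was answered without a policy evaluation being logged.
    """
    out = {"request_id": request_id, "decision": None, "reasons": [],
           "host": None, "path": None, "response_code": None}
    for rec in parse_lines(text):
        if rec.get("request-id") != request_id:
            continue
        if rec.get("message") == "authorize check":
            out["decision"] = "allow" if rec.get("allow") else "deny"
            # Pomerium explains its verdict in the *-why-* lists; keep the non-empty ones.
            out["reasons"] = [r for k, v in rec.items()
                              if k.startswith(("allow-why-", "deny-why-")) for r in v]
            out["host"], out["path"] = rec.get("host"), rec.get("path")
        elif rec.get("message") == "http-request":
            out["response_code"] = rec.get("response-code")
            out["host"] = out["host"] or rec.get("authority")
            out["path"] = out["path"] or rec.get("path")
    return out
```

Feed it the pod logs of the all-in-one deployment and the request-id from the error page; an id with an `http-request` line but no `authorize check` line tells you the answer was produced before any policy decision was logged.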

I have tried installing with Helm, and here is the values.yaml that I used.

What’s your values.yaml?

```yaml
# Pomerium Helm chart configuration
image:
  repository: pomerium/pomerium
  tag: latest
  pullPolicy: IfNotPresent

# Enable Ingress Controller mode
ingressController:
  enabled: true
  operatorMode: true
  ingressClass:
    name: pomerium
    controllerValue: "pomerium.io/ingress-controller"
  ingressClassResource:
    defaultCertSecret: pomerium-staging-kenya-co

redis:
  enabled: false
  #generateTLS: true

config:
  rootDomain: "pomerium.staging.kenya.co"
  generateTLS: true
  sharedSecret: "xxx"
  cookieSecret: "xxx"
  insecureProxy: true
  databrokerStorageConnectionString: "redis://redis-cluster-ip-service.staging.svc.cluster.local:6379/0"
  tls_skip_verify: true
  #existingSecret: "pomerium-staging-kenya-co"

authenticate:
  url: "https://authenticate.pomerium.staging.kenya.co"
  idp:
    provider: azure
    clientID: "xxx"
    clientSecret: "xxx"
    url: "https://login.microsoftonline.com/xxx/v2.0"
    callbackURL: "https://authenticate.pomerium.staging.kenya.co/oauth2/callback"

  ingress:
    enabled: true
    #className: pomerium
    annotations:
      kubernetes.io/ingress.class: pomerium
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/ssl-verify: "false"
    hosts:
      - host: "authenticate.pomerium.staging.kenya.co"
        paths:
          - path: /
            pathType: Prefix
    # tls is a list of {secretName, hosts} entries; a second "hosts" key
    # at the same level as the one above would be a duplicate key in YAML
    tls:
      - secretName: "pomerium-staging-kenya-co"
        hosts:
          - "authenticate.pomerium.staging.kenya.co"

  # No global routes; define policies in Ingress resources
  routes: []

#ingress:
#  enabled: false

proxy:
  service:
    type: ClusterIP
```

With this, all the services and the ingress controller are created.

I am trying to secure a Jupyter notebook, and the only problem I am having is that I am not able to access the host URL (authenticate.pomerium.staging.kenya.co) or even the ingress URL for the Jupyter notebook as defined below.

What’s your ingress.yaml?

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jnyamburi-applications-0-pomerium-ingress
  namespace: staging
  annotations:
    ingress.pomerium.io/policy: |
      - allow:
          or:
            - user:
                is: XX
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  ingressClassName: pomerium
  rules:
  - host: jnyamburi-applications-0.staging.kenya.co
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: jnyamburi-applications-0-service
            port:
              number: 8888
  tls:
  - hosts:
    - jnyamburi-applications-0.staging.kenya.co
    secretName: staging-kenya-co
```

Databroker Logs?

```logs
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"syncer_id":"databroker","syncer_type":"type.googleapis.com/pomerium.config.Config","service":"databroker","config":"databroker","checksum":"5d7f917b0d62e5fb","time":"2025-06-23T09:29:44Z","message":"config: updated config"}
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"syncer_id":"databroker","syncer_type":"type.googleapis.com/pomerium.config.Config","hash":3218169188651575581,"time":"2025-06-23T09:29:44Z","message":"config/filewatchersource: underlying config change, triggering update"}
{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"syncer_id":"databroker","syncer_type":"type.googleapis.com/pomerium.config.Config","time":"2025-06-23T09:29:44Z","message":"metrics: http server disabled"}
{"level":"error","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"syncer_id":"databroker","syncer_type":"type.googleapis.com/pomerium.config.Config","error":"error receiving sync record: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: NO_ERROR","time":"2025-06-23T09:39:44Z","message":"sync"}
```

Kindly note that earlier it was using an external nginx ingress controller.