looping to login page after azure oidc authenticate successfully #8182

Open
ChuckPerry opened this issue Dec 16, 2024 · 1 comment

Comments

@ChuckPerry

Summary
Kubeapps returns to the login page after successful Azure OAuth/OIDC authentication.

Background and rationale

Running environment ==> AKS
helm chart version: bitnami/kubeapps:17.0.3
web controller: cloudflare

Description
I cannot log in to Kubeapps, but I can see that my user account has been authenticated successfully, and there is no error in the Kubeapps logs.

Acceptance criteria

azureststest01@E-5CG234278R:~/kubeapps$ kubectl get pod -n kubeapp
NAME                                                          READY   STATUS      RESTARTS        AGE
apprepo-kubeapp-sync-bitnami-28905700-8t677                   0/1     Completed   0               25m
apprepo-kubeapp-sync-bitnami-28905710-f42fq                   0/1     Completed   0               15m
apprepo-kubeapp-sync-bitnami-28905720-whlt9                   0/1     Completed   0               5m3s
cloudflared-6b5fc5f88-59mb4                                   1/1     Running     0               3d14h
cloudflared-6b5fc5f88-8vghn                                   1/1     Running     0               4d7h
kubeapp-postgresql-0                                          1/1     Running     0               4d3h
kubeapp-redis-master-0                                        1/1     Running     0               4d7h
kubeapps-595b7dd65f-6j6nh                                     2/2     Running     0               99m
kubeapps-595b7dd65f-n6fcm                                     2/2     Running     0               99m
kubeapps-internal-apprepository-controller-7d4fd6d774-fggj9   1/1     Running     0               4d7h
kubeapps-internal-apprepository-controller-7d4fd6d774-v9r2p   1/1     Running     0               3d14h
kubeapps-internal-dashboard-64d587f854-bmclf                  1/1     Running     0               7h33m
kubeapps-internal-dashboard-64d587f854-xwcwd                  1/1     Running     0               7h33m
kubeapps-internal-kubeappsapis-f656856cd-ds9r2                1/1     Running     0               4d7h
kubeapps-internal-kubeappsapis-f656856cd-gvzsx                1/1     Running     0               3d14h

Additional context

Helm chart values

authProxy:
  enabled: true
  image:
    registry: docker.io
    repository: bitnami/oauth2-proxy
    tag: 7.6.0-debian-12-r21
    digest: ""
    pullPolicy: IfNotPresent
    pullSecrets: []
  external: false
  oauthLoginURI: /oauth2/start
  oauthLogoutURI: /oauth2/sign_out
  skipKubeappsLoginPage: false
  provider: "oidc"
  clientID: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  clientSecret: "xxxxxxxxxxxxxxxxxxxxx"
  cookieSecret: "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
  existingOauth2Secret: ""
  cookieRefresh: 2m
  scope: "email openid User.Read"
  emailDomain: "*"
  extraFlags:
    - --oidc-issuer-url=https://login.microsoftonline.com/92e84ceb-xxxxxxxxxxxxxxxxxxxxxxx/v2.0
    - --session-store-type=redis
    - --redis-connection-url=redis://kubeapp-redis-master.kubeapp
    - --show-debug-on-error=true
    - --errors-to-info-log=true
    - --cookie-secure=true
    - --redirect-url=https://xxxxxxxxxxxxxxxxxx.com/oauth2/callback
  lifecycleHooks: {}
  command: []
  args: []
  extraEnvVars: []
  extraEnvVarsCM: ""
  extraEnvVarsSecret: ""
  extraVolumeMounts: []
  containerPorts:
    proxy: 3000
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  resourcesPreset: "micro"
  resources: {}

the auth-proxy output

azureststest01@E-5CG234278R:~/kubeapps$ kubectl logs -f -n kubeapp -l app.kubernetes.io/component=frontend -c auth-proxy

10.244.1.55:40546 - 16571b71-7d6e-4c7f-be9a-a7f8830f4a1e - - [2024/12/16 09:47:23] kubeapps@[my-org] GET - "/oauth2/start" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 302 411 0.000
10.244.1.55:40546 - e6e1e163-2c73-4871-b86e-168d9939e762 - kubeapp@[my-org] [2024/12/16 09:47:27] [AuthSuccess] Authenticated via OAuth2: Session{email:kubeapps@[my-org] user:58SWTmVh6cp9TrR2f-A6UP5uXhziA PreferredUsername: token:true id_token:true created:2024-12-16 09:47:27.27009189 +0000 UTC m=+4938.552312751 expires:2024-12-16 11:07:51.020408263 +0000 UTC m=+9762.302629224}
10.244.1.55:40546 - e6e1e163-2c73-4871-b86e-168d9939e762 - - [2024/12/16 09:47:26] kubeapps.[my-org] GET - "/oauth2/callback?code=1.xxxxxxxxxxxxxxxxxxxxxxxxxxxx" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 302 24 1.215
10.244.1.55:40546 - 0f0b9e37-e35a-4b04-b227-2eaffedbb50a - kubeapp@[my-org] [2024/12/16 09:47:27] kubeapps@[my-org] GET / "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 200 208 0.003
10.244.1.55:40546 - 0eac4af9-fd18-4e11-890c-548034944c50 - kubeapp@[my-org] [2024/12/16 09:47:30] kubeapps@[my-org] GET / "/config.json" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 200 678 0.003
10.244.1.55:40546 - 3bafcbc5-f459-4c50-8cc7-0fb74625b397 - kubeapp@[my-org] [2024/12/16 09:47:30] kubeapps@[my-org] GET / "/custom_locale.json" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 200 2 0.046
10.244.1.55:40546 - 65349ca8-8c02-430e-96ce-20c6227f9842 - kubeapp@[my-org] [2024/12/16 09:47:31] kubeapps@[my-org] GET / "/favicon.ico" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 304 0 0.004
10.244.1.55:40546 - ae7dc090-3bfd-41fb-ae9f-169a214fa5f2 - kubeapp@[my-org] [2024/12/16 09:47:31] kubeapps@[my-org] POST / "/apis/kubeappsapis.core.plugins.v1alpha1.PluginsService/GetConfiguredPlugins" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 200 92 0.002
10.244.1.55:40546 - c9e08271-8526-46bc-b019-0a519600ef42 - kubeapp@[my-org] [2024/12/16 09:47:31] kubeapps@[my-org] POST / "/apis/kubeappsapis.plugins.resources.v1alpha1.ResourcesService/CheckNamespaceExists" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0" 200 0 0.103

ID token claims (decoded)

{
  "iss": "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxx/v2.0",
  "iat": 1734075588,
  "nbf": 1734075588,
  "exp": 1734079488,
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "https://graph.windows.net/xxxxxxxxxxxxxxxxxxxx/users/00000000-0000-0000-0000-000000000000/getMemberObjects"
    }
  },
  "aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "email": "kubeapp@[my-org]",
  "rh": "1.AREA60zokv37q0e-UggMa4eVPwFib25Vo6FIrfjKRQMBvxARABcRAA.",
  "sub": "58SWTmVh6cp9TILf5XU1U64atpsrR2f-A6UP5uXhziA",
  "tid": "xxxxxxxxxxxxxxxxxxxx",
  "uti": "v3web9Qor0WYd2oy_HoKAA",
  "ver": "2.0",
  "wids": [
    "xxxxxxxxxxxxxxxxxxxxx"
  ]
}

Others

I had tried a different Azure App Registration, but the same issue occurs even though the App Registration works for other apps.
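An added example, not from the issue author or the Kubeapps project: when an OIDC login "succeeds" at the proxy but the application still shows its login page, the first thing to inspect is the ID token the proxy accepted. The script below decodes a token's payload without verifying the signature (that needs the issuer's JWKS, so it is for inspection only) and checks the claims an OIDC reverse proxy such as oauth2-proxy relies on for the session: `iss` must match `--oidc-issuer-url` exactly, `exp`/`nbf` must bracket the current time, an `email` claim must be present (oauth2-proxy's default identity claim), and it flags when Azure delivered groups by reference (`_claim_names`/`_claim_sources`, the "groups overage" case visible in the token pasted above) rather than inline. The sample token is constructed from the claims shown in the issue with placeholder values and a dummy signature; the issuer, tenant and subject are assumptions.

```python
import base64
import json
import time

# Assumed placeholder issuer (tenant id is a dummy value, not the reporter's).
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"

# Constructed sample claims modelled on the decoded token in the issue.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "iat": 1734075588,
    "nbf": 1734075588,
    "exp": 1734079488,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/<tenant>/users/<oid>/getMemberObjects"}
    },
    "email": "kubeapp@example.org",
    "sub": "placeholder-subject",
    "tid": "00000000-0000-0000-0000-000000000000",
    "ver": "2.0",
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    """Re-add the padding that compact JWS strips before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_sample_token(claims: dict) -> str:
    """Build a JWT-shaped token with a dummy signature (NOT a real Azure token)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"not-a-real-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims. Signature is deliberately NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, expected_issuer: str, now: int) -> list:
    """Return findings relevant to an OIDC proxy session; an empty list means the claims look usable."""
    c = decode_claims(token)
    findings = []
    # oauth2-proxy's OIDC provider rejects tokens whose iss differs from --oidc-issuer-url.
    if c.get("iss") != expected_issuer:
        findings.append(f"issuer mismatch: token iss={c.get('iss')!r}, expected {expected_issuer!r}")
    if "exp" not in c or c["exp"] <= now:
        findings.append("token expired (exp <= now) or has no exp claim")
    if "nbf" in c and c["nbf"] > now:
        findings.append("token not yet valid (nbf > now)")
    if not c.get("email"):
        findings.append("no email claim: oauth2-proxy's default user identity claim is missing")
    # Azure omits 'groups' and emits a claim reference when the user exceeds the group limit.
    if "groups" not in c and "groups" in c.get("_claim_names", {}):
        src = c["_claim_names"]["groups"]
        endpoint = c.get("_claim_sources", {}).get(src, {}).get("endpoint")
        findings.append(f"groups delivered by reference (overage), not inline: {endpoint}")
    return findings


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    for finding in check_id_token(token, ISSUER, int(time.time())):
        print("-", finding)
```

Run against a real token, paste the middle (payload) segment only; the check reports the groups-by-reference case for the sample, and reports expiry once `now` passes `exp`, which is what the 1h05m `expires` timestamp in the `[AuthSuccess]` log line above corresponds to. Anything downstream that expects group membership inside the token will not find it when the overage claim is present.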

@ChuckPerry (Author)

I found there is an error thrown by the web browser:
[image]
Not sure if this is the root cause.
