OpenID Connect AuthService for Ambassador and Emissary ingress API Gateway

atolia/ambassador-auth-oidc

OpenID Connect for Ambassador Gateway and Emissary ingress

Emissary ingress and Ambassador support the ExtAuth service. This project can serve as that Auth module: every request passes through it, and any unauthenticated user is redirected to an identity provider such as Auth0.

Ambassador-Auth-OIDC offers OpenID Connect support as Ambassador API Gateway's AuthService manifest.

OpenID Connect

OpenID Connect (OIDC) is an authentication layer on top of the OAuth 2.0 protocol. As OAuth 2.0 is fully supported by OpenID Connect, existing OAuth 2.0 implementations work with it out of the box.

Currently it supports only OIDC's Authorization Code Flow, which is similar to the OAuth 2.0 Authorization Code Grant. There is no immediate plan to support the implicit or hybrid flows, but pull requests are more than welcome!

Example auth flow

Options

The following environment variables are used by the software.

Compulsory

  • OIDC_PROVIDER URL of your OIDC provider, for example: https://you.eu.auth0.com/
  • OIDC_SCOPES OIDC scopes requested for userinfo, for example: "profile email"
  • CLIENT_ID Client ID for your application (issued by your OIDC provider)
  • CLIENT_SECRET Client secret for your application
  • REDIS_ADDRESS Address of your Redis instance, IP or hostname

Optional

  • REDIS_PASSWORD Password for your Redis instance
  • PORT Port to listen on for requests. Default is 8080.
  • JWT_HMAC_SECRET HMAC secret key used to sign JSON Web Tokens. Must be at least 64 characters long. If it is shorter or not set, a random one is generated at startup.
  • LOGOUT_COOKIE Set to 'true' to wipe the old cookie on logout. This forces the browser to log in again the next time your application is visited. Not enabled by default.
  • COOKIE_NAME Name of the cookie set after successful authentication. Default "auth"
  • BASIC_AUTH Space-separated list of user:password pairs (for example export BASIC_AUTH="wally:eve2198.") that are allowed access without a cookie. Default ""
  • LOGIN_URL, LOGOUT_URL URLs that initiate login and logout. Defaults are /login/oidc and /logout/oidc
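The per-request decision described above (a valid signed cookie lets the request through to the upstream, anything else is redirected to LOGIN_URL), as an added Go example that is not code from this project. It assumes the cookie value is an HS256 JWT signed with JWT_HMAC_SECRET, uses only the standard library, and leaves out the Redis session lookup and BASIC_AUTH fallback; all function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256, the
// shape an auth cookie signed with JWT_HMAC_SECRET would have (hypothetical helper).
func signHS256(claims map[string]interface{}, secret []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(claims)
	signingInput := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}

// verifyHS256 checks the signature in constant time and the exp claim; claims are returned only on success.
func verifyHS256(token string, secret []byte, now time.Time) (map[string]interface{}, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, false // forged, tampered, or signed with a different key
	}
	var claims map[string]interface{}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, false
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, false // missing or past expiry counts as unauthenticated
	}
	return claims, true
}

// authorize is the ExtAuth decision for one request, given the value of the COOKIE_NAME cookie.
func authorize(cookie, loginURL string, secret []byte, now time.Time) (int, string) {
	if _, ok := verifyHS256(cookie, secret, now); ok {
		return 200, "" // allow: the gateway forwards the request upstream
	}
	return 302, loginURL // redirect to LOGIN_URL to start the Authorization Code Flow
}
```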

Usage With Ambassador in Kubernetes

If you haven't already, start Ambassador using the official instructions.

After Ambassador is up and running, create the secrets and start the ExtAuth component with the following commands.

kubectl create secret generic ambassador-auth-oidc-ambassador-auth-jwt-key --from-literal=jwt-key=$(openssl rand -base64 64|tr -d '\n ')
kubectl create secret generic k8s-secret-name-with-my-auth0secret-key --from-literal=client-secret=YOUR_OIDC_CLIENT_SECRET
helm install ambassador-auth-oidc helm-chart/ambassador-auth-oidc --values helm-chart/values.yml

Example specs for the auth deployment and auth service can be found in the misc folder.

As binary

Fetch dependencies, build the binary and run it.

cd /path/to/code
go get ./...
go build
./ambassador-auth-oidc

In Docker

Start the container with docker run.

docker run -p 8080:8080 -e OIDC_PROVIDER="https://your-oidc-provider/" -e SELF_URL="http://your-server.com:8080" -e OIDC_SCOPES="profile email" -e CLIENT_ID="YOUR_CLIENT_ID" -e CLIENT_SECRET="YOUR_CLIENT_SECRET" -e REDIS_ADDRESS="redis:6379" -e REDIS_PASSWORD="YOUR_REDIS_PASSWORD" ghcr.io/atolia/ambassador-auth-oidc

Source

This project was forked from ajmyyra/ambassador-auth-oidc

Releases

No releases published

Languages

  • Go 95.4%
  • Dockerfile 3.2%
  • Shell 1.4%