Difference between revisions of "SSO - Single Sign On"
== SSO (Reverse Proxy) Architecture ==
The browser goes to the application URL (1); the reverse proxy redirects it to the IdP (2).
:[[File:ClipCapIt-210922-135600.PNG]]
Example implementations:
* [https://github.com/oauth2-proxy/oauth2-proxy oauth2-proxy]

== [https://github.com/oauth2-proxy/oauth2-proxy oauth2-proxy] reverse proxy ==
:[[File:ClipCapIt-210923-220444.PNG]]
* <code>oidc-issuer-url</code> must match the issuer (<code>iss</code>) claim in your tokens. This is the URL where you host the public OIDC discovery documents you configured.
* <code>client-id</code> must match the audience (<code>aud</code>) claim in your tokens. You set the audience in the Pod spec, in the projected volume details.
* <code>cookie-secret</code> and <code>client-secret</code> don't matter for machine users, but they have to be set for OAuth2-Proxy to start up. Set them to junk data.
* <code>skip-jwt-bearer-tokens</code> is what allows OAuth2-Proxy to verify ID Tokens sent directly in a bearer header. Otherwise it would look for a session cookie for authorization purposes.
* <code>email-domains</code> must be <code>*</code> to support Kubernetes machine users. If you look at the decoded contents of a projected token payload (above), you will notice there is no email claim, hence the <code>*</code> is mandatory.
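The checks the list above describes, written out as an added Python example (this is not code from this wiki page or from the oauth2-proxy project): a bearer-token validator that enforces the same rules, namely that <code>iss</code> must equal the configured issuer URL, that <code>aud</code> must contain the configured client id, and that a Kubernetes projected service-account token carries no <code>email</code> claim, so any email-domain allow-list other than <code>*</code> rejects it. Assumptions: the token is HMAC-SHA256 signed with a constructed shared key (real oauth2-proxy verifies RS256 signatures with keys fetched via the issuer's OIDC discovery document), and the issuer URL, client id and token payload are constructed sample values.

```python
"""Added example: bearer-token checks mirroring the oauth2-proxy settings listed on the page.

Simplification: HS256 with a constructed shared key instead of RS256 with JWKS
from the OIDC discovery document. The validation logic (signature, expiry, iss,
aud, email-domain allow-list) is what the example is meant to show.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key-not-for-real-use"  # constructed shared secret
ISSUER = "https://oidc.example.test"            # constructed; stands in for oidc-issuer-url
CLIENT_ID = "oauth2-proxy"                      # constructed; stands in for client-id (the Pod's projected audience)
NOW = 1_700_000_000                             # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Build a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_bearer(token, key, issuer_url, client_id, email_domains, now=None):
    """Return (accepted, reason), checking in the order a proxy would: signature, expiry, iss, aud, email."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("iss") != issuer_url:          # oidc-issuer-url must equal the iss claim
        return False, "iss mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:                     # client-id must appear in the aud claim
        return False, "aud mismatch"
    if "*" not in email_domains:                 # email-domains other than * need an email claim
        email = claims.get("email")
        if not email or email.rsplit("@", 1)[-1] not in email_domains:
            return False, "email domain not allowed"
    return True, "ok"


def projected_token(aud, iss=ISSUER):
    """Constructed payload shaped like a Kubernetes projected service-account token: no email claim."""
    claims = {
        "iss": iss,
        "aud": [aud],
        "sub": "system:serviceaccount:default:app",
        "iat": NOW,
        "exp": NOW + 3600,
        "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "app"}},
    }
    return sign_token(claims, KEY)


def run_checks():
    """Exercise the accept path and each rejection path; returns {case: (accepted, reason)}."""
    good = projected_token(CLIENT_ID)
    # Tampered payload with the original signature left in place: must fail the signature check.
    h, p, s = good.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["sub"] = "system:serviceaccount:kube-system:admin"
    tampered = f"{h}.{_b64url(json.dumps(payload, separators=(',', ':')).encode())}.{s}"
    return {
        "accepted_with_wildcard": verify_bearer(good, KEY, ISSUER, CLIENT_ID, ["*"], NOW),
        "rejected_by_email_domains": verify_bearer(good, KEY, ISSUER, CLIENT_ID, ["example.com"], NOW),
        "wrong_audience": verify_bearer(projected_token("other-app"), KEY, ISSUER, CLIENT_ID, ["*"], NOW),
        "wrong_issuer": verify_bearer(projected_token(CLIENT_ID, iss="https://other.example.test"), KEY, ISSUER, CLIENT_ID, ["*"], NOW),
        "tampered": verify_bearer(tampered, KEY, ISSUER, CLIENT_ID, ["*"], NOW),
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:28s} -> {result}")
```

The <code>rejected_by_email_domains</code> case is the one the last bullet warns about: the token is perfectly valid, but because a projected service-account token has no <code>email</code> claim, any allow-list other than <code>*</code> turns every machine user away.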
= Resources =
* [https://github.com/unfor19/kubernetes-localdev#deploy-oauth2-proxy-and-protect-an-application Kubernetes Hands-On Self-Paced Course] OAuth+OIDC
Latest revision as of 23:13, 23 September 2021