Difference between revisions of "SSO - Single Sign On"
Jump to navigation
Jump to search
Line 14: | Line 14: | ||
* <code>skip-jwt-bearer-tokens</code> is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes. | * <code>skip-jwt-bearer-tokens</code> is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes. | ||
* <code>email-domains</code> must be <code>*</code> for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory. | * <code>email-domains</code> must be <code>*</code> for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory. | ||
= Resources = | |||
* [https://github.com/unfor19/kubernetes-localdev#deploy-oauth2-proxy-and-protect-an-application Kubernetes Hands-On Self-Paced Course] OAuth+OIDC |
Latest revision as of 23:13, 23 September 2021
SSO (Reverse Proxy) Architecture
Browser goes to URL(1), via rev-proxy gets redirected to IdP(2)
Example implementations:
oauth2-proxy reverse proxy
oidc-issuer-url
must match the issuer (iss) claim in your tokens. This is where you are hosting the public OIDC discovery documents you configured.client-id
needs to match the audience (aud) claim in your tokens. You set the audience in the Pod spec in the projected volume details.cookie-secret
and client-secret don’t matter for machine users. But they have to be set for OAuth2-Proxy to start up. Just set them with junk data.skip-jwt-bearer-tokens
is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes.email-domains
must be*
for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory.
Resources
- Kubernetes Hands-On Self-Paced Course OAuth+OIDC