Difference between revisions of "SSO - Single Sign On"
Jump to navigation
Jump to search
Line 5: | Line 5: | ||
Example implementations: | Example implementations: | ||
* [https://github.com/oauth2-proxy/oauth2-proxy oauth2-proxy] | * [https://github.com/oauth2-proxy/oauth2-proxy oauth2-proxy] | ||
== [https://github.com/oauth2-proxy/oauth2-proxy oauth2-proxy] reverse proxy == | |||
:[[File:ClipCapIt-210923-220444.PNG]] | |||
* <code>oidc-issuer-url</code> must match the issuer (iss) claim in your tokens. This is where you are hosting the public OIDC discovery documents you configured. | |||
* <code>client-id</code> needs to match the audience (aud) claim in your tokens. You set the audience in the Pod spec in the projected volume details. | |||
* <code>cookie-secret</code> and client-secret don’t matter for machine users. But they have to be set for OAuth2-Proxy to start up. Just set them with junk data. | |||
* <code>skip-jwt-bearer-tokens</code> is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes. | |||
* <code>email-domains</code> must be <code>*</code> for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory. |
Revision as of 23:09, 23 September 2021
SSO (Reverse Proxy) Architecture
Browser goes to URL(1), via rev-proxy gets redirected to IdP(2)
Example implementations:
oauth2-proxy reverse proxy
oidc-issuer-url
must match the issuer (iss) claim in your tokens. This is where you are hosting the public OIDC discovery documents you configured.client-id
needs to match the audience (aud) claim in your tokens. You set the audience in the Pod spec in the projected volume details.cookie-secret
and client-secret don’t matter for machine users. But they have to be set for OAuth2-Proxy to start up. Just set them with junk data.skip-jwt-bearer-tokens
is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes.email-domains
must be*
for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory.