Latest revision as of 23:13, 23 September 2021

SSO (Reverse Proxy) Architecture

Browser goes to URL(1), via rev-proxy gets redirected to IdP(2)

Example implementations:

oidc-issuer-url must match the issuer (iss) claim in your tokens. This is where you are hosting the public OIDC discovery documents you configured.
client-id needs to match the audience (aud) claim in your tokens. You set the audience in the Pod spec in the projected volume details.
cookie-secret and client-secret don’t matter for machine users. But they have to be set for OAuth2-Proxy to start up. Just set them with junk data.
skip-jwt-bearer-tokens is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes.
email-domains must be * for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory.

@@ Line 14: / Line 14: @@
 * <code>skip-jwt-bearer-tokens</code> is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes.
 * <code>email-domains</code> must be <code>*</code> for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory.
+= Resources =
+* [https://github.com/unfor19/kubernetes-localdev#deploy-oauth2-proxy-and-protect-an-application Kubernetes Hands-On Self-Paced Course] OAuth+OIDC