SSO - Single Sign On

From Ever changing code
Revision as of 22:13, 23 September 2021 by Pio2pio (talk | contribs) (→‎oauth2-proxy reverse proxy)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

SSO (Reverse Proxy) Architecture

Browser goes to URL(1), via rev-proxy gets redirected to IdP(2)

ClipCapIt-210922-135600.PNG

Example implementations:

oauth2-proxy reverse proxy

ClipCapIt-210923-220444.PNG
  • oidc-issuer-url must match the issuer (iss) claim in your tokens. This is where you are hosting the public OIDC discovery documents you configured.
  • client-id needs to match the audience (aud) claim in your tokens. You set the audience in the Pod spec in the projected volume details.
  • cookie-secret and client-secret don’t matter for machine users. But they have to be set for OAuth2-Proxy to start up. Just set them with junk data.
  • skip-jwt-bearer-tokens is what allows OAuth2-Proxy to verify ID Tokens in a bearer header directly. Otherwise it would look for a session cookie for authorization purposes.
  • email-domains must be * for Kubernetes machine users support. If you glance above at the decoded contents of a projected token payload, you’ll notice there’s no email claim. Hence the * is mandatory.

Resources