SSO - Single Sign On

From Ever changing code

SSO (Reverse Proxy) Architecture

The browser requests the application URL (1); the reverse proxy intercepts the unauthenticated request and redirects the browser to the IdP (2) to sign in.


Example implementations:

oauth2-proxy reverse proxy

  • oidc-issuer-url must match the issuer (iss) claim in your tokens. This is the URL under which you host the public OIDC discovery documents you configured.
  • client-id must match the audience (aud) claim in your tokens. For Kubernetes machine users you set the audience in the Pod spec, in the projected volume details.
  • cookie-secret and client-secret don’t matter for machine users, but they have to be set for OAuth2-Proxy to start up. Just set them to junk data.
  • skip-jwt-bearer-tokens is what allows OAuth2-Proxy to verify ID Tokens presented directly in a bearer Authorization header. Without it, OAuth2-Proxy only looks for a session cookie when authorizing a request.
  • email-domains must be * to support Kubernetes machine users. If you glance above at the decoded contents of a projected token payload, you’ll notice there is no email claim at all, so any domain restriction would reject the token. Hence the * is mandatory.
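
The checks the bullets above describe, as an added example that is not code from oauth2-proxy or from this page: a bearer-token verifier that applies the iss / aud / email-domains rules in the same order a proxy in skip-jwt-bearer-tokens mode would. The issuer URL, client-id and service-account subject are constructed, and an HS256 shared secret stands in for the RS256/JWKS verification a real proxy does via the discovery document.

```python
import base64, hashlib, hmac, json, time

# Constructed settings mirroring the oauth2-proxy flags discussed above.
# HS256 with a shared secret is a stand-in here for the RS256 signature check
# oauth2-proxy performs against the JWKS found via oidc-issuer-url.
CONFIG = {
    "oidc_issuer_url": "https://kubernetes.default.svc.cluster.local",  # must equal iss
    "client_id": "oauth2-proxy",                                       # must equal aud
    "email_domains": ["*"],                                            # wildcard: no email claim needed
    "hs256_secret": b"constructed-demo-secret",
}

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, secret):
    """Build a constructed HS256 JWT so the verifier below has realistic input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authorize_bearer(auth_header, cfg=CONFIG, now=None):
    """Return (allowed, reason_or_subject) for one Authorization header value,
    applying the checks skip-jwt-bearer-tokens makes the proxy perform."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "no bearer token (proxy would fall back to a session cookie)"
    try:
        header, payload, sig = auth_header[len("Bearer "):].split(".")
    except ValueError:
        return False, "malformed JWT"
    expected = hmac.new(cfg["hs256_secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= (now or time.time()):
        return False, "token expired"
    if claims.get("iss") != cfg["oidc_issuer_url"]:
        return False, "iss does not match oidc-issuer-url"
    aud = claims.get("aud")                      # projected tokens carry aud as a list
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["client_id"] not in aud:
        return False, "aud does not match client-id"
    if "*" not in cfg["email_domains"]:          # only enforced without the wildcard
        email = claims.get("email", "")
        if not any(email.endswith("@" + d) for d in cfg["email_domains"]):
            return False, "email claim missing or not in email-domains"
    return True, claims.get("sub")
```

Swapping `email_domains` for a concrete domain shows why the wildcard is mandatory: a valid projected token with no email claim is then rejected at the last check even though its signature, issuer and audience are all correct.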

Resources