Configuration
Ivan Josipovic edited this page Mar 6, 2024
Use this approach if you configure oidc-guard as a dedicated endpoint:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oidc-guard.company.com/auth?aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
    nginx.ingress.kubernetes.io/auth-signin: https://oidc-guard.company.com/signin
spec:
```
To only validate JWTs (no interactive sign-in), remove the `nginx.ingress.kubernetes.io/auth-signin` annotation:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oidc-guard.company.com/auth?aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
spec:
```
https://github.com/IvanJosipovic/OIDC-Guard/blob/main/charts/oidc-guard/values.yaml#L17-L114
In order to use OIDC-Guard with the Google Identity-Aware Proxy (IAP), you need to set the `JWKSUrl`, `authorizationHeader`, `prependBearer` and `validIssuers` settings:

```yaml
settings:
  # Skip Authentication for CORS Preflight requests
  # https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
  skipAuthPreflight: false
  # Set host for http redirect used in the sign-in process
  # When not set, will use the app's hostname
  host: ""
  # Set scheme for http redirect used in the sign-in process (http or https)
  # When not set, will accept X-Forwarded-Proto
  scheme: ""
  # Log Level (Trace, Debug, Information, Warning, Error, Critical, and None)
  logLevel: Information
  cookie:
    # Enable Cookie based Authentication
    enable: false
  JWT:
    # Enable JWT based Authentication
    enable: true
    # Sets the JSON Web Key Set and ignores the openIdProviderConfigurationUrl
    # Make sure to set the validIssuers property
    JWKSUrl: "https://www.gstatic.com/iap/verify/public_key-jwk"
    # Sets Authorization header name, if not set "Authorization" will be used
    authorizationHeader: "x-goog-iap-jwt-assertion"
    # Accept token from the access_token Query Parameter
    # https://datatracker.ietf.org/doc/html/rfc6750#section-2.3
    enableAccessTokenInQueryParameter: false
    # Prepend "Bearer " to the Authorization header if it's missing
    prependBearer: true
    # Control if the audience will be validated during JWT token validation.
    # Validation of the audience mitigates forwarding attacks. For example, a site that receives a token could not replay it to another site.
    # This value can be validated at the Ingress level using /auth?aud=00000000-0000-0000-0000-000000000000
    validateAudience: false
    # Set valid audiences for JWT validation
    validAudiences: []
    # - 11111111-1111-1111-1111-111111111111
    # Control if the issuer will be validated during JWT token validation.
    # Validation of the issuer mitigates forwarding attacks that can occur when an
    # Identity Provider represents multiple tenants and signs tokens with the same keys.
    # It is possible that a token issued for the same audience could be from a different tenant.
    validateIssuer: true
    # Set valid issuers replacing the one found in the settings.openIdProviderConfigurationUrl
    validIssuers:
      - https://cloud.google.com/iap
```
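The following Python script is an added illustration, not code from OIDC-Guard, of what the settings above and the `aud=` parameters on the Ingress `auth-url` annotation control: which header the token is read from, the `prependBearer` normalisation, and the issuer and audience checks that block token forwarding. It stands in for the real JWKS/RS256 verification with an HMAC-SHA256 signature so it runs offline; the `SETTINGS` dict, the `KEY`, all token claims and the rule "audience is enforced when `validateAudience` is true or the auth-url carries `aud` parameters" are this example's assumptions, not a statement of OIDC-Guard's exact precedence.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlparse

# Constructed settings mirroring the Google IAP values.yaml fragment above.
SETTINGS = {
    "authorizationHeader": "x-goog-iap-jwt-assertion",
    "prependBearer": True,
    "validateAudience": False,
    "validAudiences": [],
    "validateIssuer": True,
    "validIssuers": ["https://cloud.google.com/iap"],
}

# The auth-url from the Ingress annotation; the aud query parameters are
# the audiences the ingress asks oidc-guard to enforce for this host.
AUTH_URL = ("https://oidc-guard.company.com/auth"
            "?aud=22222222-2222-2222-2222-222222222222"
            "&aud=33333333-3333-3333-3333-333333333333")

KEY = b"constructed-demo-key"  # HS256 stand-in for the provider's JWKS key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWT signed with HS256 (demo only; IAP uses RS256/JWKS)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def audiences_from_auth_url(url: str) -> list:
    """Audiences requested by the ingress, from repeated aud= query params."""
    return parse_qs(urlparse(url).query).get("aud", [])


def extract_token(headers: dict, settings: dict):
    """Read the token from the configured header, honouring prependBearer."""
    name = (settings.get("authorizationHeader") or "Authorization").lower()
    value = next((v for k, v in headers.items() if k.lower() == name), None)
    if value is None:
        return None
    if settings["prependBearer"] and not value.startswith("Bearer "):
        value = "Bearer " + value
    if not value.startswith("Bearer "):
        return None
    return value[len("Bearer "):]


def validate(token: str, key: bytes, settings: dict, requested_auds: list,
             now: float = None) -> tuple:
    """Return (ok, reason): signature, expiry, then issuer and audience checks."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # Issuer check: a token from another tenant signed with the same keys is rejected.
    if settings["validateIssuer"] and claims.get("iss") not in settings["validIssuers"]:
        return False, "issuer not allowed"
    token_auds = claims.get("aud", [])
    if isinstance(token_auds, str):
        token_auds = [token_auds]
    allowed = set(requested_auds) | set(settings["validAudiences"])
    # Audience check: a token minted for another site cannot be replayed here.
    # Assumption: enforced when validateAudience is set or the auth-url carries aud=.
    if (settings["validateAudience"] or requested_auds) and not (allowed & set(token_auds)):
        return False, "audience not allowed"
    return True, "ok"


if __name__ == "__main__":
    good = sign_token({"iss": "https://cloud.google.com/iap",
                       "aud": "22222222-2222-2222-2222-222222222222",
                       "exp": 4102444800}, KEY)
    tok = extract_token({"X-Goog-IAP-JWT-Assertion": good}, SETTINGS)
    print(validate(tok, KEY, SETTINGS, audiences_from_auth_url(AUTH_URL)))
```

Running the script shows the happy path; the interesting cases are the negative ones: with `validateAudience: false` and no `aud=` on the auth-url a token for a different audience is accepted, which is why the page suggests pinning audiences per Ingress via `/auth?aud=...`.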