
Configuration

Ivan Josipovic edited this page Mar 6, 2024 · 13 revisions

Configure Ingress

Use this approach when oidc-guard runs as a dedicated endpoint on its own hostname (oidc-guard.company.com below). ingress-nginx sends each request to auth-url before proxying it; when oidc-guard answers 401, the client is redirected to auth-signin. The aud query parameters on auth-url set the audiences accepted for this particular Ingress, so a token issued for one application cannot be replayed against another application behind the same oidc-guard instance.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oidc-guard.company.com/auth?aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
    nginx.ingress.kubernetes.io/auth-signin: https://oidc-guard.company.com/signin
spec:
  # rules and backend omitted in the original; the annotations above are the only oidc-guard specific part

Configure Ingress JWT Only

For clients that only present a bearer JWT (APIs, service-to-service calls), remove the nginx.ingress.kubernetes.io/auth-signin annotation. Without it, a request that fails validation receives the 401 from oidc-guard instead of a redirect to the sign-in page, which is the behaviour a non-browser client expects.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oidc-guard.company.com/auth?aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
spec:
  # rules and backend omitted in the original; the annotations above are the only oidc-guard specific part

Helm Values

https://github.com/IvanJosipovic/OIDC-Guard/blob/main/charts/oidc-guard/values.yaml#L17-L114

Google Identity Aware Proxy

To put OIDC-Guard behind Google Identity-Aware Proxy, set JWKSUrl to IAP's public key set, authorizationHeader to x-goog-iap-jwt-assertion (IAP places the signed JWT in that header, not in Authorization), prependBearer, because IAP sends the bare token without a "Bearer " prefix, and validIssuers to https://cloud.google.com/iap. The example below leaves validateAudience off. The aud claim of an IAP JWT identifies a specific project and backend (for a backend service it has the form /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID), so either list that value in validAudiences or pass it in the Ingress auth-url aud parameter; otherwise any IAP-signed token, for any backend in any project, passes the issuer check and is accepted.

settings:
  # Skip Authentication for CORS Preflight requests
  # https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
  skipAuthPreflight: false

  # Set host for the http redirect used in the sign-in process
  # When not set, the app's hostname is used
  host: ""

  # Set scheme for http redirect used in the sign-in process (http or https)
  # When not set, will accept X-Forwarded-Proto
  scheme: ""

  # Log level (Trace, Debug, Information, Warning, Error, Critical, None)
  logLevel: Information

  cookie:
    # Enable Cookie based Authentication
    enable: false

  JWT:
    # Enable JWT based Authentication
    enable: true

    # Sets the JSON Web Key Set and ignores the openIdProviderConfigurationUrl
    # Make sure to set the validIssuers property
    JWKSUrl: "https://www.gstatic.com/iap/verify/public_key-jwk"

    # Sets Authorization header name, if not set "Authorization" will be used
    authorizationHeader: "x-goog-iap-jwt-assertion"

    # Accept token from the access_token Query Parameter
    # https://datatracker.ietf.org/doc/html/rfc6750#section-2.3
    enableAccessTokenInQueryParameter: false

    # Prepend "Bearer " to the Authorization header if its missing
    prependBearer: true

    # Control if the audience will be validated during JWT token validation.
    # Validation of the audience mitigates forwarding attacks: a site that receives a token cannot replay it to another site.
    # The audience can also be validated per Ingress with /auth?aud=00000000-0000-0000-0000-000000000000
    validateAudience: false

    # Set valid audiences for JWT validation
    validAudiences: []
    # - 11111111-1111-1111-1111-111111111111
    # - /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID   # form of the aud claim in an IAP JWT for a backend service

    # Control if the issuer will be validated during JWT token validation.
    # Validation of the issuer mitigates forwarding attacks that can occur when an
    # Identity Provider represents multiple tenants and signs tokens with the same keys.
    # It is possible that a token issued for the same audience could be from a different tenant.
    validateIssuer: true

    # Set valid issuers replacing the one found in the settings.openIdProviderConfigurationUrl
    validIssuers:
    - https://cloud.google.com/iap
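To make the header, issuer and audience rules in the values above concrete, here is an added Go example. It is not OIDC-Guard's code (the project is written in .NET) and not part of this wiki; it mints an ES256 token with a constructed P-256 key standing in for the key behind JWKSUrl, then validates it the way the settings describe: read the token from x-goog-iap-jwt-assertion, tolerate the missing "Bearer " prefix (prependBearer), pin the algorithm to the key type in the JWKS, and check signature, expiry, issuer and audience in that order. The key id and the backend-service audience strings are constructed placeholders, and Settings uses sets where the chart uses lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Settings mirrors the JWT block of the Helm values above; names follow the chart, the type is this example's
// (the chart takes lists for validAudiences/validIssuers, sets are used here for the lookup).
type Settings struct {
	AuthorizationHeader string // header carrying the token (the chart defaults to "Authorization")
	PrependBearer       bool   // also accept a bare token without "Bearer ", which is how IAP sends it
	ValidateAudience    bool
	ValidAudiences      map[string]bool
	ValidateIssuer      bool
	ValidIssuers        map[string]bool
}

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func decodeJSON(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// newIssuer returns a constructed P-256 signing key and the kid -> public key map that JWKSUrl would serve.
func newIssuer(kid string) (*ecdsa.PrivateKey, map[string]*ecdsa.PublicKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return key, map[string]*ecdsa.PublicKey{kid: &key.PublicKey}
}

// mintES256 signs claims the way an ES256 issuer (IAP here) does; the JWS signature is raw r||s, 32 bytes each.
func mintES256(key *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, h[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verify applies, in order: header form, pinned algorithm and key, signature, expiry, issuer, audience.
func verify(headers map[string]string, s Settings, jwks map[string]*ecdsa.PublicKey, now time.Time) (*Claims, error) {
	raw := headers[s.AuthorizationHeader]
	if !s.PrependBearer && !strings.HasPrefix(raw, "Bearer ") {
		return nil, fmt.Errorf("header %s is not a Bearer token", s.AuthorizationHeader)
	}
	parts := strings.Split(strings.TrimPrefix(raw, "Bearer "), ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var c Claims
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil || decodeJSON(parts[1], &c) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, ok := jwks[hdr.Kid] // alg is pinned to the JWKS key type; the token does not get to choose it
	if hdr.Alg != "ES256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	if s.ValidateIssuer && !s.ValidIssuers[c.Iss] {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if s.ValidateAudience && !s.ValidAudiences[c.Aud] { // stops replay of a token minted for another backend
		return nil, fmt.Errorf("audience %q not accepted", c.Aud)
	}
	return &c, nil
}

func main() {
	key, jwks := newIssuer("iap-key-1")
	s := Settings{AuthorizationHeader: "x-goog-iap-jwt-assertion", PrependBearer: true,
		ValidateIssuer: true, ValidIssuers: map[string]bool{"https://cloud.google.com/iap": true},
		ValidateAudience: true, ValidAudiences: map[string]bool{"/projects/123456/global/backendServices/42": true}} // constructed ids
	tok := mintES256(key, "iap-key-1", Claims{Iss: "https://cloud.google.com/iap", Aud: "/projects/123456/global/backendServices/99", Exp: time.Now().Add(time.Hour).Unix()})
	_, err := verify(map[string]string{"x-goog-iap-jwt-assertion": tok}, s, jwks, time.Now())
	fmt.Println("token minted for another backend service:", err)
}
```

Running it prints the audience error for a token that is correctly signed by the trusted issuer but minted for a different backend service. Flip ValidateAudience to false and the same token is accepted, which is exactly the gap the values file describes and why the Ingress-level ?aud= parameter matters when validateAudience is left off.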