Let users authenticate with your app by using their Google account.
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
Before you begin
Consider increasing the default timeout of the external auth server. When you set up OAuth, the external auth server must communicate with the external OIDC provider’s authorization server. Because of this interaction, the OIDC flow might take longer than the default timeout of 200ms
. In such cases, you might noticed failed requests or unexpected behavior. You can increase the default timeout by setting the requestTimeout
value on the external auth settings. The external auth settings can be configured on the Gloo Gateway Settings object.
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Register your app with Google
To use Google as an identity provider (IdP), you must register your app with the Google API.
- Log in to the Google Developer Console.
- Optional: For first-time users, or to separate your resources from others in your cloud, create a project.
- Configure your OAuth consent screen details. If you have an existing consent screen that you want to use, skip to the next step.
- From the menu, click OAuth consent screen.
- Select the Internal user type, and click Create.
- From the OAuth consent screen tab, enter the details of your app.
- In the App information section, enter a name and email for your app.
- You can skip the App domain and Authorized domain sections.
- In the Developer contact information section, enter your email.
- Click Save and continue.
- Optional: From the Scopes tab, you can restrict permissions to particular APIs in your app. For testing purposes, you can skip this section. Click Save and continue.
- Review the summary and click Back to dashboard.
- Create the credentials to use Google as an OAuth client.
- From the menu, click Credentials.
- From the Credentials menu bar, click + Create credentials, and then OAuth client ID.
- From the Application type dropdown, select Web application. You can optionally rename the client.
- In the Authorized redirect URIs section, click + Add URI.
- Enter the following URI for demonstration purposes:
http://extauth.example.com:8080/callback
- Click Create.
- Store the Client ID and Client secret values as environment variables. You can also download the client information as a JSON file.
export CLIENT_ID=<client-id> export CLIENT_SECRET=<client-secret>
Set up Google auth
Store the client secret as a Kubernetes secret in the workload cluster that you want to create the external auth policy in.
kubectl apply -f - <<EOF apiVersion: v1 kind: Secret metadata: name: google namespace: httpbin type: extauth.solo.io/oauth stringData: client-secret: ${CLIENT_SECRET} EOF
Create an AuthConfig resource and add your external authentication rules. The following example passes authentication requests through to the gRPC auth server that you deployed earlier.
kubectl apply -f - <<EOF apiVersion: enterprise.gloo.solo.io/v1 kind: AuthConfig metadata: name: google-auth namespace: httpbin spec: configs: - oauth2: oidcAuthorizationCode: appUrl: http://extauth.example.com:8080 callbackPath: /callback clientId: $CLIENT_ID clientSecretRef: name: google namespace: httpbin issuerUrl: https://accounts.google.com session: cookieOptions: notSecure: true scopes: - email EOF
Review the following table to understand this configuration.
Setting Description oauth2
Configure the OAuth 2.0 protocol details to use to authenticate requests. The example uses Google as the external identity provider. appUrl
The public URL of the app that you want to set up external auth for. This setting is used in combination with the callbackPath
attribute. In this example, you did not configure Google OAuth with a public URL. Instead, you can usehttp://extauth.example.com:8080
to test the authentication setup.callbackPath
The callback path, relative to the appUrl setting. After a user authenticates, the identity provider redirects the user to this callback URL. Gloo Gateway intercepts requests with this path, exchanges the authorization code received from the IdP for an ID token, places the ID token in a cookie on the request, and forwards the request to its original destination. The callback path must have a matching route in the HTTPRoute resource that is associated with the AuthConfig. For example, you could simply have a/
path-prefix route which would match any callback path. The important part of this callback catchall route is that the request goes through the routing filters including external auth.clientId
The client ID token that you got when you registered your app with the identity provider. In this example, you set the client ID in an earlier step. clientSecretRef
The Kubernetes secret that has the client secret that you got when you registered your app with the identity provider. In this example, you created the secret in an earlier step. issuerUrl
The URL of the OpenID Connect identity provider. Gloo Gateway automatically discovers OIDC configuration by querying the .well-known/openid-configuration
endpoint on theissuer_url
. In this example, Gloo Gateway expects to find OIDC discovery information athttps://accounts.google.com
.session
Details on how to store the user session details. In this example, the cookie is insecure, for demonstration purposes. scopes
Other OIDC scopes to request. By default, the openid
scope is included, which returns the OIDC protocol information that is needed to verify the user’s identity. This example also requests theemail
scope, which has the user’s Google email address. For more information, see the OpenID docs.Create a RouteOption resource that refers to the AuthConfig resource that you just created.
kubectl apply -f- <<EOF apiVersion: gateway.solo.io/v1 kind: RouteOption metadata: name: google-auth namespace: httpbin spec: options: extauth: configRef: name: google-auth namespace: httpbin EOF
Create an HTTPRoute resource for the httpbin app that requires authentication with Google for requests along the
/
path. After the user is successfully authenticated with Google, an access token is issued and the user is redirected to the callback path (/callback
) that you defined in the AuthConfig resource. Because the HTTPRoute matches on the/
prefix path, it also matches requests along the callback path. The access token that is included in the callback path includes the original prefix path of the request. The extauth server is configured to extract the original request path and to redirect the user back to this path.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: httpbin-google-auth namespace: httpbin spec: parentRefs: - name: http namespace: gloo-system hostnames: - extauth.example.com rules: - matches: - path: type: PathPrefix value: / filters: - type: ExtensionRef extensionRef: group: gateway.solo.io kind: RouteOption name: google-auth backendRefs: - name: httpbin port: 8000 EOF
Update the
/etc/hosts
file on your local machine to match the$INGRESS_GW_ADDRESS
to theextauth.example.com
host.- Open the
/etc/hosts
file.sudo vi /etc/hosts
- Match the
extauth.example.com
host to the$INGRESS_GW_ADDRESS
. For example, if$INGRESS_GW_ADDRESS
is 34.2.1.2, add the following snippet to your/etc/hosts
file.34.2.1.2 extauth.example.com
- Open the
In your browser, open any path to your app. For example, you might use http://extauth.example.com:8080/anything as your app URL. Verify that you are redirected to the Google login screen.
Log in to Google. Verify that you are redirected to the
/callback
path, with the access token from Google added as a query string in the URL. Because the callback path is included in the/
matcher, the external auth server continues to process the request and extracts the original prefix path from the callback URL. Then, the request is forwarded to the httpbin app along the original prefix path (/anything
).
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete authconfig google-auth -n httpbin
kubectl delete routeoption google-auth -n httpbin
kubectl delete httproute httpbin-google-auth -n httpbin
kubectl delete secret google -n httpbin