Authorization code

For more information or other OAuth options, see the OAuth about page.

Before you begin link

1. Follow the Get started guide to install Gloo Gateway.

2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.

3. Get the external address of the gateway and save it in an environment variable.

     export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
   echo $INGRESS_GW_ADDRESS  
     

     kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
     

Step 1: Set up your Identity Provider link

Set up an OpenID Connect (OIDC) compatible identity provider (IdP).

For example, you can use Keycloak as an IdP.

Step 2: Enforce authorization code link

Use AuthConfig and GlooTrafficPolicy resources to apply the auth rules to the routes that you want to secure with authorization code OAuth.

1. Create a Kubernetes secret to store your Keycloak client credentials.

     kubectl apply -f - <<EOF
   apiVersion: v1
   kind: Secret
   metadata:
     name: oauth-keycloak
     namespace: gloo-system
   type: extauth.solo.io/oauth
   stringData:
     client-secret: ${KEYCLOAK_SECRET}
   EOF
     

2. Create an AuthConfig resource with your authorization code OAuth rules.

     kubectl apply -f- <<EOF
   apiVersion: extauth.solo.io/v1
   kind: AuthConfig
   metadata:
     name: oauth-authorization-code
     namespace: httpbin
   spec:
     configs:
     - oauth2:
         oidcAuthorizationCode:
           appUrl: "http://${INGRESS_GW_ADDRESS}:80"
           callbackPath: /callback
           clientId: ${KEYCLOAK_CLIENT}
           clientSecretRef:
             name: oauth-keycloak
             namespace: gloo-system
           issuerUrl: "${KEYCLOAK_URL}/realms/master/"
           scopes:
           - email
           session:
             failOnFetchFailure: true
             redis:
               cookieName: keycloak-session
               options:
                 host: gloo-ext-cache-gloo-gateway-v2:6379
           headers:
             idTokenHeader: jwt
   EOF
     

   Review the following table to understand this configuration. For more authorization code options, see the Gloo Edge API docs.

   Field	Description
   oauth2.oidcAuthorizationCode	Set up the OAuth policy to authenticate requests with an authorization code.
   appUrl	The public URL of the app that you want to set up external auth for. This setting is used in combination with the callbackPath attribute.
   callbackPath	The callback path, relative to the appUrl setting. After a user authenticates, the IdP redirects the user to this callback URL. Gloo Gateway intercepts requests with this path, exchanges the authorization code received from the IdP for an ID token, places the ID token in a cookie on the request, and forwards the request to its original destination. Note: The callback path must have a matching route that the GlooTrafficPolicy applies to. For example, you could simply have a / path-prefix route which would match any callback path. The important part of this callback “catch all” route is that the request goes through the routing filters, including external auth.
   clientId	The client ID token that you got when you registered your app with the IdP. In this example, you set the client ID when you set up Keycloak.
   clientSecretRef	The Kubernetes secret that has the client secret that you got when you registered your app with the identity provider. The secret must exist on the same cluster as the external auth service that enforces this policy. In this example, you created the secret in an earlier step.
   issuerUrl	The URL of the OpenID Connect IdP. Gloo Gateway automatically discovers OIDC configuration by querying the .well-known/openid-configuration endpoint on the issuer_url. In this example, Gloo Gateway expects to find OIDC discovery information at "${KEYCLOAK_URL}/realms/master/".
   scopes	Scopes to request in addition to the openid scope, such as email in this example.
   session	Details on how to store the user session details. In this example, the cookie is stored as by the name keycloak-session in a Redis instance that is set up for the external auth service by default. The Redis service name is in the format gloo-ext-cache-<gateway-class-name>, such as gloo-ext-cache-gloo-gateway-v2. If your Redis instance is for a different GatewayClass, update the name accordingly.
   headers	Forward the ID token to the destination after successful authentication. In this example, the ID token is sent as a JWT.

3. Create a GlooTrafficPolicy resource that refers to the AuthConfig that you created. The following policy applies external auth to all routes that the Gateway serves.

     kubectl apply -f - <<EOF
   apiVersion: gloo.solo.io/v1alpha1
   kind: GlooTrafficPolicy
   metadata:
     name: oauth-authorization-code
     namespace: gloo-system
   spec:
     targetRefs:
       - name: http
         group: gateway.networking.k8s.io
         kind: Gateway
     glooExtAuth:
       authConfigRef:
         name: oauth-authorization-code
         namespace: httpbin
   EOF
     

4. Verify that the AuthConfig is ACCEPTED.

     kubectl get authconfig oauth-authorization-code -n httpbin -o yaml
     

   If you see a REJECTED error similar to invalid character 'k' looking for beginning of object key string, try copying the $KEYCLOAK_CERT_KEYS value manually again.

Step 3: Verify access token validation link

Sign in through your IdP to access your protected app.

Cleanup link

  kubectl delete authconfig oauth-authorization-code -n httpbin
kubectl delete gloo-traffic-policy oauth-authorization-code -n gloo-system
kubectl delete secret oauth-keycloak -n gloo-system