Google

Before you begin link

1. Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.

2. Get the external address of the gateway and save it in an environment variable.

     export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
   echo $INGRESS_GW_ADDRESS  
     

     export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
   echo $INGRESS_GW_ADDRESS
     

     kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
     

Register your app with Google link

To use Google as an identity provider (IdP), you must register your app with the Google API.

1. Log in to the Google Developer Console.
2. Optional: For first-time users, or to separate your resources from others in your cloud, create a project.
3. Configure your OAuth consent screen details. If you have an existing consent screen that you want to use, skip to the next step.
   1. From the menu, click OAuth consent screen.
   2. Select the Internal user type, and click Create.
   3. From the OAuth consent screen tab, enter the details of your app.
      • In the App information section, enter a name and email for your app.
      • You can skip the App domain and Authorized domain sections.
      • In the Developer contact information section, enter your email.
      • Click Save and continue.
   4. Optional: From the Scopes tab, you can restrict permissions to particular APIs in your app. For testing purposes, you can skip this section. Click Save and continue.
   5. Review the summary and click Back to dashboard.
4. Create the credentials to use Google as an OAuth client.
   1. From the menu, click Credentials.
   2. From the Credentials menu bar, click + Create credentials, and then OAuth client ID.
   3. From the Application type dropdown, select Web application. You can optionally rename the client.
   4. In the Authorized redirect URIs section, click + Add URI.
   5. Enter the following URI for demonstration purposes: http://localhost:8080/callback
   6. Click Create.
5. Store the Client ID and Client secret values as environment variables. You can also download the client information as a JSON file.

     export CLIENT_ID=<client-id>
   export CLIENT_SECRET=<client-secret>
     

Set up Google auth link

1. Store the client secret as a Kubernetes secret in the workload cluster that you want to create the external auth policy in.

     kubectl apply -f - <<EOF
   apiVersion: v1
   kind: Secret
   metadata:
     name: google
     namespace: httpbin
   type: extauth.solo.io/oauth
   stringData:
     client-secret: ${CLIENT_SECRET}
   EOF
     

2. Create an AuthConfig resource and add your external authentication rules. The following example passes authentication requests through to the gRPC auth server that you deployed earlier.

     kubectl apply -f - <<EOF
   apiVersion: enterprise.gloo.solo.io/v1
   kind: AuthConfig
   metadata:
     name: google-auth
     namespace: httpbin
   spec:
     configs:
     - oauth2:
         oidcAuthorizationCode:
           appUrl: http://localhost:8080
           callbackPath: /callback
           clientId: $CLIENT_ID
           clientSecretRef:
             name: google
             namespace: httpbin
           issuerUrl: https://accounts.google.com
           session:
             cookieOptions:
               notSecure: true
           scopes:
           - email
   EOF
     

   Review the following table to understand this configuration.

   Setting	Description
   oauth2	Configure the OAuth 2.0 protocol details to use to authenticate requests. The example uses Google as the external identity provider.
   appUrl	The public URL of the app that you want to set up external auth for. This setting is used in combination with the callbackPath attribute. In this example, you did not configure Google OAuth with a public URL. Instead, you can use http://localhost:8080 to test the authentication setup.
   callbackPath	The callback path, relative to the appUrl setting. After a user authenticates, the identity provider redirects the user to this callback URL. Gloo Gateway intercepts requests with this path, exchanges the authorization code received from the IdP for an ID token, places the ID token in a cookie on the request, and forwards the request to its original destination. notifications The callback path must have a matching route in the HTTPRoute resource that is associated with the AuthConfig. For example, you could simply have a / path-prefix route which would match any callback path. The important part of this callback catchall route is that the request goes through the routing filters including external auth.
   clientId	The client ID token that you got when you registered your app with the identity provider. In this example, you set the client ID in an earlier step.
   clientSecretRef	The Kubernetes secret that has the client secret that you got when you registered your app with the identity provider. In this example, you created the secret in an earlier step.
   issuerUrl	The URL of the OpenID Connect identity provider. Gloo Gateway automatically discovers OIDC configuration by querying the .well-known/openid-configuration endpoint on the issuer_url. In this example, Gloo Gateway expects to find OIDC discovery information at https://accounts.google.com.
   session	Details on how to store the user session details. In this example, the cookie is insecure, for demonstration purposes.
   scopes	Other OIDC scopes to request. By default, the openid scope is included, which returns the OIDC protocol information that is needed to verify the user’s identity. This example also requests the email scope, which has the user’s Google email address. For more information, see the OpenID docs.

3. Create a RouteOption resource that refers to the AuthConfig resource that you just created.

     kubectl apply -f- <<EOF
   apiVersion: gateway.solo.io/v1
   kind: RouteOption
   metadata:
     name: google-auth
     namespace: httpbin
   spec:
     options:
       extauth:
         configRef:
           name: google-auth
           namespace: httpbin
   EOF
     

4. Create another RouteOption resource to rewrite requests to the /anything path. You use this RouteOption resource to rewrite the callback path to a path that is known to the httpbin app.

     kubectl apply -f- <<EOF
   apiVersion: gateway.solo.io/v1
   kind: RouteOption
   metadata:
     name: google-redirect-url-rewrite
     namespace: httpbin
   spec:
     options:
       prefixRewrite: '/anything'
   EOF
     

5. Create an HTTPRoute resource for the httpbin app that requires authentication with Google for requests along the /status/200 path. After the user is successfully authenticated with Google, the user is redirected to the callback path that you defined in the AuthConfig resource. To ensure that the user sees a valid response, you add a matcher for the callback path to your HTTPRoute resource and rewrite requests to this path to the /anything path, which is a known path in the httpbin app.

     kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: HTTPRoute
   metadata:
     name: httpbin-google-auth
     namespace: httpbin
   spec:
     parentRefs:
     - name: http
       namespace: gloo-system
     rules:
       - matches:
         - path:
             type: Exact
             value: /status/200
         filters:
           - type: ExtensionRef
             extensionRef:
               group: gateway.solo.io
               kind: RouteOption
               name: google-auth
         backendRefs:
           - name: httpbin
             port: 8000
       - matches:
         - path:
             type: Exact
             value: /callback
         filters:
           - type: ExtensionRef
             extensionRef:
               group: gateway.solo.io
               kind: RouteOption
               name: google-redirect-url-rewrite
         backendRefs:
           - name: httpbin
             port: 8000
   EOF
     

6. Port-forward the HTTP proxy on port

     kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
     

7. In your browser, open the path to your app. If you followed this example, your app URL is http://localhost:8080/status/200. Verify that you are redirected to the Google login screen.

   

   Example output: Gloo Gateway redirects you to the /callback page, with the information from Google added as a query string in the URL. Because the callback path is rewritten to the /anything path, you see the output for that path in your browser.

   

   

Cleanup link

You can optionally remove the resources that you created in this guide.

  kubectl delete authconfig google-auth -n httpbin
kubectl delete routeoption google-auth -n httpbin
kubectl delete routeoption google-redirect-url-rewrite -n httpbin
kubectl delete httproute httpbin-google-auth -n httpbin
kubectl delete secret google -n httpbin