OIDC and OAuth

About OIDC

Gloo Gateway supports authentication via OpenID Connect (OIDC). OIDC is an identity layer on top of the OAuth 2.0 protocol. In OAuth 2.0 flows, authentication is performed by an external identity provider (IdP). For successful authentications, the IdP returns an access token that represents the user identity. However, the protocol does not define the contents and structure of the access token. This ambiguity greatly reduces the portability of OAuth 2.0 implementations.

The goal of OIDC is to address Oauth 2.0's ambiguity by requiring identity providers to return a well-defined ID token. OIDC ID tokens follow the JSON Web Token (JWT) standard and contain specific fields. You can write your apps to expect and handle these fields. This standardization allows you to switch between identity providers or support multiple IdPs at the same time. You need minimal, if any, changes to your downstream services. OIDC also allows you to consistently apply security measures such as Kubernetes role-based access control (RBAC) based on the content of the ID tokens. This way, you can use the same user identity information for authentication to apps in your cluster.

Example guides

To set up external auth with OIDC, try one of the following guides.

• Google: Let users authenticate with your app by using their Google account.

• Hydra: Let users authenticate with your app by using an access token from ORY Hydra.

• Keycloak: Follow along with an OIDC OAuth example that uses Keycloak as an identity provider.

• Okta: Set up external auth for the apps in your cluster with the Okta OIDC provider.

• More OAuth features: Review more OAuth features that you can use, such as cookie options, and storing sessions in Redis, and logout path.