OIDC and OAuth

Use OpenID Connect (OIDC) with the OAuth 2.0 protocol to have an external identity provider authenticate requests with an access token.

This feature is available with a Gloo Gateway license only.

About OIDC

Gloo Gateway supports authentication via OpenID Connect (OIDC). OIDC is an identity layer on top of the OAuth 2.0 protocol. In OAuth 2.0 flows, authentication is performed by an external identity provider (IdP). For successful authentications, the IdP returns an access token that represents the user identity. However, the protocol does not define the contents and structure of the access token. This ambiguity greatly reduces the portability of OAuth 2.0 implementations.

The goal of OIDC is to address Oauth 2.0's ambiguity by requiring identity providers to return a well-defined ID token. OIDC ID tokens follow the JSON Web Token (JWT) standard and contain specific fields. You can write your apps to expect and handle these fields. This standardization allows you to switch between identity providers or support multiple IdPs at the same time. You need minimal, if any, changes to your downstream services. OIDC also allows you to consistently apply security measures such as Kubernetes role-based access control (RBAC) based on the content of the ID tokens. This way, you can use the same user identity information for authentication to apps in your cluster.

Example guides

To set up external auth with OIDC, try one of the following guides.