Require OIDC external auth

Require users to authenticate through an OpenID Connect (OIDC) identity provider (IdP) that you configure for external auth, such as Google or Okta.

For more information about this type of external auth, see OIDC and OAuth.

Before you begin

  1. Create your APIs, including the Gloo ApiDocs that describe the stitched schema.
  2. Bundle your APIs into API products by using a route table.
  3. Optional: Review the Usage plan overview to understand how the various Gloo custom resources work together to create usage plans for your developer portal.

Apply an OAuth external auth policy

Configure the OIDC provider that you use for the OAuth external authentication policy. The steps vary depending on the OIDC provider. The following example includes steps for Okta and Keycloak. For other providers, see OIDC and OAuth.

  1. Get the labels of the routes that you want to apply policies to, for example with the following query.

    kubectl get rt -n gloo-mesh-gateways -o=jsonpath='{range .items[*]}[{.metadata.name}, {.spec.http[*].name}, {.spec.http[*].labels}]{"\n"}{end}'
    

    Example output:

    [api-example-com-rt, , ]
    [petstore-rt, pets-api users-api store-api, ]
    [tracks-rt, tracks-api, {"usagePlans":"dev-portal"}]

    In this output:

    • The tracks-rt route table has a usagePlans: dev-portal label on its tracks-api route. You can use this label to apply policies to the route, or create another label on the route, such as oauth: true.
    • The other route tables do not have route-level labels. To apply policies to those routes, add labels to them first.
    
  2. Create an OAuth external auth policy. The steps vary depending on your OIDC provider and how you want to configure OAuth. Make sure that the label you use to apply the policy matches the labels on the routes, such as usagePlans: "dev-portal".

    Okta:
    • Follow the Okta access token example to configure Okta and create the external auth policy.

    Keycloak:
    1. Follow the steps to install Keycloak.
    2. Follow the steps to configure Keycloak.
    3. Create the secret and external auth server. Note that you can skip creating the httpbin sample app route table, because you create a route table for the portal later.
    4. Configure OAuth with an external auth policy for access token validation.

  3. Verify that requests to your API now require external auth. The following request is rejected because the caller has not authenticated through the OIDC provider.

    curl -v --resolve api.example.com:80:${INGRESS_GW_IP} http://api.example.com/trackapi/tracks
    

    Example output from an authorization code OAuth policy:

    < HTTP/1.1 302 Found
    < location: http://$OAUTH_URL/realms/master/protocol/openid-connect/auth?client_id=$CLIENT_ID&redirect_uri=https%3A%2F%2F$OAUTH_URL%3A443%2Fcallback&response_type=code&scope=email+openid&state=<token>
    < date: Thu, 20 Jul 2023 18:32:22 GMT
    < server: istio-envoy
    < content-length: 0
    

    Example output from an access token validation with inline JWKS OAuth policy:

    < HTTP/1.1 403 Forbidden
    
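    The verification step above relies on reading the curl output by eye. The following script, an added example that is not part of the Gloo documentation, parses the `< ` response lines that `curl -v` prints and checks that the unauthenticated request was actually rejected in the way the policy is meant to reject it: a 403 for access token validation, or a 302 whose Location header points at the configured IdP authorization endpoint with the expected client_id, redirect_uri, response_type=code, an openid scope and a state parameter. The host name keycloak.example.com, the client id portal-client and the state value are constructed placeholders standing in for $OAUTH_URL, $CLIENT_ID and the real token.

```python
"""Check that an unauthenticated request to a portal route was rejected by the
external auth policy. Added example, not Gloo project code. Parses the response
headers from `curl -v` output and validates the OIDC redirect or the 403."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the authorization-code output above, with
# $OAUTH_URL, $CLIENT_ID and <token> replaced by placeholder values.
SAMPLE_AUTH_CODE_RESPONSE = """\
< HTTP/1.1 302 Found
< location: http://keycloak.example.com/realms/master/protocol/openid-connect/auth?client_id=portal-client&redirect_uri=https%3A%2F%2Fkeycloak.example.com%3A443%2Fcallback&response_type=code&scope=email+openid&state=abc123
< date: Thu, 20 Jul 2023 18:32:22 GMT
< server: istio-envoy
< content-length: 0
"""

# Constructed sample for the access token validation (inline JWKS) policy.
SAMPLE_ACCESS_TOKEN_RESPONSE = "< HTTP/1.1 403 Forbidden\n"

# Expected IdP configuration (placeholders matching the samples above).
AUTH_ENDPOINT = "http://keycloak.example.com/realms/master/protocol/openid-connect/auth"
CLIENT_ID = "portal-client"
REDIRECT_URI = "https://keycloak.example.com:443/callback"


def parse_curl_response(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header map) from the `< ` lines of curl -v."""
    status = None
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if not line.startswith("< "):
            continue  # skip request ('>') and connection ('*') chatter
        line = line[2:].strip()
        if line.startswith("HTTP/"):
            status = int(line.split()[1])
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    if status is None:
        raise ValueError("no HTTP status line in curl output")
    return status, headers


def check_ext_auth_rejection(raw: str, auth_endpoint: str, client_id: str,
                             redirect_uri: str) -> dict:
    """Classify the response and list every mismatch against the expected IdP setup.

    ok is True only when the request was refused and, for a redirect, every
    parameter that the browser will carry to the IdP matches what was configured."""
    status, headers = parse_curl_response(raw)
    if status == 403:
        return {"mode": "access-token-validation", "ok": True, "problems": []}
    if status != 302:
        return {"mode": "unexpected", "ok": False,
                "problems": [f"expected 302 or 403, got {status}"]}

    problems = []
    location = headers.get("location", "")
    parts = urlsplit(location)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}

    # The redirect must go to the IdP you configured, nowhere else.
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != auth_endpoint:
        problems.append(f"redirect target is not the configured authorization endpoint: {location}")
    if params.get("client_id") != client_id:
        problems.append(f"client_id is {params.get('client_id')!r}, expected {client_id!r}")
    # The callback must be the one registered at the IdP, or the code is sent elsewhere.
    if params.get("redirect_uri") != redirect_uri:
        problems.append(f"redirect_uri is {params.get('redirect_uri')!r}, expected {redirect_uri!r}")
    if params.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    if "openid" not in params.get("scope", "").split():
        problems.append("scope does not include 'openid'")
    if not params.get("state"):
        problems.append("state parameter is missing (no CSRF binding for the callback)")
    return {"mode": "authorization-code", "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_CODE_RESPONSE, SAMPLE_ACCESS_TOKEN_RESPONSE):
        print(check_ext_auth_rejection(sample, AUTH_ENDPOINT, CLIENT_ID, REDIRECT_URI))
```

    To use it against a live gateway, save the output of the curl command above to a file, read it into raw and pass the authorization endpoint, client id and redirect URI from your own OIDC configuration instead of the placeholders. A 200 response, or a 302 with problems listed, means the policy is not applied to that route or the labels do not match.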

Good job! Your API products are now protected by the OAuth policies. Later, you set up the frontend for the developer portal. Then, you are able to securely log in and get access to the API products again.

Next steps

When you are done with trying out Portal, you can clean up all of the resources that you created.