Skip to content

Latest commit

 

History

History
28 lines (17 loc) · 2.13 KB

README.md

File metadata and controls

28 lines (17 loc) · 2.13 KB

Portable OIDC Authentication stack

This repository provides a portable, pluggable and exportable OIDC stack to protect any application in both docker and Kubernetes flavours.

Tech stack

  1. Router: The opensource Traefik router is used to enforce authentication using its forwardAuth middleware.

  2. OIDC Proxy: The traefik-forward-auth is used to connect to any OAuth 2.0/OIDC supported Identity Provider. Additionally, it supports authorization rules if needed.

  3. docker-compose: A compose stack is provided that can be used as a base for integrating with other applications.

  4. Kubernetes: A kustomization manifest is provided that uses the configs and static manifests to deploy the same stack in Kubernetes with either a NodePort or integrating to an existing Ingress controller.

Usage

This repository deploys a sample app using containous/whoami which also helps in visalization of the headers that will be available after login.

  1. Modify the configs/oidc.env and configs/oidc.secret.env to set the Identity Provider information. More details are available in traefik-forward-auth's configuration guide.

  2. If you need HTTPS with a valid SSL certificate in case of docker, or using NodePort in Kubernetes (not needed when using Ingress), follow the steps below.

    • Add tls.crt and tls.key files to the certs/ folder.
    • Modify the configs/dynamic/config.yaml to uncomment the TLS section on top.
    • In case of Kubernetes, uncomment the traefik-certs in the patchesStrategicMerge and secretGenerator section of kustomization.yaml.
  3. Deploy the stack. For Kubernetes, this deploys to the default namespace. You can change this in the kustomization.yaml.

    • Docker: docker-compose up -d
    • Kubernetes: kubectl apply -k .