OIDCProvider
microgateway.airlock.com/v1alpha1
OIDCProvider specifies an OpenID Provider (OP).
Warning
The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- ID token and access token are stored in cookies and are thus sent to the accessing client.
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
name: oidc-provider-example
spec:
static:
endpoints:
authorization:
uri: https://iam.airlock.com/authorize
token:
uri: https://iam.airlock.com/tokenapiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
name: defaultOIDCProvider
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
metadata |
ObjectMeta | Refer to Kubernetes API documentation for fields of metadata |
yes | ||
| spec | object | Specification of an OpenID Provider. | yes | static{} |
OIDCProvider.spec
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| static | object | Static configures an OpenID Provider by explicitly specifying all endpoints. | no |
OIDCProvider.spec.static
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| endpoints | object | Endpoints specifies the OpenID Provider endpoints. | yes |
OIDCProvider.spec.static.endpoints
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| authorization | object | Authorization specifies the endpoint to which the authorization request is sent. | yes | ||
| token | object | Token configures the endpoint from which the access, ID and refresh tokens are obtained. | yes |
OIDCProvider.spec.static.endpoints.authorization
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
uri |
string | URI specifies the endpoint address. | yes |
OIDCProvider.spec.static.endpoints.token
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| tls | object | TLS defines TLS settings. | no | ||
uri |
string | URI specifies the endpoint address. | yes |
OIDCProvider.spec.static.endpoints.token.tls
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| certificateVerification | object | CertificateVerification specifies how the certificate presented by the server is verified. | no | publicCAs{...} |
disabled{}, publicCAs{}, custom{} |
ciphers |
string[] | Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. | no | ||
| protocol | object | Protocol defines the supported TLS protocol versions. | no |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| custom | object | Custom explicitly specifies how the server certificate should be verified. Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. |
no | ||
| disabled | object | Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. |
no | ||
| publicCAs | object | PublicCAs specifies to only accept certificates with a SAN matching “uri” and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine’s base image. | no |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| allowedSANs | object[] | AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, that is to say, the SAN is verified if at least one matcher is matched. AllowedSANs requires trustedCA to be set. |
no | ||
| crl | object | CRL defines the Certificate Revocation List (CRL) settings. | no | ||
| certificatePinning | object | CertificatePinning defines constraints the presented certificate must fulfill. If more than one constraint is configured only one must be satisfied. At least one of allowedSPKIs and allowedHashes must be set. |
no | ||
| trustedCA | object | TrustedCA defines which CA certificates are trusted. | no |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the string matcher for the SAN value. | yes | exact{}, prefix{}, suffix{}, regex{}, contains{} |
|
sanType |
enum | SanType defines the type of SAN matcher. | yes | DNS, Email, URI, IPAddress |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[].matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
ignoreCase |
bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
no | false |
true, false |
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| lists | object[] | Lists defines the list of secretRefs containing Certificate Revocation Lists. | no | ||
validationMode |
enum | ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. | no | VerifyChain |
VerifyLeafCertOnly, VerifyChain |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| secretRef | object | SecretRef defines the reference to a secret containing one or more CRL’s (in PEM format) under the key ‘ca.crl’. | yes |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[].secretRef
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the resource | yes |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.certificatePinning
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
allowedHashes |
string[] | AllowedHashes is a list of hex-encoded SHA-256 hashes. If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. |
no | ||
allowedSPKIs |
string[] | AllowedSPKIs is a list of base64-encoded SHA-256 hashes. If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. |
no |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| certificates | object[] | Certificates defines the list of secretRefs containing trusted CA certificates. | yes | ||
verificationDepth |
uint32 | VerificationDepth specifies the hops in the certificate chain at which validation is performed. 1 means that either the leaf or the signing CA must be in the set of trusted certificates. |
no | 1 |
[0, 4294967295] |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| secretRef | object | SecretRef defines the reference to a secret containing one or more CA certificates under the key ‘ca.crt’. | yes |
OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[].secretRef
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the resource | yes |
OIDCProvider.spec.static.endpoints.token.tls.protocol
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
maximum |
enum | Maximum supported TLS version. | no | TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3 |
|
minimum |
enum | Minimum supported TLS version. | no | TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3 |