OIDCRelyingParty
microgateway.airlock.com/v1alpha1
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
Warning
The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- ID token and access token are stored in cookies and are thus sent to the accessing client.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCRelyingParty
metadata:
  name: oidc-rp-example
spec:
  oidcProviderRef:
    name: example-provider
  clientID: my-id
  credentials:
    clientSecret:
      method: BasicAuth
      secretRef:
        name: client-password
  pathMapping:
    logoutPath:
      matcher:
        exact: /logout
    redirectPath:
      matcher:
        exact: /callback
  redirectURI: "%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback"
```
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCRelyingParty
metadata:
  name: default
```

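The redirectURI in the example above is assembled from request headers at runtime. The Go program below is an added example, not code from Airlock Microgateway, showing how such a template expands against the headers of an incoming request and what should be checked before the value goes into an authorization request: an absent header must fail loudly instead of silently producing `://host/callback`, and the result must be an absolute http(s) URL. The `%REQ(...)%` parsing, the lower-case header map, the colon-stripping lookup and the validation rules are assumptions of this example. Since both scheme and authority come from the request, the set of values a request can produce is bounded only by the redirect URIs registered at the OpenID Provider, so the exact callback URL should be registered there rather than a pattern.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// reqOperator matches the Envoy %REQ(name)% command operator used in the
// redirectURI field. Only REQ is handled here; Envoy's formatter knows more.
var reqOperator = regexp.MustCompile(`%REQ\(([^)]+)\)%`)

// ExpandRedirectURI renders tmpl against the request headers hdr (lower-case
// names; ":authority" is the HTTP/2 pseudo-header carrying the host). A
// missing header is an error instead of an empty string, and the result must
// parse as an absolute http(s) URL, so a malformed redirect_uri is never sent
// to the OP. The lookup rules are an assumption of this example.
func ExpandRedirectURI(tmpl string, hdr map[string]string) (string, error) {
	var missing []string
	expanded := reqOperator.ReplaceAllStringFunc(tmpl, func(op string) string {
		name := strings.ToLower(reqOperator.FindStringSubmatch(op)[1])
		v, ok := hdr[name]
		if !ok {
			// The reference writes %REQ(:x-forwarded-proto)% with a leading colon;
			// assume a plain header may be spelled either way.
			v, ok = hdr[strings.TrimPrefix(name, ":")]
		}
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("redirectURI: request lacks header(s) %v", missing)
	}
	u, err := url.Parse(expanded)
	if err != nil {
		return "", fmt.Errorf("redirectURI: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", fmt.Errorf("redirectURI %q is not an absolute http(s) URL", expanded)
	}
	return expanded, nil
}

func main() {
	const tmpl = "%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback"
	// Constructed sample headers for a request that arrived via a TLS-terminating proxy.
	hdr := map[string]string{":authority": "app.example.com", "x-forwarded-proto": "https"}
	uri, err := ExpandRedirectURI(tmpl, hdr)
	fmt.Println(uri, err)
	// Same template without the proxy header: the error surfaces instead of
	// "://app.example.com/callback" being sent to the OP.
	_, err = ExpandRedirectURI(tmpl, map[string]string{":authority": "app.example.com"})
	fmt.Println(err)
}
```

A request reaching the gateway over plain HTTP from the proxy, with no x-forwarded-proto header, is the case the error branch catches; whatever the gateway does in that situation, it should not be to send a half-built redirect_uri.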
OIDCRelyingParty

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
spec | object | Specification of the OIDC Relying Party configuration. | yes | | |

OIDCRelyingParty.spec

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
clientID | string | ClientID specifies the OIDCRelyingParty "client_id". | yes | | |
credentials | object | Credentials used for client authentication on the back-channel with the authorization server. | yes | | |
oidcProviderRef | object | OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. | yes | | |
pathMapping | object | PathMapping configures the action matching. | yes | | |
redirectURI | string | RedirectURI configures the "redirect_uri" parameter included in the authorization request. May contain Envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. | yes | | |

OIDCRelyingParty.spec.credentials

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
clientSecret | object | ClientSecret authenticates with the client password issued by the OpenID Provider (OP). | yes | | |

OIDCRelyingParty.spec.credentials.clientSecret

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
method | enum | Method specifies in which format the client secret is sent with the authorization request. | no | BasicAuth | BasicAuth, FormURLEncoded |
secretRef | object | SecretRef specifies the Kubernetes secret containing the client password under the key "client.secret". | yes | | |

OIDCRelyingParty.spec.credentials.clientSecret.secretRef

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |

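The two allowed values of method are assumed here to correspond to the two client authentication styles of an OAuth 2.0 token endpoint: BasicAuth carries the client password in an HTTP Basic Authorization header, FormURLEncoded carries it as client_secret in the form body. The Go program below is an added example, not Microgateway's own code, that builds the back-channel request both ways; NewTokenRequest and FormBody are hypothetical helpers and every value is constructed. It shows the detail that is easy to get wrong with Basic: client id and secret are form-urlencoded before Base64 (RFC 6749, section 2.3.1), so a secret containing ':' or '%' reaches the OP intact.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// ClientSecretMethod mirrors spec.credentials.clientSecret.method.
type ClientSecretMethod string

const (
	BasicAuth      ClientSecretMethod = "BasicAuth"      // Authorization: Basic header (client_secret_basic)
	FormURLEncoded ClientSecretMethod = "FormURLEncoded" // client_id/client_secret in the body (client_secret_post)
)

// NewTokenRequest is a hypothetical helper that builds the back-channel POST
// redeeming an authorization code at the OP's token endpoint, authenticating
// the client with the selected method.
func NewTokenRequest(tokenEndpoint, clientID, clientSecret, code, redirectURI string, method ClientSecretMethod) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)

	var authz string
	switch method {
	case BasicAuth:
		// RFC 6749 section 2.3.1: id and secret are form-urlencoded before
		// Base64 so a ':' or '%' inside the secret cannot be misparsed by the OP.
		cred := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
		authz = "Basic " + base64.StdEncoding.EncodeToString([]byte(cred))
	case FormURLEncoded:
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	default:
		return nil, fmt.Errorf("unsupported clientSecret.method %q", method)
	}

	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	return req, nil
}

// FormBody re-reads the request body (NewRequest sets GetBody for a
// strings.Reader) and parses it, which is handy for inspection and tests.
func FormBody(req *http.Request) (url.Values, error) {
	rc, err := req.GetBody()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	b, err := io.ReadAll(rc)
	if err != nil {
		return nil, err
	}
	return url.ParseQuery(string(b))
}

func main() {
	for _, m := range []ClientSecretMethod{BasicAuth, FormURLEncoded} {
		// Constructed values; the secret deliberately contains ':' and '%'.
		req, err := NewTokenRequest("https://op.example.com/token", "my-id", "p@ss:w%rd",
			"constructed-code", "https://app.example.com/callback", m)
		if err != nil {
			panic(err)
		}
		body, _ := FormBody(req)
		fmt.Printf("%-15s Authorization=%q body=%s\n", m, req.Header.Get("Authorization"), body.Encode())
	}
}
```

With BasicAuth the secret never appears in the body, which matters when request bodies are logged or forwarded; with FormURLEncoded the Authorization header stays empty and the secret rides in the form, so body logging on the path to the OP must be treated accordingly.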
OIDCRelyingParty.spec.oidcProviderRef

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |

OIDCRelyingParty.spec.pathMapping

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
logoutPath | object | LogoutPath specifies which request paths should initiate a logout. | yes | | |
redirectPath | object | RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. | yes | | |

OIDCRelyingParty.spec.pathMapping.logoutPath

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

OIDCRelyingParty.spec.pathMapping.logoutPath.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains match is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |

OIDCRelyingParty.spec.pathMapping.redirectPath

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |

OIDCRelyingParty.spec.pathMapping.redirectPath.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains match is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped in a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
