OIDCProvider

microgateway.airlock.com/v1alpha1


OIDCProvider specifies an OpenID Provider (OP).

Warning

The OIDC feature is currently in an experimental state.

We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:

  • The state parameter is guessable.
  • Sessions are always shared across all Microgateway Engines using the same Redis instance. I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs.
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
  name: oidc-provider-example
spec:
  static:
    endpoints:
      authorization:
        uri: https://iam.airlock.com/authorize
      token:
        uri: https://iam.airlock.com/token
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
  name: default

OIDCProvider

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object Specification of an OpenID Provider. yes static{}

OIDCProvider.spec

Field Type Description Required Default Allowed Values
static object Static configures an OpenID Provider by explicitly specifying all endpoints. no

OIDCProvider.spec.static

Field Type Description Required Default Allowed Values
endpoints object Endpoints specifies the OpenID Provider endpoints. yes

OIDCProvider.spec.static.endpoints

Field Type Description Required Default Allowed Values
authorization object Authorization specifies the endpoint to which the authorization request is sent. yes
token object Token configures the endpoint from which the access, ID and refresh tokens are obtained. yes

OIDCProvider.spec.static.endpoints.authorization

Field Type Description Required Default Allowed Values
uri string URI specifies the endpoint address. yes

OIDCProvider.spec.static.endpoints.token

Field Type Description Required Default Allowed Values
tls object TLS defines TLS settings. no
uri string URI specifies the endpoint address. yes

OIDCProvider.spec.static.endpoints.token.tls

Field Type Description Required Default Allowed Values
certificateVerification object CertificateVerification specifies how the certificate presented by the server is verified. no publicCAs{...} disabled{}, publicCAs{}, custom{}
ciphers string[] Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. no
protocol object Protocol defines the supported TLS protocol versions. no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification

Field Type Description Required Default Allowed Values
custom object Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
no
disabled object Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
no
publicCAs object PublicCAs specifies to only accept certificates with a SAN matching “uri” and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine’s base image. no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom

Field Type Description Required Default Allowed Values
allowedSANs object[] AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.
no
crl object CRL defines the Certificate Revocation List (CRL) settings. no
certificatePinning object CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.
no
trustedCA object TrustedCA defines which CA certificates are trusted. no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[]

Field Type Description Required Default Allowed Values
matcher object Matcher defines the string matcher for the SAN value. yes exact{}, prefix{}, suffix{}, regex{}, contains{}
sanType enum SanType defines the type of SAN matcher. yes DNS, Email, URI, IPAddress

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[].matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl

Field Type Description Required Default Allowed Values
lists object[] Lists defines the list of secretRefs containing Certificate Revocation Lists. no
validationMode enum ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. no VerifyChain VerifyLeafCertOnly, VerifyChain

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[]

Field Type Description Required Default Allowed Values
secretRef object SecretRef defines the reference to a secret containing one or more CRL’s (in PEM format) under the key ‘ca.crl’. yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[].secretRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.certificatePinning

Field Type Description Required Default Allowed Values
allowedHashes string[] AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
no
allowedSPKIs string[] AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA

Field Type Description Required Default Allowed Values
certificates object[] Certificates defines the list of secretRefs containing trusted CA certificates. yes
verificationDepth uint32 VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
no 1 [0, 4294967295]

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[]

Field Type Description Required Default Allowed Values
secretRef object SecretRef defines the reference to a secret containing one or more CA certificates under the key ‘ca.crt’. yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[].secretRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

OIDCProvider.spec.static.endpoints.token.tls.protocol

Field Type Description Required Default Allowed Values
maximum enum Maximum supported TLS version. no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
minimum enum Minimum supported TLS version. no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3