CR OIDCRelyingParty

This CR OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Connect provider such as Airlock IAM. The CR OIDCProvider is referenced, allowing reuse for different back-ends.

The OIDC feature is currently in an experimental state.

We encourage you to try it out and give feedback, but we do not recommend using it in a production environment yet, as security has not yet been hardened.

The current implementation has the following limitations:

  • The state parameter is guessable.
  • Sessions are shared across all Microgateway Engines using the same Redis instance. I.e. if different applications share the same Redis instance, users may be able to access authenticated routes across applications, even if their OIDCRelyingParty configuration differs.

Example configuration

For the default and example configuration, see CR OIDCRelyingParty reference documentation.

About the example configuration:

  • The referenced CR OIDCProvider specifies the OpenID Connect provider, e.g., Airlock IAM. Currently, only client secret-based authentication via BasicAuth or FormURLEncoded POST body is available.
  • When accessing the logoutPath, the user is logged out from the OIDC relying party. If required, logout from the OIDC provider must be triggered separately.

The Secret requires the key client.secret for the password string as in the following example:

apiVersion: v1
kind: Secret
metadata:
  name: oidc-client-secret
stringData:
  client.secret: "myClientSecret1234"