OIDCRelyingParty
microgateway.airlock.com/v1alpha1
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
Info: The OIDC feature requires SessionHandling to be configured in the SidecarGateway.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCRelyingParty
metadata:
  name: oidc-rp-example
spec:
  oidcProviderRef:
    name: example-provider
  clientID: my-id
  scopes:
    - openid
    - profile
    - email
    - roles
  credentials:
    clientSecret:
      method: BasicAuth
      secretRef:
        name: client-password
  pathMapping:
    logoutPath:
      matcher:
        exact: /logout
    redirectPath:
      matcher:
        exact: /callback
  redirectURI: "%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback"
  flowTimeout: 7m
```
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCRelyingParty
metadata:
  name: default
```
OIDCRelyingParty

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
spec | object | Specification of the OIDC Relying Party configuration. | yes | | |
OIDCRelyingParty.spec

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
clientID | string | ClientID specifies the OIDCRelyingParty “client_id”. | yes | | |
credentials | object | Credentials used for client authentication on the back-channel with the authorization server. | yes | | |
flowTimeout | string | FlowTimeout specifies the time window within which an initiated OIDC flow can be completed by the client. | no | 5m | See link |
oidcProviderRef | object | OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. | yes | | |
pathMapping | object | PathMapping configures the action matching. | yes | | |
redirectURI | string | RedirectURI configures the “redirect_uri” parameter included in the authorization request. May contain envoy command operators, e.g.: %REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches requests to this URI. | yes | | |
scopes | string[] | Scopes specifies the scopes to request during the OIDC flow. The mandatory openid scope is implicitly added to the list if not already present. Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now. | no | ['openid', 'profile'] | |
OIDCRelyingParty.spec.credentials

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
clientSecret | object | ClientSecret authenticates with the client password issued by the OpenID Provider (OP). | yes | | |
OIDCRelyingParty.spec.credentials.clientSecret

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
method | enum | Method specifies in which format the client secret is sent with the authorization request. | no | BasicAuth | BasicAuth, FormURLEncoded |
secretRef | object | SecretRef specifies the kubernetes secret containing the client password with key “client.secret”. | yes | | |
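What the `method` enum changes is where the client password travels in the back-channel request to the authorization server. The Go program below is an added example (not the engine's code) that builds the token request both ways so the difference is visible: with `BasicAuth` the client ID and secret are form-encoded, joined with a colon and sent base64-encoded in the `Authorization` header, while with `FormURLEncoded` they are sent as `client_id` and `client_secret` form fields in the body. Mapping these two names onto RFC 6749's `client_secret_basic` and `client_secret_post` is my assumption from their descriptions; the endpoint, client ID, secret and authorization code are constructed sample values.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// SecretMethod mirrors the allowed values of spec.credentials.clientSecret.method.
type SecretMethod string

const (
	BasicAuth      SecretMethod = "BasicAuth"      // assumed: RFC 6749 client_secret_basic
	FormURLEncoded SecretMethod = "FormURLEncoded" // assumed: RFC 6749 client_secret_post
)

// TokenRequest builds the authorization-code token request and places the
// client secret according to method. Hypothetical helper for illustration.
func TokenRequest(tokenEndpoint, clientID, clientSecret, code, redirectURI string, method SecretMethod) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)

	switch method {
	case BasicAuth:
		// Nothing secret goes into the body; see the header below.
	case FormURLEncoded:
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	default:
		return nil, fmt.Errorf("unsupported clientSecret.method %q", method)
	}

	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if method == BasicAuth {
		// RFC 6749 section 2.3.1: both halves are form-urlencoded before
		// being joined and base64-encoded.
		creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
		req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(creds)))
	}
	return req, nil
}

// BodyOf reads the encoded form back so the two placements can be compared.
func BodyOf(req *http.Request) (url.Values, error) {
	b, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	return url.ParseQuery(string(b))
}

func main() {
	// Constructed sample values; no real provider is contacted.
	for _, m := range []SecretMethod{BasicAuth, FormURLEncoded} {
		req, err := TokenRequest("https://op.example/token", "my-id", "s3cret", "abc123", "https://app.example.com/callback", m)
		if err != nil {
			fmt.Println(err)
			continue
		}
		body, _ := BodyOf(req)
		fmt.Printf("%-15s Authorization=%q body=%v\n", m, req.Header.Get("Authorization"), body)
	}
}
```

Either way the secret leaves the gateway only on the back-channel to the token endpoint, never in the browser-facing authorization request; the Kubernetes secret referenced by `secretRef` is the single place it should live, and log pipelines that capture request headers or bodies of that back-channel need to redact both placements.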
OIDCRelyingParty.spec.credentials.clientSecret.secretRef

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
OIDCRelyingParty.spec.oidcProviderRef

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
OIDCRelyingParty.spec.pathMapping

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
logoutPath | object | LogoutPath specifies which request paths should initiate a logout. WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these logout requests. | yes | | |
redirectPath | object | RedirectPath specifies which request paths should be interpreted as a callback redirect from the authorization endpoint. WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these callback redirect requests. | yes | | |
OIDCRelyingParty.spec.pathMapping.logoutPath

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
OIDCRelyingParty.spec.pathMapping.logoutPath.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
OIDCRelyingParty.spec.pathMapping.redirectPath

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | | yes | | exact{}, prefix{}, suffix{}, regex{}, contains{} |
OIDCRelyingParty.spec.pathMapping.redirectPath.matcher

Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
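The `logoutPath.matcher` and `redirectPath.matcher` tables above describe the same five match kinds and the same rules (exactly one kind set, no empty prefix/suffix/contains, `ignoreCase` wrapping a regex in `(?i:...)`, RE2 single-line matching unless `(?s)` is prepended). The Go program below is an added example that implements those rules as a reusable matcher so they can be tried against sample paths; it is not the engine's code. Go's `regexp` package implements RE2 syntax, which is why it is a faithful stand-in here. Whether the engine anchors a regex to the whole path is not stated on the page, so `Match` searches the pattern and the samples anchor it explicitly with `^...$`; the `PathMatcher` and `Compiled` types and the `S` helper are my own names, and the paths are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PathMatcher mirrors spec.pathMapping.{logoutPath,redirectPath}.matcher.
// nil means the kind is unset; a non-nil empty string means set-but-empty.
type PathMatcher struct {
	Exact, Prefix, Suffix, Regex, Contains *string
	IgnoreCase                             bool
}

// Compiled is a validated matcher ready to evaluate request paths.
type Compiled struct {
	kind  string
	value string
	re    *regexp.Regexp
	fold  bool
}

// S returns a pointer to a string literal (hypothetical convenience helper).
func S(s string) *string { return &s }

// Compile enforces the field descriptions: exactly one kind, no empty
// prefix/suffix/contains, and a regex wrapped in (?i:...) when ignoreCase.
func (m PathMatcher) Compile() (*Compiled, error) {
	type kind struct {
		name string
		val  *string
	}
	var chosen []kind
	for _, k := range []kind{{"exact", m.Exact}, {"prefix", m.Prefix}, {"suffix", m.Suffix}, {"regex", m.Regex}, {"contains", m.Contains}} {
		if k.val != nil {
			chosen = append(chosen, k)
		}
	}
	if len(chosen) != 1 {
		return nil, errors.New("exactly one of exact, prefix, suffix, regex or contains must be set")
	}
	c := &Compiled{kind: chosen[0].name, value: *chosen[0].val, fold: m.IgnoreCase}
	switch c.kind {
	case "prefix", "suffix", "contains":
		if c.value == "" {
			return nil, fmt.Errorf("empty %s is not allowed, use regex instead", c.kind)
		}
	case "regex":
		expr := c.value
		if m.IgnoreCase {
			expr = "(?i:" + expr + ")"
		}
		re, err := regexp.Compile(expr) // RE2 syntax, single-line unless (?s)
		if err != nil {
			return nil, fmt.Errorf("invalid regex: %w", err)
		}
		c.re = re
	}
	return c, nil
}

// Match evaluates a request path. Assumption: the regex is searched, not
// anchored; anchor it with ^...$ when the whole path must match.
func (c *Compiled) Match(path string) bool {
	p, v := path, c.value
	if c.fold && c.kind != "regex" {
		p, v = strings.ToLower(p), strings.ToLower(v)
	}
	switch c.kind {
	case "exact":
		return p == v
	case "prefix":
		return strings.HasPrefix(p, v)
	case "suffix":
		return strings.HasSuffix(p, v)
	case "contains":
		return strings.Contains(p, v)
	case "regex":
		return c.re.MatchString(path)
	}
	return false
}

func main() {
	// The page's example matchers against constructed sample paths.
	logout, _ := PathMatcher{Exact: S("/logout")}.Compile()
	callback, _ := PathMatcher{Regex: S("^/callback$"), IgnoreCase: true}.Compile()
	for _, p := range []string{"/logout", "/logout/", "/Callback", "/callback/x"} {
		fmt.Printf("%-12s logout=%v callback=%v\n", p, logout.Match(p), callback.Match(p))
	}
	// Single-line by default: "." does not cross a newline unless (?s) is set.
	plain, _ := PathMatcher{Regex: S("^/a.*/b$")}.Compile()
	multi, _ := PathMatcher{Regex: S("(?s)^/a.*/b$")}.Compile()
	fmt.Println(plain.Match("/a\nx/b"), multi.Match("/a\nx/b"))
}
```

The practical use of such a harness is to confirm, before a rollout, that the logout and callback matchers accept exactly the paths you intend (`/logout` but not `/logout/`, for instance) and that the same paths are covered by the AccessControl request condition the WARNING notes above refer to.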