OIDCRelyingParty

microgateway.airlock.com/v1alpha1

OIDCRelyingParty defines an OpenID Connect Relying Party (OIDC RP) configuration for interacting with an OpenID Provider (OP) to authenticate users via an OpenID Connect flow.

Info

The OIDC feature requires SessionHandling to be configured in the GatewayParameters.

apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCRelyingParty
metadata:
  name: oidc-rp-example
spec:
  oidcProviderRef:
    name: example-provider
  clientID: my-id
  scopes:
    - openid
    - profile
    - email
    - roles
  credentials:
    clientSecret:
      method: BasicAuth
      secretRef:
        name: client-password
  pathMapping:
    logoutPath:
      matcher:
        exact: /logout
    redirectPath:
      matcher:
        exact: /callback
  redirectURI: "%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback"
  flowTimeout: 7m

OIDCRelyingParty

Field	Description	Type	Required	Default	Allowed Values
metadata	defines the resource’s metadata	ObjectMeta	yes
spec	defines the desired OIDC relying party configuration.	object	yes

OIDCRelyingParty.spec

Field	Description	Type	Required	Default	Allowed Values
clientID	specifies the OIDCRelyingParty “client_id”.	string	yes
credentials	used for client authentication on the back-channel with the authorization server.	object	yes
flowTimeout	specifies the time window within which an initiated OIDC flow can be completed by the client.	string (duration)	no	`5m`	See link
oidcProviderRef	selects the OpenID Provider (OP) used to authenticate users.	object	yes
pathMapping	configures the action matching.	object	yes
redirectURI	configures the “redirect_uri” parameter included in the authorization request. May contain envoy command operators, e.g.: `%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback` Note: You must ensure this URI is matched by the HTTPRoute to which the referencing AccessControlPolicy is attached.	string	yes
scopes	specifies the scopes to request during the OIDC flow. The mandatory `openid` scope is implicitly added to the list if not already present. Default: `['openid', 'profile']` Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now.	string[]	no

OIDCRelyingParty.spec.credentials

Field	Description	Type	Required	Default	Allowed Values
clientSecret	authenticates with the client password issued by the OpenID Provider (OP).	object	yes

OIDCRelyingParty.spec.credentials.clientSecret

Field	Description	Type	Required	Default	Allowed Values
method	specifies in which format the client secret is sent with the authorization request.	enum	no	`BasicAuth`	`BasicAuth`, `FormURLEncoded`
secretRef	specifies the kubernetes secret containing the client password with key “client.secret”.	object	yes

OIDCRelyingParty.spec.credentials.clientSecret.secretRef

Field	Description	Type	Required	Default	Allowed Values
name	of the resource	string	yes

OIDCRelyingParty.spec.oidcProviderRef

Field	Description	Type	Required	Default	Allowed Values
name	of the resource	string	yes

OIDCRelyingParty.spec.pathMapping

Field	Description	Type	Required	Default	Allowed Values
logoutPath	specifies which request paths should initiate a logout. Note: You must ensure this path is matched by the HTTPRoute to which the referencing AccessControlPolicy is attached. Note: If the policy referencing this OIDCRelyingParty has a request condition, you must ensure that it also matches these logout requests.	object	yes
redirectPath	specifies which request paths should be interpreted as a callback redirect from the authorization endpoint. Note: You must ensure this path is matched by the HTTPRoute to which the referencing AccessControlPolicy is attached.	object	yes

OIDCRelyingParty.spec.pathMapping.logoutPath

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

OIDCRelyingParty.spec.pathMapping.logoutPath.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no

OIDCRelyingParty.spec.pathMapping.redirectPath

Field	Description	Type	Required	Default	Allowed Values
matcher		object	yes		`contains{}`, `exact{}`, `prefix{}`, `regex{}`, `suffix{}`

OIDCRelyingParty.spec.pathMapping.redirectPath.matcher

Field	Description	Type	Required	Default	Allowed Values
contains	defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
exact	defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
ignoreCase	indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.	bool	no	`false`	`true`, `false`
prefix	defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
regex	defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set.	string	no
suffix	defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set.	string	no