OIDCProvider

microgateway.airlock.com/v1alpha1

OIDCProvider defines an OpenID Provider (OP) configuration.

Info

The OIDC feature requires SessionHandling to be configured in the SidecarGateway. 

apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
  name: oidc-provider-example
spec:
  static:
    issuer: https://iam.airlock.com/
    endpoints:
      authorization:
        uri: https://iam.airlock.com/authorize
      token:
        uri: https://iam.airlock.com/token
      introspection:
        uri: https://iam.airlock.com/introspection
    tokenValidation:
      idToken:
        signatureVerification:
          jwksRef:
            name: jwks-example

OIDCProvider

Field Description Type Required Default Allowed Values
metadata defines the resource’s metadata ObjectMeta yes
spec defines the desired OpenID Provider configuration. object yes static{}

OIDCProvider.spec

Field Description Type Required Default Allowed Values
static configures an OpenID Provider by explicitly specifying all endpoints. object no

OIDCProvider.spec.static

Field Description Type Required Default Allowed Values
endpoints specifies the OpenID Provider endpoints. object yes
issuer specifies the unique identifier of the OIDC Provider, which is used e.g. for signature verification. string yes
tokenValidation configures token validation. object yes

OIDCProvider.spec.static.endpoints

Field Description Type Required Default Allowed Values
authorization specifies the endpoint to which the authorization request is sent. object yes
introspection configures the endpoint to which the introspection request to validate access tokens is sent. object no
token configures the endpoint from which the access, ID and refresh tokens are obtained. object yes

OIDCProvider.spec.static.endpoints.authorization

Field Description Type Required Default Allowed Values
uri specifies the endpoint address. string yes

OIDCProvider.spec.static.endpoints.introspection

Field Description Type Required Default Allowed Values
timeouts specifies the timeouts when interacting with the Token endpoint. object no
tls defines TLS settings. object no
uri specifies the endpoint address. string yes

OIDCProvider.spec.static.endpoints.introspection.tls

Field Description Type Required Default Allowed Values
certificateVerification specifies how the certificate presented by the server is verified. object no publicCAs{...} custom{}, disabled{}, publicCAs{}
ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. string[] no
protocol defines the supported TLS protocol versions. object no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification

Field Description Type Required Default Allowed Values
custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.		 object no
disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.		 object no {}
publicCAs specifies to only accept certificates with a SAN matching “uri” and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine’s base image. object no {}

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom

Field Description Type Required Default Allowed Values
allowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.		 object[] no
certificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.		 object no
crl defines the Certificate Revocation List (CRL) settings. object no
trustedCA defines which CA certificates are trusted. object no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.allowedSANs[]

Field Description Type Required Default Allowed Values
matcher defines the string matcher for the SAN value. object yes contains{}, exact{}, prefix{}, regex{}, suffix{}
sanType defines the type of SAN matcher. enum yes DNS, Email, IPAddress, URI

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.allowedSANs[].matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.crl

Field Description Type Required Default Allowed Values
lists defines the list of secretRefs containing Certificate Revocation Lists. object[] no
validationMode defines whether only the leaf certificate or also the CA certs should be checked. enum no VerifyChain VerifyChain, VerifyLeafCertOnly

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.crl.lists[]

Field Description Type Required Default Allowed Values
secretRef defines the reference to a secret containing one or more CRL’s (in PEM format) under the key ‘ca.crl’. object yes

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.crl.lists[].secretRef

Field Description Type Required Default Allowed Values
name of the resource string yes

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.certificatePinning

Field Description Type Required Default Allowed Values
allowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.		 string[] no
allowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.		 string[] no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.trustedCA

Field Description Type Required Default Allowed Values
certificates defines the list of secretRefs containing trusted CA certificates. object[] yes
verificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.		 int32 no 1 [0, 2147483647]

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.trustedCA.certificates[]

Field Description Type Required Default Allowed Values
secretRef defines the reference to a secret containing one or more CA certificates under the key ‘ca.crt’. object yes

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.trustedCA.certificates[].secretRef

Field Description Type Required Default Allowed Values
name of the resource string yes

OIDCProvider.spec.static.endpoints.introspection.tls.protocol

Field Description Type Required Default Allowed Values
maximum supported TLS version. enum no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
minimum supported TLS version. enum no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

OIDCProvider.spec.static.endpoints.introspection.timeouts

Field Description Type Required Default Allowed Values
connect specifies the timeout for establishing a connection. string (duration) no 5s See link
maxDuration specifies the response timeout. string (duration) no 15s See link

OIDCProvider.spec.static.endpoints.token

Field Description Type Required Default Allowed Values
timeouts specifies the timeouts when interacting with the Token endpoint. object no
tls defines TLS settings. object no
uri specifies the endpoint address. string yes

OIDCProvider.spec.static.endpoints.token.tls

Field Description Type Required Default Allowed Values
certificateVerification specifies how the certificate presented by the server is verified. object no publicCAs{...} custom{}, disabled{}, publicCAs{}
ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. string[] no
protocol defines the supported TLS protocol versions. object no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification

Field Description Type Required Default Allowed Values
custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.		 object no
disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.		 object no {}
publicCAs specifies to only accept certificates with a SAN matching “uri” and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine’s base image. object no {}

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom

Field Description Type Required Default Allowed Values
allowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.		 object[] no
certificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.		 object no
crl defines the Certificate Revocation List (CRL) settings. object no
trustedCA defines which CA certificates are trusted. object no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[]

Field Description Type Required Default Allowed Values
matcher defines the string matcher for the SAN value. object yes contains{}, exact{}, prefix{}, regex{}, suffix{}
sanType defines the type of SAN matcher. enum yes DNS, Email, IPAddress, URI

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[].matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 string no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl

Field Description Type Required Default Allowed Values
lists defines the list of secretRefs containing Certificate Revocation Lists. object[] no
validationMode defines whether only the leaf certificate or also the CA certs should be checked. enum no VerifyChain VerifyChain, VerifyLeafCertOnly

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[]

Field Description Type Required Default Allowed Values
secretRef defines the reference to a secret containing one or more CRL’s (in PEM format) under the key ‘ca.crl’. object yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[].secretRef

Field Description Type Required Default Allowed Values
name of the resource string yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.certificatePinning

Field Description Type Required Default Allowed Values
allowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.		 string[] no
allowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.		 string[] no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA

Field Description Type Required Default Allowed Values
certificates defines the list of secretRefs containing trusted CA certificates. object[] yes
verificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.		 int32 no 1 [0, 2147483647]

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[]

Field Description Type Required Default Allowed Values
secretRef defines the reference to a secret containing one or more CA certificates under the key ‘ca.crt’. object yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[].secretRef

Field Description Type Required Default Allowed Values
name of the resource string yes

OIDCProvider.spec.static.endpoints.token.tls.protocol

Field Description Type Required Default Allowed Values
maximum supported TLS version. enum no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
minimum supported TLS version. enum no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

OIDCProvider.spec.static.endpoints.token.timeouts

Field Description Type Required Default Allowed Values
connect specifies the timeout for establishing a connection. string (duration) no 5s See link
maxDuration specifies the response timeout. string (duration) no 15s See link

OIDCProvider.spec.static.tokenValidation

Field Description Type Required Default Allowed Values
idToken configures validation for the OIDC ID Token. object yes

OIDCProvider.spec.static.tokenValidation.idToken

Field Description Type Required Default Allowed Values
signatureVerification specifies how to verify the ID Token signature. object yes disabled{}, jwksRef{}

OIDCProvider.spec.static.tokenValidation.idToken.signatureVerification

Field Description Type Required Default Allowed Values
disabled specifies to skip verification of the JWT signature. Not recommended for production environments. object no {}
jwksRef specifies the JWKS to use for verifying the JWT signature (usually provided by the OpenID Provider). object no

OIDCProvider.spec.static.tokenValidation.idToken.signatureVerification.jwksRef

Field Description Type Required Default Allowed Values
name of the resource string yes