OIDCProvider

microgateway.airlock.com/v1alpha1

OIDCProvider specifies an OpenID Provider (OP).

Info

The OIDC feature requires SessionHandling to be configured in the SidecarGateway. 

apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
  name: oidc-provider-example
spec:
  static:
    issuer: https://iam.airlock.com/
    endpoints:
      authorization:
        uri: https://iam.airlock.com/authorize
      token:
        uri: https://iam.airlock.com/token
      introspection:
        uri: https://iam.airlock.com/introspection
    tokenValidation:
      idToken:
        signatureVerification:
          jwksRef:
            name: jwks-example
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCProvider
metadata:
  name: default

OIDCProvider

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object Specification of an OpenID Provider. yes static{}

OIDCProvider.spec

Field Type Description Required Default Allowed Values
static object Static configures an OpenID Provider by explicitly specifying all endpoints. no

OIDCProvider.spec.static

Field Type Description Required Default Allowed Values
endpoints object Endpoints specifies the OpenID Provider endpoints. yes
issuer string Issuer specifies the unique identifier of the OIDC Provider, which is used e.g. for signature verification. yes
tokenValidation object TokenValidation configures token validation. yes

OIDCProvider.spec.static.endpoints

Field Type Description Required Default Allowed Values
authorization object Authorization specifies the endpoint to which the authorization request is sent. yes
introspection object Introspection configures the endpoint to which the introspection request to validate access tokens is sent. no
token object Token configures the endpoint from which the access, ID and refresh tokens are obtained. yes

OIDCProvider.spec.static.endpoints.authorization

Field Type Description Required Default Allowed Values
uri string URI specifies the endpoint address. yes

OIDCProvider.spec.static.endpoints.introspection

Field Type Description Required Default Allowed Values
timeouts object Timeouts specifies the timeouts when interacting with the Token endpoint. no
tls object TLS defines TLS settings. no
uri string URI specifies the endpoint address. yes

OIDCProvider.spec.static.endpoints.introspection.tls

Field Type Description Required Default Allowed Values
certificateVerification object CertificateVerification specifies how the certificate presented by the server is verified. no publicCAs{...} custom{}, disabled{}, publicCAs{}
ciphers string[] Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. no
protocol object Protocol defines the supported TLS protocol versions. no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification

Field Type Description Required Default Allowed Values
custom object Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.		 no
disabled object Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.		 no
publicCAs object PublicCAs specifies to only accept certificates with a SAN matching “uri” and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine’s base image. no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom

Field Type Description Required Default Allowed Values
allowedSANs object[] AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.		 no
certificatePinning object CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.		 no
crl object CRL defines the Certificate Revocation List (CRL) settings. no
trustedCA object TrustedCA defines which CA certificates are trusted. no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.allowedSANs[]

Field Type Description Required Default Allowed Values
matcher object Matcher defines the string matcher for the SAN value. yes contains{}, exact{}, prefix{}, regex{}, suffix{}
sanType enum SanType defines the type of SAN matcher. yes DNS, Email, IPAddress, URI

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.allowedSANs[].matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.crl

Field Type Description Required Default Allowed Values
lists object[] Lists defines the list of secretRefs containing Certificate Revocation Lists. no
validationMode enum ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. no VerifyChain VerifyChain, VerifyLeafCertOnly

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.crl.lists[]

Field Type Description Required Default Allowed Values
secretRef object SecretRef defines the reference to a secret containing one or more CRL’s (in PEM format) under the key ‘ca.crl’. yes

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.crl.lists[].secretRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.certificatePinning

Field Type Description Required Default Allowed Values
allowedHashes string[] AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.		 no
allowedSPKIs string[] AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.		 no

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.trustedCA

Field Type Description Required Default Allowed Values
certificates object[] Certificates defines the list of secretRefs containing trusted CA certificates. yes
verificationDepth uint32 VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.		 no 1 [0, 4294967295]

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.trustedCA.certificates[]

Field Type Description Required Default Allowed Values
secretRef object SecretRef defines the reference to a secret containing one or more CA certificates under the key ‘ca.crt’. yes

OIDCProvider.spec.static.endpoints.introspection.tls.certificateVerification.custom.trustedCA.certificates[].secretRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

OIDCProvider.spec.static.endpoints.introspection.tls.protocol

Field Type Description Required Default Allowed Values
maximum enum Maximum supported TLS version. no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
minimum enum Minimum supported TLS version. no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

OIDCProvider.spec.static.endpoints.introspection.timeouts

Field Type Description Required Default Allowed Values
connect string (duration) Connect specifies the timeout for establishing a connection. no 5s See link
maxDuration string (duration) MaxDuration specifies the response timeout. no 15s See link

OIDCProvider.spec.static.endpoints.token

Field Type Description Required Default Allowed Values
timeouts object Timeouts specifies the timeouts when interacting with the Token endpoint. no
tls object TLS defines TLS settings. no
uri string URI specifies the endpoint address. yes

OIDCProvider.spec.static.endpoints.token.tls

Field Type Description Required Default Allowed Values
certificateVerification object CertificateVerification specifies how the certificate presented by the server is verified. no publicCAs{...} custom{}, disabled{}, publicCAs{}
ciphers string[] Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. no
protocol object Protocol defines the supported TLS protocol versions. no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification

Field Type Description Required Default Allowed Values
custom object Custom explicitly specifies how the server certificate should be verified.
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.		 no
disabled object Disabled specifies to trust any certificate without verification.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.		 no
publicCAs object PublicCAs specifies to only accept certificates with a SAN matching “uri” and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine’s base image. no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom

Field Type Description Required Default Allowed Values
allowedSANs object[] AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
that is to say, the SAN is verified if at least one matcher is matched.
AllowedSANs requires trustedCA to be set.		 no
certificatePinning object CertificatePinning defines constraints the presented certificate must fulfill.
If more than one constraint is configured only one must be satisfied.
At least one of allowedSPKIs and allowedHashes must be set.		 no
crl object CRL defines the Certificate Revocation List (CRL) settings. no
trustedCA object TrustedCA defines which CA certificates are trusted. no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[]

Field Type Description Required Default Allowed Values
matcher object Matcher defines the string matcher for the SAN value. yes contains{}, exact{}, prefix{}, regex{}, suffix{}
sanType enum SanType defines the type of SAN matcher. yes DNS, Email, IPAddress, URI

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.allowedSANs[].matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl

Field Type Description Required Default Allowed Values
lists object[] Lists defines the list of secretRefs containing Certificate Revocation Lists. no
validationMode enum ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. no VerifyChain VerifyChain, VerifyLeafCertOnly

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[]

Field Type Description Required Default Allowed Values
secretRef object SecretRef defines the reference to a secret containing one or more CRL’s (in PEM format) under the key ‘ca.crl’. yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.crl.lists[].secretRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.certificatePinning

Field Type Description Required Default Allowed Values
allowedHashes string[] AllowedHashes is a list of hex-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.		 no
allowedSPKIs string[] AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.		 no

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA

Field Type Description Required Default Allowed Values
certificates object[] Certificates defines the list of secretRefs containing trusted CA certificates. yes
verificationDepth uint32 VerificationDepth specifies the hops in the certificate chain at which validation is performed.
1 means that either the leaf or the signing CA must be in the set of trusted certificates.		 no 1 [0, 4294967295]

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[]

Field Type Description Required Default Allowed Values
secretRef object SecretRef defines the reference to a secret containing one or more CA certificates under the key ‘ca.crt’. yes

OIDCProvider.spec.static.endpoints.token.tls.certificateVerification.custom.trustedCA.certificates[].secretRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

OIDCProvider.spec.static.endpoints.token.tls.protocol

Field Type Description Required Default Allowed Values
maximum enum Maximum supported TLS version. no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
minimum enum Minimum supported TLS version. no TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3

OIDCProvider.spec.static.endpoints.token.timeouts

Field Type Description Required Default Allowed Values
connect string (duration) Connect specifies the timeout for establishing a connection. no 5s See link
maxDuration string (duration) MaxDuration specifies the response timeout. no 15s See link

OIDCProvider.spec.static.tokenValidation

Field Type Description Required Default Allowed Values
idToken object IDToken configures validation for the OIDC ID Token. yes

OIDCProvider.spec.static.tokenValidation.idToken

Field Type Description Required Default Allowed Values
signatureVerification object SignatureVerification specifies how to verify the ID Token signature. yes disabled{}, jwksRef{}

OIDCProvider.spec.static.tokenValidation.idToken.signatureVerification

Field Type Description Required Default Allowed Values
disabled object Disabled specifies to skip verification of the JWT signature. Not recommended for production environments. no
jwksRef object JWKSRef specifies the JWKS to use for verifying the JWT signature (usually provided by the OpenID Provider). no

OIDCProvider.spec.static.tokenValidation.idToken.signatureVerification.jwksRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes