OIDCRelyingParty
microgateway.airlock.com/v1alpha1
OIDCRelyingParty defines an OpenID Connect Relying Party (OIDC RP) configuration for interacting with an OpenID Provider (OP) to authenticate users via an OpenID Connect flow.
Info
The OIDC feature requires SessionHandling to be configured in the SidecarGateway.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: OIDCRelyingParty
metadata:
  name: oidc-rp-example
spec:
  oidcProviderRef:
    name: example-provider
  clientID: my-id
  scopes:
    - openid
    - profile
    - email
    - roles
  credentials:
    clientSecret:
      method: BasicAuth
      secretRef:
        name: client-password
  pathMapping:
    logoutPath:
      matcher:
        exact: /logout
    redirectPath:
      matcher:
        exact: /callback
  redirectURI: "%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback"
  flowTimeout: 7m
```
OIDCRelyingParty
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | | |
| spec | defines the desired OIDC relying party configuration. | object | yes | | |
OIDCRelyingParty.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientID | specifies the OIDCRelyingParty “client_id”. | string | yes | | |
| credentials | used for client authentication on the back-channel with the authorization server. | object | yes | | |
| flowTimeout | specifies the time window within which an initiated OIDC flow can be completed by the client. | string | no | 5m | |
| oidcProviderRef | selects the OpenID Provider (OP) used to authenticate users. | object | yes | | |
| pathMapping | configures the action matching. | object | yes | | |
| redirectURI | configures the “redirect_uri” parameter included in the authorization request. May contain Envoy command operators, e.g.: %REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback. The expanded value must be one of the redirect URIs registered for this client at the OP, otherwise the OP rejects the authorization request. WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches requests to this URI. | string | yes | | |
| scopes | specifies the scopes to request during the OIDC flow. The mandatory openid scope is implicitly added to the list if not already present. Default: ['openid', 'profile']. Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now. | string[] | no | | |
OIDCRelyingParty.spec.credentials
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientSecret | authenticates with the client password issued by the OpenID Provider (OP). | object | yes | | |
OIDCRelyingParty.spec.credentials.clientSecret
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| method | specifies how the client secret is sent to the OP on the back-channel (token request): BasicAuth puts it in the HTTP Authorization header (OIDC client_secret_basic), FormURLEncoded sends it as the client_secret form parameter in the request body (OIDC client_secret_post). | enum | no | BasicAuth | BasicAuth, FormURLEncoded |
| secretRef | specifies the Kubernetes Secret containing the client password under the key “client.secret”. | object | yes | | |
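secretRef only carries a name, so the Secret has to be created separately with the key the table requires. The manifest below is an added example for this page, not a resource from the Airlock Microgateway documentation: the name client-password mirrors the example at the top of the page, the value is a constructed placeholder, and the assumption that the Secret lives in the same namespace as the OIDCRelyingParty that references it is mine.

```yaml
# Added example: Secret referenced by spec.credentials.clientSecret.secretRef.
# The key name "client.secret" is what the gateway looks up; any other key is ignored.
# Assumption: same namespace as the OIDCRelyingParty (secretRef has no namespace field).
apiVersion: v1
kind: Secret
metadata:
  name: client-password        # must equal secretRef.name
type: Opaque
stringData:
  client.secret: "REPLACE-WITH-THE-CLIENT-SECRET-ISSUED-BY-THE-OP"   # constructed placeholder
```

Using stringData lets you write the value in clear text in the manifest while the API server stores it base64-encoded; keep the manifest itself out of source control or seal it with your usual secret-management tooling. Both client-authentication methods (BasicAuth and FormURLEncoded) read the same key, so switching spec.credentials.clientSecret.method requires no change to the Secret.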
OIDCRelyingParty.spec.credentials.clientSecret.secretRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the referenced Secret | string | yes | | |
OIDCRelyingParty.spec.oidcProviderRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the referenced OIDCProvider resource | string | yes | | |
OIDCRelyingParty.spec.pathMapping
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| logoutPath | specifies which request paths should initiate a logout. WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these logout requests. | object | yes | | |
| redirectPath | specifies which request paths should be interpreted as a callback redirect from the authorization endpoint. WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these callback redirect requests. | object | yes | | |
OIDCRelyingParty.spec.pathMapping.logoutPath
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the request path is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
OIDCRelyingParty.spec.pathMapping.logoutPath.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
OIDCRelyingParty.spec.pathMapping.redirectPath
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the request path is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
OIDCRelyingParty.spec.pathMapping.redirectPath.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
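The matcher rules documented for both logoutPath and redirectPath above (exactly one of contains/exact/prefix/regex/suffix, empty contains/prefix/suffix rejected, ignoreCase wrapping the regex in (?i:...), and RE2 treating “.*” as single-line unless (?s) is prepended) decide whether a logout or callback request is recognised at all, so it is worth being able to test a candidate matcher offline before it lands in a policy. The Go program below is an added example written for this page, not code from Airlock Microgateway; it models the matcher as the tables describe it. The PathMatcher type, the Str helper and the test paths are constructed for this example. One assumption goes beyond the page: the regex form is treated as a full match of the path (wrapped in ^(?:...)$), which is how Envoy’s safe_regex string matcher behaves; the page does not say whether the regex is a full or partial match, so confirm that against your gateway version.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PathMatcher models spec.pathMapping.logoutPath.matcher and
// spec.pathMapping.redirectPath.matcher as documented on this page.
// Pointers distinguish "field absent" from "field set to the empty
// string", which the page treats differently for contains, prefix and suffix.
// (Type defined for this example; it is not the gateway's own type.)
type PathMatcher struct {
	Contains   *string
	Exact      *string
	Prefix     *string
	Regex      *string
	Suffix     *string
	IgnoreCase bool
}

// Str is a small helper for building matchers inline (example-only).
func Str(s string) *string { return &s }

// ErrOneOf mirrors the "only one of ... can be set" rule from the tables.
var ErrOneOf = errors.New("exactly one of contains, exact, prefix, regex or suffix must be set")

// Compile validates the matcher and returns a predicate over a request path.
// Assumption (not stated on the page): the regex must match the whole path,
// as Envoy's safe_regex string matcher does, so it is wrapped in ^(?:...)$.
func (m PathMatcher) Compile() (func(path string) bool, error) {
	fields := []struct {
		name string
		val  *string
	}{
		{"contains", m.Contains}, {"exact", m.Exact}, {"prefix", m.Prefix},
		{"regex", m.Regex}, {"suffix", m.Suffix},
	}
	set := 0
	for _, f := range fields {
		if f.val != nil {
			set++
		}
	}
	if set != 1 {
		return nil, ErrOneOf
	}
	// An empty contains/prefix/suffix would match every path; the page
	// rejects it and points to regex instead.
	for _, f := range fields {
		if f.val != nil && *f.val == "" && f.name != "exact" && f.name != "regex" {
			return nil, fmt.Errorf("empty %s is not allowed, use regex instead", f.name)
		}
	}

	// Case folding for the literal matchers when ignoreCase is true.
	fold := func(s string) string {
		if m.IgnoreCase {
			return strings.ToLower(s)
		}
		return s
	}

	switch {
	case m.Exact != nil:
		want := fold(*m.Exact)
		return func(p string) bool { return fold(p) == want }, nil
	case m.Prefix != nil:
		want := fold(*m.Prefix)
		return func(p string) bool { return strings.HasPrefix(fold(p), want) }, nil
	case m.Suffix != nil:
		want := fold(*m.Suffix)
		return func(p string) bool { return strings.HasSuffix(fold(p), want) }, nil
	case m.Contains != nil:
		want := fold(*m.Contains)
		return func(p string) bool { return strings.Contains(fold(p), want) }, nil
	default: // regex; Go's regexp package is RE2, the engine named on the page
		expr := *m.Regex
		if m.IgnoreCase {
			expr = "(?i:" + expr + ")" // exactly the wrapping the page describes
		}
		re, err := regexp.Compile("^(?:" + expr + ")$")
		if err != nil {
			return nil, err
		}
		return re.MatchString, nil
	}
}

func main() {
	// Constructed paths; "/logout\nx" shows the single-line default of RE2.
	cases := []struct {
		name string
		m    PathMatcher
		path string
	}{
		{"exact callback", PathMatcher{Exact: Str("/callback")}, "/callback"},
		{"exact is case-sensitive", PathMatcher{Exact: Str("/callback")}, "/Callback"},
		{"exact with ignoreCase", PathMatcher{Exact: Str("/callback"), IgnoreCase: true}, "/Callback"},
		{"regex .* stops at newline", PathMatcher{Regex: Str("/logout.*")}, "/logout\nx"},
		{"regex with (?s)", PathMatcher{Regex: Str("(?s)/logout.*")}, "/logout\nx"},
	}
	for _, c := range cases {
		match, err := c.m.Compile()
		if err != nil {
			fmt.Printf("%-28s compile error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-28s %q -> %v\n", c.name, c.path, match(c.path))
	}
	_, err := PathMatcher{Contains: Str("")}.Compile()
	fmt.Println("empty contains:", err)
	_, err = PathMatcher{Exact: Str("/a"), Prefix: Str("/")}.Compile()
	fmt.Println("two fields set:", err)
}
```

The practical lesson is in the last three cases: a callback matcher of exact /callback silently fails for /Callback or /callback/ unless you either set ignoreCase or switch to a regex, and a regex such as /logout.* does not cross a newline unless you prepend (?s). Keep redirectPath as tight as possible (exact is the right default for a callback URL), since every path it matches is handed to the OIDC callback handling instead of the upstream application.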