mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 16:03:41 +00:00
ea2aa27f15
* rename to overview * wip * wip * wip * wip * wip * wip * examples * ts example * wip with grafana * add grafana tutorial * screenshots and grafana * figure out oauth proxy * authz oauth proxy * move img * merge from master * reviewed documentation * reviewed documentation * wip * wip * wip * wip * wip * wip * examples * ts example * wip with grafana * screenshots and grafana * figure out oauth proxy * authz oauth proxy * move img * merge from master * cleaned up name for management roles * corrected small typo in code * Intro for orgs, spelling, ref to mgmt roles * removed inline comments * Update 00-quick-start.en.md * Update 02-organisations.en.md * Update site/docs/administrate/03-projects.en.md Co-authored-by: Florian Forster <florian@caos.ch> * Update 03-projects.en.md * Update 04-clients.en.md * Update site/docs/administrate/07-policies.en.md Co-authored-by: Florian Forster <florian@caos.ch> * Update 09-authorizations.en.md Co-authored-by: Florian Forster <florian@caos.ch>
128 lines
3.5 KiB
Markdown
128 lines
3.5 KiB
Markdown
---
|
|
title: Proxy / WAF
|
|
description: ...
|
|
---
|
|
|
|
### Proxy Protocol and Flow recommendation
|
|
|
|
### Ambassador Example
|
|
|
|
According to [https://www.getambassador.io/docs/latest/](https://www.getambassador.io/docs/latest/) Ambassador is a:
|
|
|
|
>The Ambassador Edge Stack is a comprehensive, self-service edge stack and API Gateway for Kubernetes built on Envoy Proxy. The shift to Kubernetes and microservices has profound consequences for the capabilities you need at the edge, as well as how you manage the edge. The Ambassador Edge Stack has been engineered with this world in mind.
|
|
|
|
You can use **ZITADEL** for Authentication and Authorization with **Ambassador**.
|
|
|
|
> The redirect URI is `https://{AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint`
|
|
|
|
#### Use Ambassador to Authenticate with ZITADEL
|
|
|
|
With this you can use Ambassador to initiate the Authorization Code Flow.
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: Filter
|
|
metadata:
|
|
name: zitadel-filter
|
|
namespace: default
|
|
spec:
|
|
OAuth2:
|
|
authorizationURL: https://accounts.zitadel.ch/oauth/v2/authorize
|
|
clientID: {ZITADEL_GENERATED_CLIENT_ID}
|
|
secret: {ZITADEL_GENERATED_CLIENT_SECRET}
|
|
protectedOrigins:
|
|
- origin: https://{PROTECTED_URL}
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: FilterPolicy
|
|
metadata:
|
|
name: zitadel-policy
|
|
namespace: default
|
|
spec:
|
|
rules:
|
|
- host: "*"
|
|
path: /backend/get-quote/
|
|
filters:
|
|
- name: zitadel-filter
|
|
```
|
|
|
|
#### Use Ambassador to check JWT Bearer Tokens
|
|
|
|
If you would like **Ambassador** to verify a JWT token from the authorization header you can do so by configuring **ZITADEL's** endpoints.
|
|
|
|
> Make sure that in your client settings of **ZITADEL** the "AuthToken Options" is **JWT** by default **ZITADEL** will use opaque tokens!
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: Filter
|
|
metadata:
|
|
name: zitadel-filter
|
|
namespace: default
|
|
spec:
|
|
JWT:
|
|
jwksURI: "https://api.zitadel.ch/oauth/v2/keys"
|
|
validAlgorithms:
|
|
- "RS256"
|
|
issuer: "https://issuer.zitadel.ch"
|
|
requireIssuer: true
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: FilterPolicy
|
|
metadata:
|
|
name: zitadel-policy
|
|
namespace: default
|
|
spec:
|
|
rules:
|
|
- host: "*"
|
|
path: /backend/get-quote/
|
|
filters:
|
|
- name: zitadel-filter
|
|
```
|
|
|
|
> Additional Infos can be found with [Ambassadors Documentation](https://www.getambassador.io/docs/latest/howtos/oauth-oidc-auth/)
|
|
|
|
### OAuth2 Proxy Example
|
|
|
|
[OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a project which allows services to delegate the authentication flow to a IDP, for example **ZITADEL**
|
|
|
|
#### OAuth2 Proxy Authentication Example
|
|
|
|
```toml
|
|
provider = "oidc"
|
|
user_id_claim = "sub" #uses the subject as ID instead of the email
|
|
provider_display_name = "ZITADEL"
|
|
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
|
|
oidc_issuer_url = "https://issuer.zitadel.ch"
|
|
upstreams = [
|
|
"https://example.corp.com"
|
|
]
|
|
email_domains = [
|
|
"*"
|
|
]
|
|
client_id = "{ZITADEL_GENERATED_CLIENT_ID}"
|
|
client_secret = "{ZITADEL_GENERATED_CLIENT_SECRET}"
|
|
pass_access_token = true
|
|
cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
|
|
skip_provider_button = true
|
|
cookie_secure = false #localdev only false
|
|
http_address = "127.0.0.1:4180" #localdev only
|
|
```
|
|
|
|
> This was tested with version `oauth2-proxy v6.1.1 (built with go1.14.2)`
|
|
|
|
#### OAuth2 Proxy Authorization Example
|
|
|
|
> Not yet supported but with the work of [https://github.com/oauth2-proxy/oauth2-proxy/pull/797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) it should be possible in the future
|
|
|
|
### Cloudflare Access Example
|
|
|
|
> TODO
|
|
|
|
### NGINX Example
|
|
|
|
> TODO
|