* onboarding components, routing, steps * onboarding component, toc * fix onboarding mixin * header * refactor docs * fix layout * cleanup routing * docs routing * fix conventions * de en routing * docs, guide contents, nav * rem i18n support * fix routing from docs * rollup onwarn changes, preload * update svelte plugin, update rollup config * move docs * revert img style, remove code table * rem de completely * rollup optim, template * angular quickstart, quickstart overview page, update deps * fix link * pack, slug * prefetch binding, hidden links * export log * guards route ch * fix homepage * angular docs * docs * resolve fsh * overview * docs * docs * packages fix race condition * nav, home link * add vue, aspnet * doc optimizations * embed status pal * angular guide * angular guide * dotnet, angular guide * viewbox * typo * block onboarding route for non iam writers * set links from component data * fix: fetch org context in guard, more main cnt (#1192) * change get started guide, fix code blockquotes, typos * flutter guide * h2 spacing * highlight strong * plus * rm start sublinks * add proxy quickstart * regex * prevent outside click, fix project grant write Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
3.5 KiB
title | description |
---|---|
Proxy / WAF | ... |
Proxy Protocol and Flow recommendation
Ambassador Example
According to https://www.getambassador.io/docs/latest/ Ambassador is a:
The Ambassador Edge Stack is a comprehensive, self-service edge stack and API Gateway for Kubernetes built on Envoy Proxy. The shift to Kubernetes and microservices has profound consequences for the capabilities you need at the edge, as well as how you manage the edge. The Ambassador Edge Stack has been engineered with this world in mind.
You can use ZITADEL for Authentication and Authorization with Ambassador.
The redirect URI is
https://{AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint
Use Ambassador to Authenticate with ZITADEL
With this you can use Ambassador to initiate the Authorization Code Flow.
apiVersion: getambassador.io/v2
kind: Filter
metadata:
name: zitadel-filter
namespace: default
spec:
OAuth2:
authorizationURL: https://accounts.zitadel.ch/oauth/v2/authorize
clientID: {ZITADEL_GENERATED_CLIENT_ID}
secret: {ZITADEL_GENERATED_CLIENT_SECRET}
protectedOrigins:
- origin: https://{PROTECTED_URL}
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
name: zitadel-policy
namespace: default
spec:
rules:
- host: "*"
path: /backend/get-quote/
filters:
- name: zitadel-filter
Use Ambassador to check JWT Bearer Tokens
If you would like Ambassador to verify a JWT token from the authorization header you can do so by configuring ZITADEL's endpoints.
Make sure that in your client settings of ZITADEL the "AuthToken Options" is JWT by default ZITADEL will use opaque tokens!
apiVersion: getambassador.io/v2
kind: Filter
metadata:
name: zitadel-filter
namespace: default
spec:
JWT:
jwksURI: "https://api.zitadel.ch/oauth/v2/keys"
validAlgorithms:
- "RS256"
issuer: "https://issuer.zitadel.ch"
requireIssuer: true
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
name: zitadel-policy
namespace: default
spec:
rules:
- host: "*"
path: /backend/get-quote/
filters:
- name: zitadel-filter
Additional Infos can be found with Ambassadors Documentation
OAuth2 Proxy Example
OAuth2-proxy is a project which allows services to delegate the authentication flow to a IDP, for example ZITADEL
OAuth2 Proxy Authentication Example
provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name = "ZITADEL"
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
oidc_issuer_url = "https://issuer.zitadel.ch"
upstreams = [
"https://example.corp.com"
]
email_domains = [
"*"
]
client_id = "{ZITADEL_GENERATED_CLIENT_ID}"
client_secret = "{ZITADEL_GENERATED_CLIENT_SECRET}"
pass_access_token = true
cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
skip_provider_button = true
cookie_secure = false #localdev only false
http_address = "127.0.0.1:4180" #localdev only
This was tested with version
oauth2-proxy v6.1.1 (built with go1.14.2)
OAuth2 Proxy Authorization Example
Not yet supported but with the work of https://github.com/oauth2-proxy/oauth2-proxy/pull/797 it should be possible in the future
Cloudflare Access Example
TODO
NGINX Example
TODO