mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 15:53:39 +00:00
27be460c07
* onboarding components, routing, steps * onboarding component, toc * fix onboarding mixin * header * refactor docs * fix layout * cleanup routing * docs routing * fix conventions * de en routing * docs, guide contents, nav * rem i18n support * fix routing from docs * rollup onwarn changes, preload * update svelte plugin, update rollup config * move docs * revert img style, remove code table * rem de completely * rollup optim, template * angular quickstart, quickstart overview page, update deps * fix link * pack, slug * prefetch binding, hidden links * export log * guards route ch * fix homepage * angular docs * docs * resolve fsh * overview * docs * docs * packages fix race condition * nav, home link * add vue, aspnet * doc optimizations * embed status pal * angular guide * angular guide * dotnet, angular guide * viewbox * typo * block onboarding route for non iam writers * set links from component data * fix: fetch org context in guard, more main cnt (#1192) * change get started guide, fix code blockquotes, typos * flutter guide * h2 spacing * highlight strong * plus * rm start sublinks * add proxy quickstart * regex * prevent outside click, fix project grant write Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
128 lines
3.5 KiB
Markdown
128 lines
3.5 KiB
Markdown
---
|
|
title: Proxy / WAF
|
|
description: ...
|
|
---
|
|
|
|
### Proxy Protocol and Flow recommendation
|
|
|
|
### Ambassador Example
|
|
|
|
According to [https://www.getambassador.io/docs/latest/](https://www.getambassador.io/docs/latest/) Ambassador is a:
|
|
|
|
>The Ambassador Edge Stack is a comprehensive, self-service edge stack and API Gateway for Kubernetes built on Envoy Proxy. The shift to Kubernetes and microservices has profound consequences for the capabilities you need at the edge, as well as how you manage the edge. The Ambassador Edge Stack has been engineered with this world in mind.
|
|
|
|
You can use **ZITADEL** for Authentication and Authorization with **Ambassador**.
|
|
|
|
> The redirect URI is `https://{AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint`
|
|
|
|
#### Use Ambassador to Authenticate with ZITADEL
|
|
|
|
With this you can use Ambassador to initiate the Authorization Code Flow.
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: Filter
|
|
metadata:
|
|
name: zitadel-filter
|
|
namespace: default
|
|
spec:
|
|
OAuth2:
|
|
authorizationURL: https://accounts.zitadel.ch/oauth/v2/authorize
|
|
clientID: {ZITADEL_GENERATED_CLIENT_ID}
|
|
secret: {ZITADEL_GENERATED_CLIENT_SECRET}
|
|
protectedOrigins:
|
|
- origin: https://{PROTECTED_URL}
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: FilterPolicy
|
|
metadata:
|
|
name: zitadel-policy
|
|
namespace: default
|
|
spec:
|
|
rules:
|
|
- host: "*"
|
|
path: /backend/get-quote/
|
|
filters:
|
|
- name: zitadel-filter
|
|
```
|
|
|
|
#### Use Ambassador to check JWT Bearer Tokens
|
|
|
|
If you would like **Ambassador** to verify a JWT token from the authorization header you can do so by configuring **ZITADEL's** endpoints.
|
|
|
|
> Make sure that in your client settings of **ZITADEL** the "AuthToken Options" is **JWT** by default **ZITADEL** will use opaque tokens!
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: Filter
|
|
metadata:
|
|
name: zitadel-filter
|
|
namespace: default
|
|
spec:
|
|
JWT:
|
|
jwksURI: "https://api.zitadel.ch/oauth/v2/keys"
|
|
validAlgorithms:
|
|
- "RS256"
|
|
issuer: "https://issuer.zitadel.ch"
|
|
requireIssuer: true
|
|
```
|
|
|
|
```yaml
|
|
apiVersion: getambassador.io/v2
|
|
kind: FilterPolicy
|
|
metadata:
|
|
name: zitadel-policy
|
|
namespace: default
|
|
spec:
|
|
rules:
|
|
- host: "*"
|
|
path: /backend/get-quote/
|
|
filters:
|
|
- name: zitadel-filter
|
|
```
|
|
|
|
> Additional Infos can be found with [Ambassadors Documentation](https://www.getambassador.io/docs/latest/howtos/oauth-oidc-auth/)
|
|
|
|
### OAuth2 Proxy Example
|
|
|
|
[OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a project which allows services to delegate the authentication flow to a IDP, for example **ZITADEL**
|
|
|
|
#### OAuth2 Proxy Authentication Example
|
|
|
|
```toml
|
|
provider = "oidc"
|
|
user_id_claim = "sub" #uses the subject as ID instead of the email
|
|
provider_display_name = "ZITADEL"
|
|
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
|
|
oidc_issuer_url = "https://issuer.zitadel.ch"
|
|
upstreams = [
|
|
"https://example.corp.com"
|
|
]
|
|
email_domains = [
|
|
"*"
|
|
]
|
|
client_id = "{ZITADEL_GENERATED_CLIENT_ID}"
|
|
client_secret = "{ZITADEL_GENERATED_CLIENT_SECRET}"
|
|
pass_access_token = true
|
|
cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
|
|
skip_provider_button = true
|
|
cookie_secure = false #localdev only false
|
|
http_address = "127.0.0.1:4180" #localdev only
|
|
```
|
|
|
|
> This was tested with version `oauth2-proxy v6.1.1 (built with go1.14.2)`
|
|
|
|
#### OAuth2 Proxy Authorization Example
|
|
|
|
> Not yet supported but with the work of [https://github.com/oauth2-proxy/oauth2-proxy/pull/797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) it should be possible in the future
|
|
|
|
### Cloudflare Access Example
|
|
|
|
> TODO
|
|
|
|
### NGINX Example
|
|
|
|
> TODO
|