ea2aa27f15
* rename to overview * wip * wip * wip * wip * wip * wip * examples * ts example * wip with grafana * add grafana tutorial * screenshots and grafana * figure out oauth proxy * authz oauth proxy * move img * merge from master * reviewed documentation * reviewed documentation * wip * wip * wip * wip * wip * wip * examples * ts example * wip with grafana * screenshots and grafana * figure out oauth proxy * authz oauth proxy * move img * merge from master * cleaned up name for management roles * corrected small typo in code * Intro for orgs, spelling, ref to mgmt roles * removed inline comments * Update 00-quick-start.en.md * Update 02-organisations.en.md * Update site/docs/administrate/03-projects.en.md Co-authored-by: Florian Forster <florian@caos.ch> * Update 03-projects.en.md * Update 04-clients.en.md * Update site/docs/administrate/07-policies.en.md Co-authored-by: Florian Forster <florian@caos.ch> * Update 09-authorizations.en.md Co-authored-by: Florian Forster <florian@caos.ch>
3.5 KiB
| title | description |
|---|---|
| Proxy / WAF | ... |
Proxy Protocol and Flow recommendation
Ambassador Example
According to https://www.getambassador.io/docs/latest/ Ambassador is a:
The Ambassador Edge Stack is a comprehensive, self-service edge stack and API Gateway for Kubernetes built on Envoy Proxy. The shift to Kubernetes and microservices has profound consequences for the capabilities you need at the edge, as well as how you manage the edge. The Ambassador Edge Stack has been engineered with this world in mind.
You can use ZITADEL for Authentication and Authorization with Ambassador.
The redirect URI is
https://{AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint
Use Ambassador to Authenticate with ZITADEL
With this you can use Ambassador to initiate the Authorization Code Flow.
apiVersion: getambassador.io/v2
kind: Filter
metadata:
name: zitadel-filter
namespace: default
spec:
OAuth2:
authorizationURL: https://accounts.zitadel.ch/oauth/v2/authorize
clientID: {ZITADEL_GENERATED_CLIENT_ID}
secret: {ZITADEL_GENERATED_CLIENT_SECRET}
protectedOrigins:
- origin: https://{PROTECTED_URL}
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
name: zitadel-policy
namespace: default
spec:
rules:
- host: "*"
path: /backend/get-quote/
filters:
- name: zitadel-filter
Use Ambassador to check JWT Bearer Tokens
If you would like Ambassador to verify a JWT token from the authorization header you can do so by configuring ZITADEL's endpoints.
Make sure that in your client settings of ZITADEL the "AuthToken Options" is JWT by default ZITADEL will use opaque tokens!
apiVersion: getambassador.io/v2
kind: Filter
metadata:
name: zitadel-filter
namespace: default
spec:
JWT:
jwksURI: "https://api.zitadel.ch/oauth/v2/keys"
validAlgorithms:
- "RS256"
issuer: "https://issuer.zitadel.ch"
requireIssuer: true
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
name: zitadel-policy
namespace: default
spec:
rules:
- host: "*"
path: /backend/get-quote/
filters:
- name: zitadel-filter
Additional Infos can be found with Ambassadors Documentation
OAuth2 Proxy Example
OAuth2-proxy is a project which allows services to delegate the authentication flow to a IDP, for example ZITADEL
OAuth2 Proxy Authentication Example
provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name = "ZITADEL"
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
oidc_issuer_url = "https://issuer.zitadel.ch"
upstreams = [
"https://example.corp.com"
]
email_domains = [
"*"
]
client_id = "{ZITADEL_GENERATED_CLIENT_ID}"
client_secret = "{ZITADEL_GENERATED_CLIENT_SECRET}"
pass_access_token = true
cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
skip_provider_button = true
cookie_secure = false #localdev only false
http_address = "127.0.0.1:4180" #localdev only
This was tested with version
oauth2-proxy v6.1.1 (built with go1.14.2)
OAuth2 Proxy Authorization Example
Not yet supported but with the work of https://github.com/oauth2-proxy/oauth2-proxy/pull/797 it should be possible in the future
Cloudflare Access Example
TODO
NGINX Example
TODO