OIDC

Authentication

Gloo supports authentication with external OpenID Connect (OIDC) identity providers. In this document we will show how to setup google account login for your application via gloo. This document is here to get you started and does not cover everything you need to (like setting up a domain and SSL certificates)

Setup

Gloo supports authentication via Envoy’s external auth feature. First, make sure that gloo is configured, with the auth add-on:

kubectl get settings -n gloo-system default -o yaml

It should look like this:

apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  bindAddr: 0.0.0.0:9977
  devMode: true
  discoveryNamespace: gloo-system
  extensions:
    configs:
      extauth:
        extauthzServerRef:
          name: extauth
          namespace: gloo-system
  kubernetesArtifactSource: {}
  kubernetesConfigSource: {}
  kubernetesSecretSource: {}
  refreshRate: 60s

If it’s not configured, add it with this command (this assumes that it was installed with the default settings):

glooctl edit settings --namespace gloo-system --name default  externalauth --extauth-server-namespace gloo-system --extauth-server-name extauth

Create google OAuth credentials

Go to https://console.developers.google.com/apis/credentials/consent and write an Application name. Then, go to https://console.developers.google.com/apis/credentials/ and:

For your convenience, set the client id and secret in environment variables:

CLIENT_ID=825...imq.apps.googleusercontent.com
CLIENT_SECRET=CCh...lmT

Configure Gloo

Network

Note that since we didn’t register any URL with Google, for security reasons, they will only allow authentication with applications running on localhost. We can make the gloo gateway available in localhost using kubectl port-forward:

kubectl port-forward -n gloo-system deploy/gateway-proxy 8080

Configuration

First, let’s create a secret with the client secret:

glooctl create secret --namespace gloo-system --name google oauth --client-secret $CLIENT_SECRET

Create a virtual service, and add the open id connect information to it:

glooctl create virtualservice --namespace gloo-system --name default --enable-oidc-auth \
--oidc-auth-client-secret-name google \
--oidc-auth-client-secret-namespace gloo-system \
--oidc-auth-issuer-url https://accounts.google.com \
--oidc-auth-client-id $CLIENT_ID \
--oidc-auth-app-url http://localhost:8080/ \
--oidc-auth-callback-path /callback

In addition to the Client ID and secret, the following parameters are provided:

Add the appropriate routes in the virtual service for your application.

Note: you can disable authentication on specific routes (this can be useful for example, for the login page itself)

That’s it! Go in to http://localhost:8080 and try it!