Single Sign-On using GitHub and Keycloak

Security

Ambassador Pro integrates with the Keycloak IDP. Using Keycloak, we can set up Single Sign-On with other OAuth providers such as GitHub. In this tutorial, we'll configure Ambassador Pro to use GitHub credentials for Single Sign-On to the httpbin service.

  1. Install Ambassador Pro

    Ambassador Pro is a commercial version of Ambassador that includes integrated Single Sign-On, powerful rate limiting, custom filters, and more. Ambassador Pro also uses a certified version of Ambassador OSS that undergoes additional testing and validation.

    1. Clone the Ambassador Pro configuration repository

      Ambassador Pro consists of a series of modules that communicate with Ambassador. The core Pro module is typically deployed as a sidecar to Ambassador. This means it is an additional process that runs on the same pod as Ambassador. Ambassador communicates with the Pro sidecar locally. Pro thus scales in parallel with Ambassador. Ambassador Pro also relies on a Redis instance for its rate limit service and several Custom Resource Definitions (CRDs) for configuration.

      For this installation, we'll start with a standard set of Ambassador Pro configuration files.

      git clone https://github.com/datawire/pro-ref-arch
    2. License Key

      Copy env.sh.example to env.sh, and add your specific license key to the env.sh file. If you don’t have a license key, you can request a free 14-day trial key now.

      Note: Ambassador Pro will not start without a valid license key.

    3. Deploy Ambassador Pro

      If you're on GKE, first, create the following ClusterRoleBinding:

      kubectl create clusterrolebinding my-cluster-admin-binding \
      --clusterrole=cluster-admin \
      --user=$(gcloud info --format="value(config.account)")
      

      Then, deploy Ambassador Pro:

      make apply-ambassador

      This make command will use kubectl to deploy Ambassador Pro and a basic test configuration to the cluster.

      Verify that Ambassador Pro is running:

      kubectl get pods | grep ambassador
      ambassador-79494c799f-vj2dv            2/2       Running            0         1h
      ambassador-pro-redis-dff565f78-88bl2   1/1       Running            0         1h
      

      Note: If you are not deploying in a cloud environment that supports the LoadBalancertype, you will need to change the ambassador/ambassador-service.yaml to a different service type (e.g., NodePort).

      By default, Ambassador Pro uses ports 8081 and 8082 for rate-limiting and filtering, respectively. If for whatever reason those assignments are problematic (perhaps you set service_port to one of those), you can set adjust these by setting environment variables:

      • GRPC_PORT: Which port to serve the RateLimitService on; 8081 by default.
      • APRO_AUTH_PORT: Which port to serve the filtering AuthService on; 8082 by default.

      If you have deployed Ambassador with AMBASSADOR_NAMESPACE, AMBASSADOR_SINGLE_NAMESPACE, or AMBASSADOR_ID set, you will also need to set them in the Pro container.

  2. Create an OAuth application in GitHub.

    • Click on your Profile photo, then choose Settings.
    • Click on Developer Settings.
    • Click on "Register a New Application".
    • The Name can be any value.
    • The Homepage URL should be set to your domain name, or you can use https://example.com if you're just testing.
    • The Authorization callback uRL should be https://${AMBASSADOR_IP}/auth/realms/demo/broker/github/endpoint.
  3. Edit your env.sh and add the CLIENT_ID and CLIENT_SECRET from GitHub:

    CLIENT_ID=<Client ID from GitHub>
    CLIENT_SECRET=<Client Secret from GitHub>
  4. Get the External-IP for your Ambassador service kubectl get svc ambassador

  5. Replace the ${AMBASSADOR_IP} values in api-auth-with-github/00-tenant.yaml

  6. Run make apply-api-auth.

  7. Go to https://${AMBASSADOR_IP}/httpbin/headers in your browser and you will be asked to login. Select the GitHub option.

Behind the scenes, we've created an OAuth authentication Filter for requests to httpbin/headers. Note that requests to other httpbin URLs, e.g., httpbin/ip do not require authentication. With this approach, we give users fine-grained control over which specific hosts and paths require authentication, and support using different authentication schemes for different URLs.

Summary

To quickly enable Single Sign-On for your application, get started with a free 14-day trial of Ambassador Pro, or contact sales today.