This feature is supported in Ambassador Pro. Ambassador Pro helps developers and operators accelerate their adoption of Kubernetes.

Configuring OAuth/OIDC Authentication

Ambassador Pro adds native support for the OAuth and OIDC authentication schemes for single sign-on with various identity providers (IDPs). This guide will demonstrate configuration using the Auth0 IDP.

Note: If you need to use an IDP other than Auth0, please contact us. We are currently testing support for other IDPs, including Keycloak, Okta, and AWS Cognito.

Configuring Environment Variables

Auth0 integration supports two different configuration patterns. The default configuration integrates Auth0 with Ambassador Pro without verification from the Auth0 management API. If you want the Auth0 management API to verify your application configuration, follow the validation mode configuration.

Auth0 Default Configuration

Integrating Auth0 with the Ambassador Pro Authentication service is done by setting environment variables in the deployment manifest. In your deployment file, configure the AUTH_CALLBACK_URL, AUTH_DOMAIN, AUTH_AUDIENCE, and AUTH_CLIENT_ID environment variables based on your Auth0 configuration. (You'll need to create an Auth0 custom API if you haven't already.)

  • AUTH_DOMAIN is your Auth0 domain, e.g., foo.auth0.com.
  • AUTH_CLIENT_ID is the client ID of your application.
  • AUTH_AUDIENCE is the API identifier listed on the APIs page at https://manage.auth0.com/#/apis.
  • AUTH_CALLBACK_URL is the URL where you want to send users once they've authenticated.

Configuration

  • AUTH_DOMAIN = datawire-ambassador.auth0.com
  • AUTH_CLIENT_ID = vdrLZ8Y6AASktot75tCaAif4u9xrrE_g

  1. Configure the environment variables with the correct values, e.g.,

    env:
    - name: AUTH_CALLBACK_URL
      value: https://datawire-ambassador.com/callback
    - name: AUTH_DOMAIN
      value: datawire-ambassador.auth0.com
    - name: AUTH_AUDIENCE
      value: https://datawire-ambassador.auth0.com/api/v2/
    - name: AUTH_CLIENT_ID
      value: vdrLZ8Y6AASktot75tCaAif4u9xrrE_g
  2. Set Token Endpoint Authentication Method to None.
  3. Add the value of AUTH_CALLBACK_URL to Allowed Callback URLs.
  4. Add your domain to Allowed Web Origins.
  5. Deploy your Ambassador Pro configuration to the cluster: kubectl apply -f ambassador-pro-auth.yaml. This will:

    • Create the Ambassador Pro deployment and appropriate cluster resources
    • Create a Policy custom resource definition that will be used to manage access control
  6. Test the application.

Auth0 Validation Mode Configuration

When deployed in validation mode, Ambassador Pro will validate configuration via the Auth0 management API. In the future, we may add more automatic configuration via the management API.

Configuration

The AUTH_CALLBACK_URL, AUTH_DOMAIN, AUTH_AUDIENCE and AUTH_CLIENT_ID environment variables need to be configured, as in the default configuration. An extra environment variable, AUTH_CLIENT_SECRET, is also required in validation mode.

  1. Configure the environment variables with the correct values, e.g.,

    env:
    - name: AUTH_CALLBACK_URL
      value: https://datawire-ambassador.com/callback
    - name: AUTH_DOMAIN
      value: datawire-ambassador.auth0.com
    - name: AUTH_AUDIENCE
      value: https://datawire-ambassador.auth0.com/api/v2/
    - name: AUTH_CLIENT_ID
      value: vdrLZ8Y6AASktot75tCaAif4u9xrrE_g
    - name: AUTH_CLIENT_SECRET
      value: <CLIENT SECRET>
  2. Set Token Endpoint Authentication Method to POST.
  3. Add the value of AUTH_CALLBACK_URL to Allowed Callback URLs.
  4. Add your domain to Allowed Web Origins.
  5. Authorize the application to access the Auth0 Management API (APIs / Machine to Machine Applications / click the dropdown) and confirm that the following scopes have been granted:

    • read:clients
    • read:grants
  6. Set the following grant types (Applications / Advanced Settings / Grant Types):

    • Authorization Code
    • Client Credentials
  7. Deploy your Ambassador Pro configuration to the cluster: kubectl apply -f ambassador-pro-auth.yaml. This will:

    • Create the Ambassador Pro deployment and appropriate cluster resources
    • Create a Policy custom resource definition that will be used to manage access control
  8. Test the application.
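Before applying either of the two env blocks above, it is worth checking them mechanically: the variables that must be present in each mode, that AUTH_DOMAIN is a bare host rather than a URL, that the callback is served over https, and that the client secret in validation mode is not left as the placeholder or written inline in the manifest. The script below is an added example and not part of the Ambassador Pro documentation or code. It assumes a manifest using exactly the `- name:` / `value:` list shape shown on this page (the parser understands only that shape, not YAML in general), and the `auth0-credentials` Secret name and `client-secret` key in the valueFrom sample are made-up names.

```python
import re
from urllib.parse import urlparse

REQUIRED_VARS = ("AUTH_CALLBACK_URL", "AUTH_DOMAIN", "AUTH_AUDIENCE", "AUTH_CLIENT_ID")
VALUE_FROM = object()  # marker: the value is injected via valueFrom, not written inline

# Constructed inputs: the default-mode env block from this page, the validation-mode
# block with the placeholder still in it, and a corrected block where the secret
# comes from a Kubernetes Secret (Secret name and key are made-up for the example).
DEFAULT_ENV = """\
env:
- name: AUTH_CALLBACK_URL
  value: https://datawire-ambassador.com/callback
- name: AUTH_DOMAIN
  value: datawire-ambassador.auth0.com
- name: AUTH_AUDIENCE
  value: https://datawire-ambassador.auth0.com/api/v2/
- name: AUTH_CLIENT_ID
  value: vdrLZ8Y6AASktot75tCaAif4u9xrrE_g
"""
VALIDATION_ENV_PLACEHOLDER = DEFAULT_ENV + """\
- name: AUTH_CLIENT_SECRET
  value: <CLIENT SECRET>
"""
VALIDATION_ENV_FROM_SECRET = DEFAULT_ENV + """\
- name: AUTH_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: auth0-credentials
      key: client-secret
"""


def parse_env_block(text):
    """Read the `- name:` / `value:` list shape used on this page into a dict.
    Deliberately minimal: it understands only that shape, not YAML in general."""
    env, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- name:"):
            current = line[len("- name:"):].strip()
            env[current] = None  # stays None if neither value nor valueFrom follows
        elif current and line.startswith("valueFrom:"):
            env[current] = VALUE_FROM
        elif current and line.startswith("value:"):
            env[current] = line[len("value:"):].strip()
    return env


def _text(value):
    """String form of an env value for URL/host checks; non-literals become ''."""
    return value if isinstance(value, str) else ""


def lint_auth_env(env, validation_mode=False):
    """Return a list of findings; an empty list means the block passed every check."""
    findings = []
    required = REQUIRED_VARS + (("AUTH_CLIENT_SECRET",) if validation_mode else ())
    findings += [f"{var} is missing" for var in required if var not in env]

    domain = _text(env.get("AUTH_DOMAIN"))
    if "://" in domain or "/" in domain:
        findings.append("AUTH_DOMAIN must be a bare host name such as foo.auth0.com, not a URL")

    callback = urlparse(_text(env.get("AUTH_CALLBACK_URL")))
    if callback.scheme != "https":
        findings.append("AUTH_CALLBACK_URL should be https: the authorization code is delivered to it")

    audience = urlparse(_text(env.get("AUTH_AUDIENCE")))
    if not (audience.scheme and audience.netloc):
        findings.append("AUTH_AUDIENCE should be the API identifier URL shown on the Auth0 APIs page")

    if "AUTH_CLIENT_SECRET" in env:
        secret = env["AUTH_CLIENT_SECRET"]
        if secret is VALUE_FROM:
            pass  # injected from a Secret: the shape you want
        elif secret is None or re.fullmatch(r"<[^>]*>", secret):
            findings.append("AUTH_CLIENT_SECRET still holds the <CLIENT SECRET> placeholder")
        else:
            findings.append("AUTH_CLIENT_SECRET is an inline literal; load it from a Kubernetes Secret with valueFrom.secretKeyRef")
    return findings


if __name__ == "__main__":
    for label, block, mode in (("default", DEFAULT_ENV, False),
                               ("validation (placeholder)", VALIDATION_ENV_PLACEHOLDER, True),
                               ("validation (from Secret)", VALIDATION_ENV_FROM_SECRET, True)):
        print(label, lint_auth_env(parse_env_block(block), validation_mode=mode) or "ok")
```

Run it against the deployment file you are about to apply; a clean default-mode block and a validation-mode block whose secret comes from a Secret both return no findings, while the template with `<CLIENT SECRET>` still in it is reported before it reaches the cluster.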

Test the Auth0 Application

Authentication policies are managed by the policy CRD we deployed in the configuration step. We can deploy an authentication policy and test this Auth0 application using the example httpbin service in the YAML installation guide.

  1. If applied, delete the Ambassador Pro authentication service.

  2. Deploy the httpbin service.

  3. Verify the service is working:

    $ curl http://$AMBASSADOR_IP/httpbin/ip
    {
      "origin": "35.205.31.151"
    }
    $ curl http://$AMBASSADOR_IP/httpbin/user-agent
    {
      "user-agent": "curl/7.54.0"
    }
  4. Deploy Ambassador Pro Authentication:

    $ kubectl apply -f ambassador-pro-auth.yaml
    $ kubectl apply -f ambassador-pro-auth-service.yaml
  5. Resend the curl requests; you will notice they now require authentication.

  6. Deploy an httpbin authentication policy. Refer to the Access Control documentation for more information.

    apiVersion: stable.datawire.io/v1beta1
    kind: Policy
    metadata:
     name: httpbin-policy
    spec:
     rules:
      - host: "*"
        path: /callback
        public: true
      - host: "*"
        path: /httpbin/ip
        public: true
      - host: "*"
        path: /httpbin/user-agent/*
        public: false
      - host: "*"
        path: /httpbin/headers/*
        scopes: "read:test"
  7. Test that the policy worked with cURL:

    $ curl http://$AMBASSADOR_IP/httpbin/ip
    {
      "origin": "35.205.31.151"
    }
    $ curl http://$AMBASSADOR_IP/httpbin/user-agent
    <a href="https://xxx.auth0.com/authorize?audience=https://xxx.auth0.com/api/v2/&amp;response_type=code&amp;redirect_uri=http://35.226.13.0/callback&amp;client_id=Z6m3lwCot6GaThT4L142nkOKNPeDe87n&amp;state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MzY2OTQ2MjglhdCI6MUzNjY5NDMyOCwianRpIjoiN2FjOThjZTQtYjdjZi00NTU3LTlkYTEtZGJjNzZjYzNjZjg4IiwibmJmIjowLCJwYXRoIjoiL2h0dHBiaW4vdXNi1hZ2VudCJ9.NtBA5deqPn5XI7vonca4tpgYNrM-212TiQhTZ_KzWos&amp;scope=offline_access openid profile">See Other</a>
  8. Visit http://$AMBASSADOR_IP/httpbin/user-agent and you should be redirected to an Auth0 login page.

  9. If you want to test with a JWT, you can get a JWT from Auth0. To do this, click on APIs, then the custom API you're using for the Ambassador Authentication service, and then the Test tab. Pass the JWT in the authorization: Bearer HTTP header:

    $ curl --header 'authorization: Bearer eyeJdfasdf...' http://$AMBASSADOR_IP/httpbin/user-agent
    {
      "user-agent": "curl/7.54.0"
    }
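The httpbin-policy rules above and the Bearer-token test at the end of this list describe three different outcomes for a request: served without a token (public: true), redirected to Auth0 when no valid token is present, and refused when the token is valid but lacks a scope such as read:test. The block below is an added example, not Ambassador Pro's code, that models those outcomes so the rules can be reasoned about before they are deployed. Its matching semantics are assumptions made for the example, not a statement of the product's implementation: the first matching rule wins, a trailing /* covers the bare path and everything under it, and a path no rule matches still requires a valid token. The token is signed with HS256 and a constructed key so the block runs offline; Auth0 signs access tokens with RS256 keys published in its JWKS, and only the signature primitive differs, the exp and aud checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Audience from the AUTH_AUDIENCE example above; tokens minted for any other audience are rejected.
AUTH_AUDIENCE = "https://datawire-ambassador.auth0.com/api/v2/"

# Constructed HS256 key used only so this example can mint and verify tokens offline.
# Auth0 signs access tokens with RS256; the claim checks below are the same either way.
EXAMPLE_SIGNING_KEY = b"example-signing-key-constructed-for-this-demo"

# The rules of the httpbin-policy above, as plain dicts.
HTTPBIN_RULES = [
    {"host": "*", "path": "/callback", "public": True},
    {"host": "*", "path": "/httpbin/ip", "public": True},
    {"host": "*", "path": "/httpbin/user-agent/*", "public": False},
    {"host": "*", "path": "/httpbin/headers/*", "scopes": "read:test"},
]


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_test_token(scope, ttl_seconds=3600, audience=AUTH_AUDIENCE):
    """Mint an HS256 JWT as test input (assumption: stands in for a token from the Auth0 Test tab)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"aud": audience, "exp": int(time.time()) + ttl_seconds, "scope": scope}
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(EXAMPLE_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token, now=None):
    """Return the claims when signature, exp and aud all check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never take it from the token
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(EXAMPLE_SIGNING_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    aud = claims.get("aud")
    if AUTH_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None
    return claims


def _path_matches(pattern, path):
    # Assumption: a trailing "/*" covers the bare path and everything under it.
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def evaluate(rules, path, token=None, host="example.test"):
    """Return 'allow', 'redirect' (login needed) or 'forbidden' (valid token, missing scope)."""
    rule = next((r for r in rules if r["host"] in ("*", host) and _path_matches(r["path"], path)), None)
    if rule is not None and rule.get("public"):
        return "allow"
    # Assumption: a path matched by no rule still requires a valid token.
    claims = verify_token(token) if token else None
    if claims is None:
        return "redirect"
    required = set((rule or {}).get("scopes", "").split())
    granted = set(str(claims.get("scope", "")).split())
    return "allow" if required <= granted else "forbidden"


if __name__ == "__main__":
    token = issue_test_token("openid")
    for path in ("/httpbin/ip", "/httpbin/user-agent", "/httpbin/headers/"):
        print(path, "no token:", evaluate(HTTPBIN_RULES, path), "| token:", evaluate(HTTPBIN_RULES, path, token))
```

The ordering inside verify_token is the part to keep: the algorithm is pinned, the signature is compared with a constant-time comparison before any claim is trusted, and only then are exp and aud checked, so an expired, re-targeted or tampered token all fall into the same redirect path as a missing one.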