Tetrate Enterprise Gateway for Envoy (TEG), Version: v1.0.x

Secure Your App

OIDC

TEG offers seamless single sign-on (SSO) integration through OIDC. With TEG, you can effortlessly link your application to any OIDC identity provider using the straightforward SecurityPolicy. This enables instant authentication for your application, all without the need to make any code modifications. See the upstream guide for details.

Authorization

The upstream guide details authentication: users are required to prove who they are.

You may also wish to authorize users, that is, to make access control decisions based on details provided by the OIDC IdP (Identity Provider). Once the gateway has authenticated a user, several pieces of information about them are known, probably including their name and email address, and possibly custom information from the Identity Provider such as group memberships or an admin flag. The OIDC provider sends this information to TEG in a format called a JWT. TEG forwards that JWT to your service so that your code can inspect it and make its own authorization decisions.

JWT

TEG can also authenticate using "raw" JWTs, where your clients supply a JWT in the Authorization header themselves rather than having one injected by an OIDC flow. See the upstream guide for details.

Authorization

As with OIDC-sourced JWTs, your apps are free to inspect them to make authorization decisions.

In addition, when directly configuring JWT authentication, there are a few more settings available. One of these causes headers to be injected into the request from values ("claims") in the JWT. This makes it easier for your apps to read these values, include them in access logs, and so on. Header injection is configured in the SecurityPolicy resource as follows:

kind: SecurityPolicy
...
spec:
  ...
  jwt:
    providers:
    - ...
      claimToHeaders:
      - claim: sub
        header: x-claim-subject
      - claim: name
        header: x-claim-name
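The service side of the two sections above, as an added example that is not TEG's own code: it reads the x-claim-subject and x-claim-name headers injected by the claimToHeaders setting, decodes the forwarded JWT's payload for claims that were not mapped to headers, and checks an assumed custom groups claim before granting access. It assumes the service is reachable only through the gateway (so neither the headers nor the token can arrive unverified) and that the gateway has already validated the token's signature and expiry.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// Claims are the JWT claims the service needs for its own authorization
// decisions. "groups" is an assumed custom claim from the IdP.
type Claims struct {
	Subject string   `json:"sub"`
	Name    string   `json:"name"`
	Groups  []string `json:"groups"`
}

// claimsFromRequest reads the headers injected by claimToHeaders first, then
// decodes the forwarded JWT's payload for the remaining claims. No signature
// check is done here: the gateway verified the token before forwarding it.
func claimsFromRequest(h http.Header) (Claims, error) {
	c := Claims{Subject: h.Get("x-claim-subject"), Name: h.Get("x-claim-name")}
	parts := strings.Split(strings.TrimPrefix(h.Get("Authorization"), "Bearer "), ".")
	if len(parts) != 3 { // no well-formed JWT was forwarded
		if c.Subject == "" {
			return c, errors.New("no identity: neither claim headers nor a JWT present")
		}
		return c, nil
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// authorize grants access only to members of requiredGroup.
func authorize(c Claims, requiredGroup string) bool {
	for _, g := range c.Groups {
		if g == requiredGroup {
			return true
		}
	}
	return false
}
```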