User Authentication with OIDC
This guide provides step-by-step instructions on integrating OIDC (OpenID Connect) authentication with Tetrate Service Bridge (TSB) for user authentication. We will illustrate this process using the Bookinfo application deployed on TSB as a practical example. This scenario will help you understand how to configure OIDC with TSB and ensure secure user access to applications managed by TSB.
Prerequisites
Before you begin, ensure you have:
- Installed the TSB management plane.
- Onboarded a cluster.
- Set up an Identity Provider (IDP) and created a client application that uses the OIDC authorization code flow.
- Completed the TSB usage quickstart, including deploying the Bookinfo application and configuring the Gateway to access Bookinfo.
Currently, TSB only supports the authorization code flow for OIDC.
OIDC Authorization Code Flow
The following sequence describes the steps for a user to access the Bookinfo application through OIDC authentication.
- User access request: The user attempts to access the Bookinfo application through a configured OIDC-enabled gateway.
- Redirect to Identity Provider (IDP): If the user is not authenticated, the gateway redirects the user to the IDP login page.
- User authentication: The user completes the login process on the IDP's page.
- Obtain authentication token: Upon successful authentication, the IDP issues an authentication token to the user.
- Redirect back to the gateway: The user returns to the gateway with the authentication token.
- Gateway token validation: The gateway validates the token and determines the user's access permissions.
- Grant access: Once validation is successful, the gateway allows the user to access the Bookinfo application.
Step 1: Create OIDC Client Secret
Create a Kubernetes secret containing the OIDC client credentials. The gateway will use this secret to authenticate with the Identity Provider.
The OIDC secret should be created in the same namespace as your gateway. In this example, the gateway is deployed in the bookinfo namespace as per the quickstart guide.
apiVersion: v1
kind: Secret
metadata:
  name: oidc-secret
  namespace: bookinfo
data:
  istio_generic_secret: <base64-encoded-client-secret>
type: Opaque
Step 2: Add OIDC Configuration to the Gateway
Next, add the OIDC configuration to the gateway. This includes the Identity Provider's OIDC URLs, the client ID, and a reference to the Kubernetes secret created in the previous step that holds the client secret.
These URLs are provided by your Identity Provider. Refer to your Identity Provider's OIDC documentation for more details.
apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  organization: tetrate
  name: bookinfo-gw-ingress
  group: bookinfo-gw
  workspace: bookinfo-ws
  tenant: tetrate
spec:
  workloadSelector:
    namespace: bookinfo
    labels:
      app: tsb-gateway-bookinfo
  http:
  - name: bookinfo
    port: 8443
    hostname: bookinfo.tetrate.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      oidc:
        clientId: <oidc-client-name>
        clientTokenSecret: oidc-secret
        redirectUri: https://bookinfo.tetrate.com/bearer
        provider:
          issuer: https://oidc.example.com/issuer
          authorizationEndpoint: https://oidc.example.com/auth
          tokenEndpoint: https://oidc.example.com/token
          jwksUri: https://oidc.example.com/jwks
    routing:
      rules:
      - route:
          serviceDestination:
            host: 'bookinfo/productpage.bookinfo.svc.cluster.local'
If your OIDC provider requires a specific TLS configuration, you can add the tls field to the OIDC configuration. If not specified, TSB uses the system default CA certificates for TLS verification.
    authentication:
      oidc:
        clientId: <oidc-client-name>
        clientTokenSecret: oidc-secret
        redirectUri: https://bookinfo.tetrate.com/bearer
        provider:
          issuer: https://oidc.example.com/issuer
          authorizationEndpoint: https://oidc.example.com/auth
          tokenEndpoint: https://oidc.example.com/token
          jwksUri: https://oidc.example.com/jwks
          tls:
            mode: SIMPLE
            secretName: oidc-tls-secret
For more details on the OIDC configuration, refer to OIDCConfig and OIDCProviderConfig in the TSB API reference.
Step 3: Verify OIDC Authentication
Finally, access the Bookinfo application through the gateway hostname https://bookinfo.tetrate.com. You should be redirected to the Identity Provider's login page. Upon successful authentication, you will be redirected back to the Bookinfo application, confirming the successful integration of OIDC authentication with your TSB deployment.
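As an added example (not part of this guide or of TSB), the script below cross-checks the Secret and Gateway settings from Steps 1 and 2 and inspects the Location header of the redirect you observe in Step 3, so that a mismatch (wrong namespace, secret name, redirect_uri or client_id, or a missing state parameter) is caught before or while testing. The values mirror the YAML on this page; "bookinfo-client" and the sample Location header are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Mirrors the Gateway and Secret YAML on this page (values constructed from it,
# not read from a cluster); "bookinfo-client" stands in for <oidc-client-name>.
GATEWAY = {
    "namespace": "bookinfo", "hostname": "bookinfo.tetrate.com",
    "oidc": {
        "clientId": "bookinfo-client", "clientTokenSecret": "oidc-secret",
        "redirectUri": "https://bookinfo.tetrate.com/bearer",
        "provider": {  # every provider field here is a URL
            "issuer": "https://oidc.example.com/issuer",
            "authorizationEndpoint": "https://oidc.example.com/auth",
            "tokenEndpoint": "https://oidc.example.com/token",
            "jwksUri": "https://oidc.example.com/jwks",
        },
    },
}
SECRET = {"name": "oidc-secret", "namespace": "bookinfo", "keys": ["istio_generic_secret"]}

def check_config(gw=GATEWAY, secret=SECRET):
    """Problems that would make the Step 1/2 configuration fail at runtime."""
    oidc, prov = gw["oidc"], gw["oidc"]["provider"]
    checks = [
        (secret["namespace"] == gw["namespace"], "secret must live in the gateway namespace"),
        (secret["name"] == oidc["clientTokenSecret"], "clientTokenSecret does not name the secret"),
        ("istio_generic_secret" in secret["keys"], "secret lacks the istio_generic_secret key"),
        (urlsplit(oidc["redirectUri"]).hostname == gw["hostname"],
         "redirectUri host differs from the gateway hostname"),
    ] + [(urlsplit(prov[k]).scheme == "https", f"{k} is not https") for k in prov]
    return [msg for ok, msg in checks if not ok]

def check_redirect(location, gw=GATEWAY):
    """Compare the gateway's 302 to the IDP (Step 3) with the configured code flow."""
    oidc, u = gw["oidc"], urlsplit(location)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    checks = [
        (f"{u.scheme}://{u.netloc}{u.path}" == oidc["provider"]["authorizationEndpoint"],
         "redirect does not target the configured authorizationEndpoint"),
        (q.get("response_type") == "code", "not the authorization code flow"),
        (q.get("client_id") == oidc["clientId"], "client_id mismatch"),
        (q.get("redirect_uri") == oidc["redirectUri"], "redirect_uri mismatch"),
        ("openid" in q.get("scope", "").split(), "scope lacks openid"),
        (bool(q.get("state")), "missing state (CSRF binding)"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample of the Location header a correctly configured gateway should send.
SAMPLE_LOCATION = ("https://oidc.example.com/auth?response_type=code&client_id=bookinfo-client"
                   "&redirect_uri=https%3A%2F%2Fbookinfo.tetrate.com%2Fbearer"
                   "&scope=openid+profile&state=abc123")
```

Paste the real Location header from your browser's network tab (or curl -I) into check_redirect to compare it with what Step 2 configured.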