Tetrate Service Bridge, version 1.8.x

User Authentication with OIDC

This guide walks through integrating OpenID Connect (OIDC) user authentication with Tetrate Service Bridge (TSB), using the Bookinfo application deployed on TSB as the worked example. By the end, the Bookinfo gateway will send unauthenticated users to your Identity Provider and admit only those who complete login there, so you can apply the same configuration to any application managed by TSB.


Before you begin, ensure you have:

Authorization Code

TSB currently supports only the authorization code flow for OIDC, in which the gateway obtains tokens from the Identity Provider over a back channel rather than receiving them through the user's browser.

OIDC Authorization Code Flow

The following sequence chart describes the steps for a user to access the Bookinfo application through OIDC authentication.

[Sequence chart: User Authentication with OIDC]

  • User access request: The user's browser requests the Bookinfo application through the OIDC-enabled gateway.
  • Redirect to the Identity Provider (IDP): Finding no authenticated session, the gateway responds with a redirect to the IDP's authorization endpoint. The redirect carries the client ID, the callback (redirect) URI on the gateway and a state value that ties the eventual callback to this request.
  • User authentication: The user completes the login process on the IDP's page.
  • Authorization code issued: Upon successful authentication, the IDP redirects the browser back to the gateway's callback URI with a short-lived, single-use authorization code. In the authorization code flow the token itself never passes through the browser.
  • Redirect back to the gateway: The browser follows that redirect, delivering the code and the state value to the gateway.
  • Code exchange and token validation: The gateway checks that the state matches a pending request, exchanges the code for an ID token in a direct request to the IDP's token endpoint (authenticating with the client secret from Step 1), and validates the token's signature, issuer, audience and expiry before determining the user's access permissions.
  • Grant access: Once validation succeeds, the gateway forwards the request to the Bookinfo application.
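The exchange the list describes, carried end-to-end between a constructed identity provider and a constructed gateway. This is an added example, not TSB or Istio code: the issuer URL, client ID, client secret and hostnames are hypothetical, and HS256 with a shared key stands in for a real IDP's RS256 signing keys published via JWKS. It shows what the gateway must check at each step and which abuses those checks stop: a callback with an unknown state, a replayed code, a code exchange without the client secret, a token issued to a different client, and a tampered payload.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class IdentityProvider:
    """Constructed IDP. Real IDPs sign with RS256 and publish keys via JWKS; HS256 with a shared key stands in."""
    def __init__(self, issuer, client_id, client_secret, signing_key):
        self.issuer, self.authorization_endpoint = issuer, issuer + "/authorize"
        self.client_id, self.client_secret, self.signing_key = client_id, client_secret, signing_key
        self.codes = {}  # unused codes: code -> (user, nonce, redirect_uri)

    def authorize(self, params: dict, authenticated_user: str) -> str:
        # Steps 2-4: the user logged in here; the IDP hands back a one-time code, never the token itself.
        if params.get("response_type") != "code" or params.get("client_id") != self.client_id:
            raise PermissionError("unsupported authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (authenticated_user, params["nonce"], params["redirect_uri"])
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> str:
        # Step 6, back channel: only the gateway holds client_secret (the Step 1 Kubernetes secret).
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)  # single use: exchanging the same code twice fails
        if entry is None or entry[2] != redirect_uri:
            raise PermissionError("unknown, already used, or mismatched code")
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": entry[0], "aud": client_id, "iat": now, "exp": now + 300, "nonce": entry[1]}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(self.signing_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

class Gateway:
    """Gateway side: redirect to the IDP, exchange the code, validate the ID token."""
    def __init__(self, idp, client_id, client_secret, redirect_uri, verify_key):
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret
        self.redirect_uri, self.verify_key = redirect_uri, verify_key
        self.pending = {}  # state -> nonce for logins awaiting their callback

    def redirect_to_idp(self) -> str:
        # Steps 1-2: no session, so 302 to the IDP. state ties the callback to this request, nonce ties the token to it.
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return self.idp.authorization_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": "openid",
            "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce})

    def handle_callback(self, callback_url: str) -> dict:
        # Steps 5-7: the browser arrives with code and state.
        query = query_params(callback_url)
        if query.get("state") not in self.pending:
            raise PermissionError("callback does not match a pending login (forged or replayed)")
        nonce = self.pending.pop(query["state"])
        id_token = self.idp.token(query.get("code", ""), self.client_id, self.client_secret, self.redirect_uri)
        return self.validate_id_token(id_token, nonce)

    def validate_id_token(self, id_token: str, nonce: str) -> dict:
        header, payload, sig = id_token.split(".")
        expected = hmac.new(self.verify_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise PermissionError("signature check failed")
        claims = json.loads(b64url_decode(payload))
        checks = {"wrong issuer": claims.get("iss") == self.idp.issuer,
                  "token not issued for this client": claims.get("aud") == self.client_id,
                  "token expired": claims.get("exp", 0) > time.time(),
                  "nonce mismatch, token not bound to this login": claims.get("nonce") == nonce}
        failed = [reason for reason, ok in checks.items() if not ok]
        if failed:
            raise PermissionError("; ".join(failed))
        return claims

def build_pair():
    """Constructed IDP and gateway sharing one client registration and one key (hypothetical names)."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example", "bookinfo-client", "s3cret", key)
    gw = Gateway(idp, "bookinfo-client", "s3cret", "https://bookinfo.example/oauth2/callback", key)
    return idp, gw

def login(idp: IdentityProvider, gw: Gateway, user: str = "alice"):
    """Full round trip; returns the validated claims and the code that was spent."""
    params = query_params(gw.redirect_to_idp())
    callback_url = idp.authorize(params, user)
    return gw.handle_callback(callback_url), query_params(callback_url)["code"]

def rejected(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False
```

`login(*build_pair())` runs the happy path. The point of the failure checks is that each one is enforced by a different party: the IDP refuses a replayed code and a code exchange without the client secret, while the gateway refuses a callback whose state it never issued and any token whose signature, issuer, audience, expiry or nonce does not match the login it started. A gateway that skips the state or nonce check accepts a login session that an attacker initiated.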

Step 1: Create OIDC Client Secret

Create a Kubernetes secret containing the OIDC client secret. The gateway presents it to the Identity Provider's token endpoint when it exchanges the authorization code for a token. The value under data must be the base64 encoding of the raw client secret with no trailing newline; encoding the output of a plain echo, which appends one, is a common cause of failed code exchanges.

Gateway Namespace

The OIDC secret should be created in the same namespace as your gateway. In this example, the gateway is deployed in the bookinfo namespace as per the quickstart guide.

apiVersion: v1
kind: Secret
metadata:
  name: oidc-secret
  namespace: bookinfo
type: Opaque
data:
  istio_generic_secret: <base64-encoded-client-secret>

Step 2: Add OIDC Configuration to the Gateway

Next, add the OIDC configuration to the gateway. This includes the Identity Provider's OIDC URLs, the client ID, and a reference to the Kubernetes secret created in the previous step, which must live in the gateway's namespace.

Provider URLs

These URLs are provided by your Identity provider. Refer to your Identity provider OIDC documentation for more details.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  organization: tetrate
  tenant: tetrate
  workspace: bookinfo-ws
  group: bookinfo-gw
  name: bookinfo-gw-ingress
spec:
  workloadSelector:
    namespace: bookinfo
    labels:
      app: tsb-gateway-bookinfo
  http:
    - name: bookinfo
      port: 8443
      hostname: <gateway-hostname>   # the public name users browse to (see Step 3)
      tls:
        mode: SIMPLE
        secretName: bookinfo-certs
      authentication:
        oidc:
          clientId: <oidc-client-name>
          clientTokenSecret: oidc-secret
          # Identity provider OIDC URLs go here; see OIDCConfig for the field names
      routing:
        rules:
          - route:
              host: 'bookinfo/productpage.bookinfo.svc.cluster.local'

For more details on the OIDC configuration, refer to OIDCConfig.

Step 3: Verify OIDC Authentication

Finally, open the Bookinfo application through the gateway hostname in a browser. You should be redirected to the Identity Provider's login page; after you authenticate there, you are redirected back to the Bookinfo application, confirming that OIDC authentication is working with your TSB deployment. If the application is served without a redirect, the OIDC configuration has not taken effect on that gateway: confirm that the Gateway's workloadSelector matches the gateway deployment and that the secret exists in the gateway's namespace.
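A check for this step that goes beyond watching the browser. The added example below (not TSB tooling) parses the first response the gateway returns to an unauthenticated request, as you would capture it with `curl -si https://<gateway-hostname>/productpage`, and confirms it is an authorization-code redirect to the configured IDP carrying the expected client ID, the openid scope, a state parameter and an https callback on the gateway hostname. The IDP issuer, client ID and hostname are assumed values, and the three responses are constructed stand-ins, not captures: one healthy redirect, one HTTP 200 from a gateway on which the OIDC configuration never applied, and one redirect with the wrong client, the implicit flow's response_type and no state.

```python
from urllib.parse import parse_qs, urlparse

# Assumed values (hypothetical): the IDP issuer, the Gateway's clientId and the gateway hostname.
EXPECTED = {"issuer": "https://idp.example", "client_id": "bookinfo-client", "gateway_host": "bookinfo.example"}

def parse_response(raw: str):
    """Split a raw HTTP response head into (status code, {lower-cased header: value})."""
    status_line, *lines = raw.strip().splitlines()
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def check_oidc_redirect(raw: str, expected: dict = EXPECTED) -> list:
    """Return findings for the gateway's first response; an empty list means the redirect looks right."""
    status, headers = parse_response(raw)
    findings = []
    if status not in (302, 303):
        findings.append(f"expected a redirect to the IDP, got HTTP {status}: the OIDC configuration "
                        "is not in effect on this gateway (check the Gateway's workloadSelector)")
        return findings
    location = urlparse(headers.get("location", ""))
    issuer = urlparse(expected["issuer"])
    if (location.scheme, location.netloc) != (issuer.scheme, issuer.netloc):
        findings.append(f"redirect goes to {location.netloc!r}, not to the configured IDP")
    q = {k: v[0] for k, v in parse_qs(location.query).items()}
    if q.get("response_type") != "code":
        findings.append(f"response_type is {q.get('response_type')!r}; the authorization code flow requires 'code'")
    if q.get("client_id") != expected["client_id"]:
        findings.append(f"client_id {q.get('client_id')!r} does not match the Gateway's clientId")
    if "openid" not in q.get("scope", "").split():
        findings.append("scope lacks 'openid', so the IDP will not issue an ID token")
    if not q.get("state"):
        findings.append("missing state parameter: the callback cannot be tied to this request")
    redirect_uri = urlparse(q.get("redirect_uri", ""))
    if redirect_uri.scheme != "https" or redirect_uri.hostname != expected["gateway_host"]:
        findings.append(f"redirect_uri {q.get('redirect_uri')!r} should be an https URL on the gateway hostname")
    return findings

# Constructed sample responses (not captures from a real gateway).
HEALTHY = """HTTP/2 302
location: https://idp.example/authorize?response_type=code&client_id=bookinfo-client&scope=openid+profile&redirect_uri=https%3A%2F%2Fbookinfo.example%2Foauth2%2Fcallback&state=4f1a9c
"""
NO_OIDC = """HTTP/2 200
content-type: text/html; charset=utf-8
"""
MISCONFIGURED = """HTTP/2 302
location: https://idp.example/authorize?response_type=token&client_id=other-app&scope=openid&redirect_uri=http%3A%2F%2Fbookinfo.example%2Foauth2%2Fcallback
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("no-oidc", NO_OIDC), ("misconfigured", MISCONFIGURED)):
        print(name, check_oidc_redirect(sample) or "OK")
```

Run it against a real capture by pasting the response head in place of one of the samples and setting EXPECTED to your values. The state check matters most: without it, an attacker can complete a login in their own browser and hand the resulting callback URL to a victim, logging the victim into the attacker's account.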