Skip to main content
logoTetrate Service BridgeVersion: next

User Authentication with OIDC

This guide provides step-by-step instructions on integrating OIDC (OpenID Connect) authentication with Tetrate Service Bridge (TSB) for user authentication. We will illustrate this process using the Bookinfo application deployed on TSB as a practical example. This scenario will help you understand how to configure OIDC with TSB and ensure secure user access to applications managed by TSB.

Prerequisites

Before you begin, ensure you have:

Authorization Code

Currently, TSB only supports the authorization code flow for OIDC.

OIDC Authentication Code Flow

The following sequence chart describes the steps for a user to access the Bookinfo application through OIDC authentication.

User Authentication with OIDC Sequence Chart

  • User access request: The user attempts to access the Bookinfo application through a configured OIDC-enabled gateway.
  • Redirect to Identity Provider (IDP): If the user is not authenticated, the gateway redirects the user to the IDP login page.
  • User authentication: The user completes the login process on the IDP's page.
  • Obtain authentication token: Upon successful authentication, the IDP issues an authentication token to the user.
  • Redirect back to the gateway: The user returns to the gateway with the authentication token.
  • Gateway token validation: The gateway validates the token's validity and determines the user's access permissions.
  • Grant access: Once validation is successful, the gateway allows the user to access the Bookinfo application.

Step 1: Create OIDC Client Secret

Create a Kubernetes secret containing the OIDC client credentials. The gateway will use this secret to authenticate with the Identity Provider.

Gateway Namespace

The OIDC secret should be created in the same namespace as your gateway. In this example, the gateway is deployed in the bookinfo namespace as per the quickstart guide.

apiVersion: v1
kind: Secret
metadata:
name: oidc-secret
namespace: bookinfo
data:
istio_generic_secret: <base64-encoded-client-secret>
type: Opaque

Step 2: Add OIDC Configuration to the Gateway

Next, add the OIDC configuration to the gateway. This includes the Identity provider OIDC URLs, client ID, and the client secret stored as a Kubernetes secret created in the previous step.

Provider URLs

These URLs are provided by your Identity provider. Refer to your Identity provider OIDC documentation for more details.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
Metadata:
organization: tetrate
name: bookinfo-gw-ingress
group: bookinfo-gw
workspace: bookinfo-ws
tenant: tetrate
spec:
workloadSelector:
namespace: bookinfo
labels:
app: tsb-gateway-bookinfo
http:
- name: bookinfo
port: 8443
hostname: bookinfo.tetrate.com
tls:
mode: SIMPLE
secretName: bookinfo-certs
authentication:
oidc:
clientId: <oidc-client-name>
clientTokenSecret: oidc-secret
redirectUri: https://bookinfo.tetrate.com/bearer
provider:
issuer: https://oidc.example.com/issuer
authorizationEndpoint: https://oidc.example.com/auth
tokenEndpoint: https://oidc.example.com/token
jwksUri: https://oidc.example.com/jwks
routing:
rules:
- route:
serviceDestination:
host: 'bookinfo/productpage.bookinfo.svc.cluster.local'
TLS Configuration

If your OIDC provider requires a specific TLS configuration, you can add the tls field to the OIDC configuration. If not specified, TSB uses the system default CA certificates for TLS verification.

      authentication:
oidc:
clientId: <oidc-client-name>
clientTokenSecret: oidc-secret
redirectUri: https://bookinfo.tetrate.com/bearer
provider:
issuer: https://oidc.example.com/issuer
authorizationEndpoint: https://oidc.example.com/auth
tokenEndpoint: https://oidc.example.com/token
jwksUri: https://oidc.example.com/jwks
tls:
mode: SIMPLE
secretName: oidc-tls-secret

For more details on the OIDC configuration, refer to OIDCConfig and OIDCProviderConfig in the TSB API reference.

Step 3: Verify OIDC Authentication

Finally, access the Bookinfo application through the gateway hostname https://bookinfo.tetrate.com. You should be redirected to the Identity provider's login page. Upon successful authentication, you will be redirected back to the Bookinfo application, confirming the successful integration of OIDC authentication with your TSB deployment.