5 minutes with Gloo — OIDC
Configuring Gloo and Envoy to use OIDC (OpenID Connect)
In this series of Blogs titled ‘5 minutes with Gloo’, we’ll introduce some of the Gloo and Gloo Enterprise functionality in a summarized form. It should only take you 5 minutes to understand the feature we’re presenting, and if you’re willing to try it yourself, it will undoubtedly be worth the extra time.
For this first post, we will explain how you can integrate Gloo with OIDC (OpenID Connect). It’s fair to say that the primary objective of OIDC is to verify the identity of a user. This feature is available on the Enterprise version of Gloo and you can request your free trial now.
Gloo and OIDC
For Gloo to perform the actions needed by OIDC, we deploy the external auth microservice which will communicate with Envoy using an external authorization filter. To clarify an important point, Envoy itself does not provide an OIDC filter, but rather an API (HTTP or gRPC). We at Solo.io implemented an OIDC capability for Envoy.
In a very simplistic manner, a request would flow like this:
You can check our blog on ‘Building a Control Plane for Envoy’ for more details on how envoy filters work.
There are three steps needed:
1 — Create OAuth tokens on your preferred provider.
Google and Okta are examples of popular services. Once you have done that, save those tokens in environment variables. That will be useful later.
2 — Create a kubernetes secret with your auth secret.
You can use the glooctl command line for that.
glooctl create secret --namespace gloo-system --name google oauth --client-secret $CLIENT_SECRET
3 — Create and configure a virtual service to use your OAuth tokens
glooctl create virtualservice --namespace gloo-system --name default --enable-oidc-auth \ --oidc-auth-client-secret-name google \ --oidc-auth-client-secret-namespace gloo-system \ --oidc-auth-issuer-url https://accounts.google.com \ --oidc-auth-client-id $CLIENT_ID \ --oidc-auth-app-url http://localhost:8080/ \ --oidc-auth-callback-path /callback
Note that we’re using Google as the issuer, so you need to change the ‘issuer-url’ to reflect your chosen method.
And that’s it. Access to http://localhost:8080 will now be authenticated using OIDC, Gloo, and Envoy.
For more details, check our documentation.