5 minutes with Gloo — OIDC

Configuring Gloo and Envoy to use OIDC (OpenID Connect)

In this series of Blogs titled ‘5 minutes with Gloo’, we’ll introduce some of the Gloo and Gloo Enterprise functionality in a summarized form. It should only take you 5 minutes to understand the feature we’re presenting, and if you’re willing to try it yourself, it will undoubtedly be worth the extra time.

For this first post, we will explain how you can integrate Gloo with OIDC (OpenID Connect). It’s fair to say that the primary objective of OIDC is to verify the identity of a user. This feature is available on the Enterprise version of Gloo and you can request your free trial now.

Gloo and OIDC

For Gloo to perform the actions needed by OIDC, we deploy the external auth microservice, which communicates with Envoy through Envoy's external authorization filter. To clarify an important point, Envoy itself does not provide an OIDC filter; it provides an external authorization API (HTTP or gRPC), and the external auth service implements the OIDC logic behind that API.

In a very simplistic manner, a request would flow like this:

You can check our blog on ‘Building a Control Plane for Envoy’ for more details on how envoy filters work.

There are three steps needed:

1 — Create OAuth client credentials on your preferred provider.

Google and Okta are examples of popular providers. Once you have registered your application, save the client ID and client secret in environment variables; they are used in the next two steps.

CLIENT_ID=825…imq.apps.googleusercontent.com
CLIENT_SECRET=CCh…lmT

2 — Create a Kubernetes secret holding your client secret.

You can use the glooctl command line for that.

glooctl create secret --namespace gloo-system --name google oauth \
--client-secret $CLIENT_SECRET

3 — Create and configure a virtual service to use your OAuth client credentials

glooctl create virtualservice --namespace gloo-system --name default --enable-oidc-auth \
--oidc-auth-client-secret-name google \
--oidc-auth-client-secret-namespace gloo-system \
--oidc-auth-issuer-url https://accounts.google.com \
--oidc-auth-client-id $CLIENT_ID \
--oidc-auth-app-url http://localhost:8080/ \
--oidc-auth-callback-path /callback

Note that we’re using Google as the issuer, so you need to change the ‘issuer-url’ to reflect your chosen provider.
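To show what the external auth service does with these settings on each request, here is an added Python model of the per-request decision; it is not Gloo's code. It uses the page's app URL and callback path; the issuer URL, client ID, authorization endpoint and in-memory session store are constructed assumptions, and the code-to-ID-token exchange is injected as a callable because the real one is a network call to the provider's token endpoint.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode, urljoin, urlsplit, parse_qs
import secrets
import time

@dataclass
class OidcConfig:
    issuer_url: str
    client_id: str
    app_url: str
    callback_path: str
    authorization_endpoint: str  # in practice discovered from issuer_url/.well-known/openid-configuration

@dataclass
class Decision:
    allow: bool          # True: Envoy forwards the request upstream
    status: int          # status returned to the client when not allowed
    headers: dict = field(default_factory=dict)

class OidcAuthz:
    """Constructed model of an ext-authz OIDC check (not Gloo's implementation)."""
    def __init__(self, cfg, exchange_code):
        self.cfg = cfg
        self.exchange_code = exchange_code   # code -> ID token claims; a network call in reality
        self.sessions = {}                   # session id -> expiry (constructed in-memory store)
        self.pending = {}                    # state -> path to return to after login

    def check(self, path, cookies):
        cfg, now = self.cfg, time.time()
        sid = cookies.get("oidc_session")
        if sid in self.sessions and self.sessions[sid] > now:
            return Decision(True, 200)                        # valid session: allow
        url = urlsplit(path)
        if url.path == cfg.callback_path:
            q = parse_qs(url.query)
            state, code = q.get("state", [None])[0], q.get("code", [None])[0]
            if state not in self.pending or code is None:
                return Decision(False, 403)                   # unknown state: reject (CSRF/replay)
            claims = self.exchange_code(code)
            if (claims.get("iss") != cfg.issuer_url or claims.get("aud") != cfg.client_id
                    or claims.get("exp", 0) <= now):
                return Decision(False, 403)                   # wrong issuer/audience or expired
            sid = secrets.token_urlsafe(24)
            self.sessions[sid] = claims["exp"]               # session lives as long as the token
            return Decision(False, 302, {"location": self.pending.pop(state),
                                         "set-cookie": f"oidc_session={sid}; HttpOnly; Secure; Path=/"})
        state = secrets.token_urlsafe(16)                     # fresh state per login attempt
        self.pending[state] = path
        params = {"response_type": "code", "client_id": cfg.client_id, "scope": "openid",
                  "redirect_uri": urljoin(cfg.app_url, cfg.callback_path), "state": state}
        return Decision(False, 302, {"location": f"{cfg.authorization_endpoint}?{urlencode(params)}"})
```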

And that’s it. Access to http://localhost:8080 will now be authenticated using OIDC, Gloo, and Envoy.

For more details, check our documentation.