user doc for oidc

Signed-off-by: huabing zhao <[email protected]>
envoyproxy · Nov 30, 2023 · 78737af · 78737af
1 parent 0add22b
commit 78737af
Showing 1 changed file with 104 additions and 0 deletions.
diff --git a/site/content/en/latest/user/oidc.md b/site/content/en/latest/user/oidc.md
@@ -0,0 +1,104 @@
+---
+title: "OIDC Authentication"
+---
+
+This guide provides instructions for configuring [OpenID Connect (OIDC)][oidc] authentication.
+OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. 
+It enables client applications to rely on authentication that is performed by an OpenID Connect Provider (OP) 
+to verify the identity of a user.
+
+Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure OIDC 
+authentication. 
+This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute][HTTPRoute] resource.
+
+## Prerequisites
+
+Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+## Configuration
+
+This guide uses Google as the OIDC provider to demonstrate the configuration of OID. However, EG works with use any OIDC
+provider that supports the [Authorization Code Flow][oidc-auth-code-flow].
+
+### Register an OIDC application
+
+Follow the steps in the [Google OIDC documentation][google-oidc] to register an OIDC application. After registering the
+application, you should have the following information:
+* Client ID: The client ID of the OIDC application.
+* Client Secret: The client secret of the OIDC application.
+
+### Create a kubernetes secret
+
+Next, create a kubernetes secret with the Client Secret created in the previous step. The secret is an Opaque secret,
+and the Client Secret must be stored in the key "client-secret".
+
+Note: please replace the ${CLIENT_SECRET} with the actual Client Secret that you got from the previous step.
+
+```shell
+$ kubectl create secret generic my-app-client-secret --from-literal=client-secret=${CLIENT_SECRET}
+secret "my-app-client-secret" created
+```
+
+### Create a SecurityPolicy
+
+Note: please replace the ${CLIENT_ID} with the actual Client ID that you got from the previous step.
+
+```shell
+cat <<EOF | kubectl apply -f -
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: oidc-example
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: backend
+  oidc:
+    provider:
+      issuer: "https://accounts.google.com"
+    clientID: "${CLIENT_ID}.apps.googleusercontent.com"
+    clientSecret:
+      name: "my-app-client-secret"
+EOF
+```
+
+Verify the SecurityPolicy configuration:
+
+```shell
+kubectl get securitypolicy/oidc-example -o yaml
+```
+
+## Testing
+
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../quickstart) guide is set. If not, follow the
+Quickstart instructions to set the variable.
+
+```shell
+echo $GATEWAY_HOST
+```
+
+Open a browser and navigate to the `GATEWAY_HOST` address. You should be redirected to the Google login page. After you
+successfully login, you should see the response from the backend service.
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+
+Delete the SecurityPolicy and the secret
+
+```shell
+kubectl delete securitypolicy/oidc-example
+kubectl delete secret/my-app-client-secret
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../contributions/develop/) to get involved in the project.
+
+[oidc] https://openid.net/connect/
+[google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect
+[SecurityPolicy]: ../../design/security-policy/
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute