update doc
Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing committed Aug 27, 2024
1 parent a5bdc9b commit a7f0b27
Showing 8 changed files with 33 additions and 11 deletions.
3 changes: 2 additions & 1 deletion api/v1alpha1/oidc_types.go
Expand Up @@ -42,7 +42,8 @@ type OIDC struct {
// If set, the cookies will be set on the specified domain and all subdomains.
// This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
// +optional
// +kubebuilder:validation:Pattern=`^[a-z0-9.]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
// +notImplementedHide
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
CookieDomain *string `json:"cookieDomain,omitempty"`

// The OIDC scopes to be used in the
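Review bot: the `+kubebuilder:validation:Pattern` change in this hunk (the leading `.` is dropped from the first character class, so a value such as `.example.com` no longer validates) is a behavioural API change that the commit message `update doc` does not mention; describe it in the message. Also add a comment above `+notImplementedHide` stating that the marker hides `cookieDomain` from the generated API reference, because the field remains in the CRD and the OIDC task page in this same commit still depends on the cookie being shared across subdomains, so a reader of the type has no way to tell why it is hidden.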
Expand Up @@ -2055,7 +2055,7 @@ spec:
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
pattern: ^[a-z0-9.]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
type: string
cookieNames:
description: |-
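Review bot: the regenerated `pattern` agrees with the Go marker, but any existing SecurityPolicy whose `cookieDomain` begins with a dot (the form the test data used until this commit, `.example.com`) will now be rejected by admission on its next update; either note this in the release notes or accept the leading-dot form and normalise it rather than failing validation.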
Expand Up @@ -132,4 +132,4 @@ securityPolicies:
defaultTokenTTL: 1h
refreshToken: true
defaultRefreshTokenTTL: 48h
cookieDomain: ".example.com"
cookieDomain: "example.com"
2 changes: 1 addition & 1 deletion internal/xds/translator/testdata/in/xds-ir/oidc.yaml
Expand Up @@ -73,4 +73,4 @@ http:
cookieNameOverrides:
idToken: "CustomIdTokenOverride"
accessToken: "CustomAccessTokenOverride"
cookieDomain: ".example.com"
cookieDomain: "example.com"
Expand Up @@ -73,7 +73,7 @@
authorizationEndpoint: https://oauth.bar.com/oauth2/v2/auth
credentials:
clientId: client.oauth.bar.com
cookieDomain: .example.com
cookieDomain: example.com
cookieNames:
bearerToken: CustomAccessTokenOverride
idToken: CustomIdTokenOverride
1 change: 0 additions & 1 deletion site/content/en/latest/api/extension_types.md
Expand Up @@ -2478,7 +2478,6 @@ _Appears in:_
| `clientID` | _string_ | true | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br /><br />This is an Opaque secret. The client secret should be stored in the key<br />"client-secret". |
| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses a randomly generated suffix |
| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.<br />If not set, the cookies will default to the host of the request, not including the subdomains.<br />If set, the cookies will be set on the specified domain and all subdomains.<br />This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. |
| `scopes` | _string array_ | false | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
| `resources` | _string array_ | false | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
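Review bot: removing the `cookieDomain` row here leaves no reference documentation for the field, while the OIDC task page changed in this same commit still tells users that the ID token cookie "is shared across subdomains", which is exactly what `cookieDomain` controls; either keep the row with a note that the field is hidden pending implementation, or adjust the task page so it does not promise behaviour the documented API no longer exposes.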
31 changes: 27 additions & 4 deletions site/content/en/latest/tasks/security/oidc.md
Expand Up @@ -97,7 +97,7 @@ providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA,

Follow the steps in the [Google OIDC documentation][google-oidc] to register an OIDC application. Please make sure the
redirect URL is set to the one you configured in the SecurityPolicy that you will create in the step below. In this example,
the redirect URL is `http://www.example.com:8443/myapp/oauth2/callback`.
the redirect URL is `https://www.example.com:8443/myapp/oauth2/callback`.

After registering the application, you should have the following information:
* Client ID: The client ID of the OIDC application.
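Review bot: the `http` to `https` fix in the redirect URL is the right one for the TLS listener on port 8443 used throughout this guide; since the sentence above already tells readers to register exactly the URL the SecurityPolicy produces, it is worth spelling out that scheme, host and port all have to match, because a mismatch in any one of them is the usual cause of the provider refusing the callback.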
Expand Down Expand Up @@ -221,7 +221,7 @@ If you haven't registered an OIDC application, follow the steps in the previous

If you haven't created a kubernetes secret, follow the steps in the previous section to create a kubernetes secret.

### Create another HTTPRoute
### Create an HTTPRoute with a different subdomain

Let's create another HTTPRoute in the same Gateway, but with a different subdomain.

Expand Down Expand Up @@ -355,17 +355,40 @@ Verify the SecurityPolicy configuration:
kubectl get securitypolicy/oidc-example -o yaml
```

### Update the Listener TLS certificate to support multiple subdomains

Create a multi-domain wildcard certificate for `*.example.com`.

```shell
openssl req -out wildcard.csr -newkey rsa:2048 -nodes -keyout wildcard.key -subj "/CN=*.example.com/O=example organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in wildcard.csr -out wildcard.crt
```

Replace the TLS certificate of the Gateway with the wildcard certificate.

```shell
kubectl delete secret example-cert
kubectl create secret tls example-cert --key=wildcard.key --cert=wildcard.crt
```

### Testing

If you haven't done so, follow the steps in the previous section to port forward gateway port to localhost and put
www.example.com in the /etc/hosts file in your test machine.

Also, put foo.example.com in the /etc/hosts file in your test machine.

```shell
...
127.0.0.1 foo.example.com
```

Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google
login page. After you successfully login, you should see the response from the backend service.

You can also try to access `https://foo.example.com:8443` and `https://www.example.com:8443/bar` addresses. You should
be able to see the response from the backend service since these HTTPRoutes are protected by the same OIDC policy and
the ID token cookie is shared across subdomains.
be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config,
and the ID token cookie is shared across subdomains.

## Clean-Up

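Review bot: `openssl x509 -req ... -set_serial 0` gives the wildcard certificate serial 0; if `example.com.crt` was issued by the same CA with the same serial earlier in the guide, the CA has now issued two certificates with one serial, which clients may reject or conflate, so use a distinct value (for example `-set_serial 1`). Also, `kubectl delete secret example-cert` followed by `kubectl create secret tls` leaves a window in which the Gateway listener has no certificate; `kubectl create secret tls example-cert --key=wildcard.key --cert=wildcard.crt --dry-run=client -o yaml | kubectl apply -f -` replaces the secret in place without that gap.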
1 change: 0 additions & 1 deletion site/content/zh/latest/api/extension_types.md
Expand Up @@ -2478,7 +2478,6 @@ _Appears in:_
| `clientID` | _string_ | true | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br /><br />This is an Opaque secret. The client secret should be stored in the key<br />"client-secret". |
| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses a randomly generated suffix |
| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.<br />If not set, the cookies will default to the host of the request, not including the subdomains.<br />If set, the cookies will be set on the specified domain and all subdomains.<br />This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. |
| `scopes` | _string array_ | false | The OIDC scopes to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />The "openid" scope is always added to the list of scopes if not already<br />specified. |
| `resources` | _string array_ | false | The OIDC resources to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |

0 comments on commit a7f0b27