Skip to content

Microservice Gateway Authentication Server - Integrating OIDC Authentication

The Microservice Engine Gateway's OIDC authentication service demo consists of two parts.

  1. Authentication service, code repository: https://github.com/projectsesame/contour-authserver
  2. Identity Provider (referred to as IDP), code repository: https://github.com/projectsesame/dex

Deploy the ldp service by deploying it in a Kubernetes cluster according to the contents of the dex-all-in-one.yaml file. The DEX_ISSUER environment variable should point to the nodeport or load balancer address of the ldp service + /dex. This service must be exposed for external access. The DEX_STATIC_CLIENT_REDIRECT_URI environment variable should list the allowed client redirect URIs in the format http(s)://+domain+port+redirectPath, where the path is the redirectPath of the authentication service that will be deployed later. Other environment variables are not recommended to be modified. If you wish to experiment, you can refer to the config.docker.yaml file for modifications and rebuild the image. After successful deployment, you can start deploying the authentication service. Deploy it in a Kubernetes cluster according to the contents of the auth-oidc-all-in-one.yaml file. Some parts of the content in the configMap need to be configured according to your own environment. Here are the meanings of each configuration item:

Parameter Name Parameter Type Parameter Meaning Parameter Example Note
address string Address where the service is provided :10083 Indicates that the service can be accessed through port 10083 from any address. The port should match the service port
issuerURL string Identity Provider http://10.6.222.22:30051/dex Fill in the address of the IDP service nodePort or loadBalancer + /dex. In the example, it is accessed via nodePort
clientID string Client ID example-app Client ID and secret for the example application are hardcoded
clientSecret string Client Secret ZXhhbXBsZS1hcHAtc2VjcmV0
scopes []string Access scopes openid, profile, email, offline_access
redirectURL string Redirect callback URL https://yangyang.daocloud.io:30443 Example is https://+domain+https port
redirectPath string Redirect path /oauth2/callback The gateway API configuration should include this path in the authentication path

The above configuration items in this demo are issuerURL and redirectURL. These two should be modified according to the deployment environment, and other parameters are not recommended to be changed! The following documentation will explain using the example configurations mentioned above.

Once both services are successfully deployed, you can proceed with the configuration through the Microservice Engine web interface. Here are the configuration steps:

  1. Create a Plugin

  2. Select the gateway, create a domain, and select the security authentication plugin created in the first step

  3. Create an API and select the newly created domain

  4. After successfully creating the API, access it through a browser

    Access https://yangyang.daocloud.io:30443/

    Since we have configured the domain for authentication, the page will redirect to the ldp service's login page. The right image shows the redirection process. In the example code, the username is: admin@example.com, and the password is: password.

    After logging in, an authorization page will be displayed. Click Grant Access

    After a few redirects, you should be able to access the backend API successfully:

With this, the complete logic of implementing OIDC authentication using the Microservice Engine has been completed.

Comments