Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / Gloo Platform / 18 Jul 2023
solo.io / Gloo Platform / 18 Jul 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Securing Application Communication with OIDC Workflow and Gloo Mesh | Step-by-Step Guide

Description

In this tutorial, we'll walk you through the process of securing the communication to your applications using an OIDC workflow with Gloo Mesh and Keycloak. Whether you're a developer or an IT professional, implementing this workflow will enhance your application's security and ensure only authorized users gain access.

First, we deploy Keycloak as our Identity Provider (IDP) in the cluster. Don't worry if you already have your IDP deployed elsewhere; this guide is adaptable to various IDPs that support OIDC workflows. We'll create two users, "userone@example.com" and "usertwo@solo.io," setting the stage for authorization rules later in the workshop.

Once Keycloak is up and running, we'll configure it to handle user authentication, allowing you to obtain a token from Keycloak as an admin. This token will enable us to automatically create the necessary resources, including the users.

Next, we'll delve into the OIDC workflow by creating an OAuth secret that corresponds with the Keycloak secret. With this in place, we'll implement an extauth policy in Gloo, a powerful tool that applies to routes based on labels. This policy will redirect incoming requests to Keycloak for user authentication. Keycloak will generate an ID token (JOT token), which we'll store in Redis. Instead of storing the token in the user's browser as a cookie, we'll create a more secure approach, using Redis to store the JOT token and a session cookie in the user's browser. This ensures smoother authentication and avoids cookie size limitations.

With the OIDC workflow in place, we'll move on to configuring the extauth server, a vital component in this setup. You can choose to have multiple extauth servers for different teams, but for this demonstration, we'll use a single extauth server for the cluster. This setup allows the extauth server to retrieve the JOT token from Redis on behalf of the user.

Enhancing the security further, we'll use the Open Policy Agent (OPA) Library embedded in the extauth server. With OPA's regal language, we'll define authorization rules based on user email claims. The rules state that if the email claim ends with "@solo.io," the user is authorized; otherwise, access is denied.

After creating the config map to store the authorization rules, we'll update the extauth policies with the new rule, comprising two steps: user authentication and user authorization.

As we wrap up the tutorial, you'll witness the final implementation in action. When trying to access the application, you'll be redirected to Keycloak for authentication. We'll demonstrate successful authentication with user one and user two, showcasing how the authorization rules come into play. If your email matches the authorized domain, access is granted; otherwise, a 403 Forbidden response is generated.

With this comprehensive guide, you'll have a better understanding of securing your application's communication using OIDC workflows with Gloo and Keycloak. Stay tuned for more exciting content and best practices to enhance your application's security and performance. Don't forget to subscribe and hit the notification bell to stay up-to-date with our latest tutorials!

A

Now, let's secure the communication to our applications., the first thing we're going.

A

To do is implement an oidc workflow. for demo purposes, we're going to deploy keycloak in our.

A

Cluster,, but in your real environment you might already have your idp deployed somewhere else.

A

And this idp, you know it could be keycloak or really any idp. That supports your oidc workflow.

A

So after we deploy it, we're going to configure it so that we create two different users.

A

There's one for user, one at example.com and the second for user two at solo.io.. So these email.

A

Addresses will be important because we're going to put some authorization rules later in the workshop.

A

So, let's export these variables., so we know the url of the keycloak that we just deployed,.

A

And this url will correspond to the keycloak service...the service of load balancer. That.

A

We just deployed., so that's the external ip and now I can get the token from keycloak.

A

As an admin to be able to automatically create the resources that I need,, like the user.

A

So we've we have to create the user, but you also have to define some additional.

A

Things like the allowed redirect uri and some other things. if you're already familiar with.

A

Like oauth or something before, then you know these. These details.

A

So we're just setting up the oidc server basically.

A

So let's apply these... everything's created everything's working in keycloak,.

A

And now I can start configuring gloo to take advantage of it.. So first, what we'll need to.

A

Do is we'll take we'll make an oauth secret that corresponds with the keycloak secret.

A

So...

A

We'll create that here.

A

And now what we'll do is create an extauth policy., just like other policies in gloo you're going.

A

To apply it to routes based on labels,, so here you can see we're going to put the url of our.

A

Application that we already set,, but let's check this environment variable.. Let me just.

A

Verify that this environment variable is set correctly. just need to test it. Real quick...

A

Yep, okay, it's it set properly,. So that's the end point that I.

A

Used to access the http bin application.

A

And you can also see the client id for keycloak that we've created and the url, etc. so here. What.

A

We're saying is that we want to implement this oidc workflow and, as a request comes in to.

A

This workflow, the user, will be redirected to keycloak to authenticate themselves, and after,. It will.

A

Generate a jot token that we'll call an id token and by default this token is stored in the.

A

Browser of the user as a cookie, but it's not the best practice because sometimes just doesn't work.

A

Because the cookie can be too big compared to the maximum cookie size allowed in the browser.

A

So here what we're going to do is we want to store this jot token in redis...

A

So the jot token will be stored in redis and we'll create a session cookie. That will be.

A

Stored in the browser of the user., so now, when the user sends a request with this.

A

Cookie session,, the platform will know to retrieve the the real jot token from redis.

A

So this is the best practice to configure it. This way.

A

So once we have it configured,, we just need to configure the extauth server.

A

You could have multiple extauth servers in your stack.... You know maybe one for different teams,.

A

But most people just use a single extauth server for the cluster and you can see that as part of gloo.

A

Mesh add-ons we've had the extauth server deployed here.. So finally, we'll just update my route table.

A

So that I have this label oauth = to true- and I also have this slash callback.

A

Prefix, because that's where keycloak is going to redirect the user after they've authenticated.

A

So now the extauth server can retrieve the the jot token on behalf of the.

A

User, so after you configure all this, now we should be good to to go to the end point.

A

And refresh the page.

A

And now you can see, I can't access the application directly.. I need to authenticate.

A

Myself, so it it redirected me to keycloak.. I will log in with user one, for example.

A

If you remember this, user's email was userone@example.com,, so now, when I access, it, I can see.

A

The the jot token, it's also retrieved from redis and added to the request.

A

So now the backend server..., whatever I'm trying to access,, can access this jot token. If it needs to,.

A

And in another video we'll even see where we can extract some value. From this token, automatically.

A

This extauth server also embeds an opa library, opa, meaning open policy agent library,, where in opa.

A

You can create a regal language. in regal language,. You can define some additional authorization, rules,.

A

So here we have some authorization roles using regal and we're going to store it as a config.

A

Map., what we're doing here is we want to decode the jot token,. We want to look at the email, claim, and.

A

If it ends in @solo.io,, then it's going to be authorized,. Otherwise it's going to be rejected.

A

So let's create the config map and after that I can update my extauth.

A

Policies to have this now two steps. one was to authenticate in the user and the.

A

Second, one is to authorizing the user using this, this new rule that I just created.

A

So let's do that here, and now, if I go back and try to access the page,.

A

You can see I'm now, I'm getting a 403,, because now I'm not allowed to access it.

A

And the reason why I'm not able to access is because my email ended.

A

In @example.com not solo.io., we could also go and open a new window and then.

A

Just authenticate with the second user user two,, which, if you remember.

A

Was @solo.io and I can now access the page, because this user is now authorized.