This might be covered by the definition of #9...
The implementation of this is likely a third party authentication service that integrates with Ambassador. The folks at Google suggested we take a look at https://github.com/coreos/dex as the basis for implementation.
Per @liqweed:
We're using Keycloak as the IDP. Ideally, the API gateway would support an OIDC relying party implementation.
An OIDC relying party implementation implies maintaining state (for refresh tokens etc) but would be a lot more efficient than hopping to another service for each request.
It would also augment the request headers with the authenticated claims for the microservices to use.
don't mean to impose, just curious about the roadmap. If the project I'm in charge of goes that path I may be able to contribute.
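The relying-party behaviour described above (verify the user's token once, then hand the upstream microservices trusted identity headers) as an added example. This is not code from Ambassador or from any project in this thread; it is a minimal ExtAuth-style handler. It assumes HS256 tokens signed with a key the auth service holds, purely so it runs offline; a real OIDC relying party verifies the provider's RS256 ID tokens against its JWKS, and the header names `X-Auth-Subject`/`X-Auth-Email` are assumptions.

```go
// Added example (not code from ajmyyra/ambassador-auth-oidc or Ambassador):
// a minimal forward-auth / ExtAuth-style HTTP handler. The gateway sends each
// request here; we verify a bearer token and answer 200 with claim headers the
// upstream service can use, or 401.
//
// Assumption: tokens are HS256 JWTs signed with a key this service knows. A
// real OIDC relying party verifies the IdP's RS256 ID tokens against its JWKS;
// HS256 is used only so the example runs with no provider.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims we forward upstream.
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// VerifyHS256 parses a compact JWT, pins the algorithm, checks the HMAC
// signature and rejects expired tokens. Claims are returned only on success.
func VerifyHS256(token string, key []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	// Never let the token pick the algorithm (alg=none / key-confusion attacks).
	if hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	raw, err = base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthHandler is the endpoint the gateway calls for every proxied request.
func AuthHandler(key []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		c, err := VerifyHS256(tok, key, time.Now())
		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		// Identity headers for upstream services. The gateway must overwrite
		// any same-named headers the client sent, or a caller could forge them.
		w.Header().Set("X-Auth-Subject", c.Sub)
		w.Header().Set("X-Auth-Email", c.Email)
		w.WriteHeader(http.StatusOK)
	})
}

// MintHS256 builds a token for local testing; an IdP would issue these.
func MintHS256(c Claims, key []byte) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	signing := enc(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + enc(c)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signing))
	return signing + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("example-shared-secret") // assumption: key shared with the issuer
	fmt.Println(http.ListenAndServe(":8080", AuthHandler(key)))
}
```

The point a practitioner should take from this is the last comment in the handler: whatever headers the auth service emits are only trustworthy if the gateway strips or overwrites the client-supplied versions before forwarding, and the algorithm check exists because a verifier that honours the token's own `alg` field can be talked into `none` or into treating a public key as an HMAC secret.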
@sivabudh You had expressed interest in contributing on this issue. If you are investigating this, feel free to post any thoughts/questions/information in this issue.
Any update on this?
No real update. There was some community interest, but it seems that most folks who are doing this are writing their own and not necessarily open sourcing it. If anyone wants to write an OSS version, we'd be happy to help. (It's on our roadmap!)
Also oauth2_proxy seems not maintained https://github.com/bitly/oauth2_proxy/issues/594
On my part I can unfortunately update that we ended up using our existing Apache as a gateway for the time being. The effort it would have taken us to migrate our existing Apache configuration - OIDC for most routes, basic authentication for some routes, client certificate on specific request conditions, CSRF protection on some routes and more - could have put the project in considerable risk. We still intend to use Ambassador internally to configure dynamic routes to the newer parts of our architecture, but behind Apache's authentication. Hopefully not for very long.
I see the value in an API gateway support for flexible authentication schemes configuration more than ever. Once we do invest in moving away from Apache, I'll do my best to contribute in this area.
I've been working with this as we have a separate identity service in our product and would love to use Ambassador in front of our microservices. Currently the login works with OpenID Connect Authorization Code flow, and is only a Dockerfile away from being usable as Ambassador AuthService.
Current version (ajmyyra/ambassador-auth-oidc) is written in Go and is under my own account, but I can donate it to the Ambassador project if anyone else is interested in contributing. I don't consider the current version ready yet, but will be working on it in the coming days/weeks to enable better security and to add tests to the project.
If there's interest in having this as a separate part of Ambassador, or if anyone's interested in contributing, please let me know.
@ajmyyra Thanks! It seems what we need is a plug-in type system where people can write their own plug-ins for authentication and rate limiting (and others, as we add more APIs to Ambassador). We don't have this yet. I took a quick look at your repo and I wasn't entirely clear how it was supposed to work. Are you assuming that the user has an OIDC/OAuth server like Auth0 or Hydra running, and this integrates with that server?
Yup, OAuth/OIDC requires an external identity endpoint where the user can log in and their identity is transferred back to the platform. As the identity is injected into requests, backend services can then get the user's identity and make more fine-grained authorization decisions.
I'll have more time to work on this next week. Then I can document my work a bit better so it can actually be used.
@ajmyyra are you on our Slack (https://d6e.co/slack)? It would be great to chat live there.
Status update on this. Version 1.0 is now done, in Dockerhub, and YAML files for Kubernetes are available for anyone willing to test.
Not on Datawire Slack yet, guess I should join. :)
@ajmyyra Would like to test it. Where can I find the code and instructions?
@vijaykumark: Repository with instructions can be found from https://github.com/ajmyyra/ambassador-auth-oidc . Please let me know if something is unclear or doesn't work the way you expect it to.
@ajmyyra Thanks! Will check it.
I am testing with Keycloak as the OIDC provider.
Adding the Keycloak URL to OIDC_PROVIDER results in the error below:
2018/10/02 08:08:15 OIDC provider setup failed: 404 Not Found: <html><head><title>Error</title></head><body>404 - Not Found</body></html>
Which URL should be given when using Keycloak? Is it token URL? Introspect URL? or OpenID configuration URL?
/auth/realms/{realm}/.well-known/openid-configuration ?
/auth/realms/{realm}/protocol/openid-connect/token/introspect ?
OIDC_PROVIDER should be http://keycloakhost:keycloakport/auth/realms/{realm}/ . Software makes a request for .well-known/openid-configuration and discovers other endpoints from there.
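The discovery step described in this answer, as an added example (not code from ajmyyra/ambassador-auth-oidc or from Keycloak): it derives the `.well-known/openid-configuration` URL from the configured provider URL, tolerates a trailing slash, surfaces the 404 you get when the wrong endpoint is configured, and checks that the document's `issuer` matches the URL that was configured. An in-process fake with an assumed realm path stands in for Keycloak so it runs offline; its endpoint paths are constructed for the example.

```go
// Added example (not code from ajmyyra/ambassador-auth-oidc): how a relying
// party turns the configured provider URL into the discovery document and
// validates what comes back. A constructed in-process server plays Keycloak;
// the realm path and endpoint names it serves are assumptions.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Discovery holds the discovery-document fields a relying party needs.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// DiscoveryURL builds the well-known URL from the provider URL, so that
// ".../realms/demo" and ".../realms/demo/" are treated the same.
func DiscoveryURL(issuer string) string {
	return strings.TrimRight(issuer, "/") + "/.well-known/openid-configuration"
}

// Discover fetches and validates the discovery document. OIDC Discovery
// requires the document's "issuer" to match the URL the client used; enforcing
// that stops a mistyped or hostile URL from handing us someone else's endpoints.
func Discover(client *http.Client, issuer string) (*Discovery, error) {
	resp, err := client.Get(DiscoveryURL(issuer))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("OIDC provider setup failed: %s", resp.Status)
	}
	var d Discovery
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return nil, err
	}
	if strings.TrimRight(d.Issuer, "/") != strings.TrimRight(issuer, "/") {
		return nil, fmt.Errorf("issuer mismatch: document says %q, configured %q", d.Issuer, issuer)
	}
	required := map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"jwks_uri":               d.JWKSURI,
	}
	for name, v := range required {
		if v == "" {
			return nil, errors.New("discovery document missing " + name)
		}
	}
	return &d, nil
}

// FakeKeycloak serves a constructed discovery document under one realm path
// and answers 404 anywhere else, which is what a wrong OIDC_PROVIDER hits.
func FakeKeycloak(realmPath string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != realmPath+"/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		base := srv.URL + realmPath
		json.NewEncoder(w).Encode(Discovery{
			Issuer:                base,
			AuthorizationEndpoint: base + "/protocol/openid-connect/auth",
			TokenEndpoint:         base + "/protocol/openid-connect/token",
			JWKSURI:               base + "/protocol/openid-connect/certs",
		})
	}))
	return srv
}

func main() {
	srv := FakeKeycloak("/auth/realms/demo") // assumed realm path
	defer srv.Close()
	candidates := []string{
		srv.URL + "/auth/realms/demo/",                              // correct: realm root
		srv.URL + "/auth/realms/demo/protocol/openid-connect/token", // wrong: token endpoint
	}
	for _, issuer := range candidates {
		d, err := Discover(srv.Client(), issuer)
		if err != nil {
			fmt.Println(issuer, "->", err)
			continue
		}
		fmt.Println(issuer, "->", d.TokenEndpoint)
	}
}
```

Pointing OIDC_PROVIDER at the token or introspection endpoint fails at the discovery fetch, which is the 404 above; the issuer comparison is the check that protects you once the fetch succeeds.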
Deployed the auth-deployment and auth-service examples mentioned in your documentation.
Using httpbin example as the application. So setting the SELF URL to httpbin example URL http://<Ambassador URL>/httpbin.
Now the redirection is happening to below URL after authenticating at the keycloak login page:
http://<Ambassador URL>/httpbin/login/oidc?state=moEa&session_state=3c6b...&code=...
and the firefox error message:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
Did I configure it correctly? Should there anything added to the httpbin service?
Why is ambassador auth redirecting to <SELF SIGN URL>/login/oidc?state=moEa&session_state=3c6b...&code=... after keycloak authentication?
After a brief chat with @ajmyyra , setting SELF SIGN URL to http://<Ambassador URL> instead of http://<Ambassador URL>/httpbin fixed the issue.
Ambassador OIDC authentication is working with the code from https://github.com/ajmyyra/ambassador-auth-oidc
Thanks @ajmyyra
Also made some improvements to Readme and fixed one possible issue that @vijaykumark found out (when there's / at the end of SELF_URL). Thank you for testing!
As to solving this issue, should we add a small section to reference/services/auth-service.md that lists this and other projects that provide the ExtAuth service functionality to Ambassador? Can make a PR of that if it is wanted. @richarddli?
I've been working on a much more dynamic forward auth server and am ready for some early testers if anyone is interested. It features:
I've implemented 6 plugins (so far) including oauth2, OpenID Connect, ldap, htpasswd, request param, and request header. In addition, the plugins can be put into a pipeline within a single configuration. For example you can enable both basic auth (via htpasswd or ldap) and allow for oauth2/openid to protect the same service.
@travisghansen I'm interested in giving it a try. We are currently evaluating Ambassador and authentication is the final piece of the puzzle. Let me know a good place to start.
@mr-smithers-excellent yeah I've got crude documentation in place but I've certainly got some gaps to fill. Easiest would be to hop over to the project issue tracker and just open a ticket explaining your environment a little bit and what you'd like to achieve. I'll point you to the appropriate doc resource and try to document whatever is left unclear as I answer your questions and guide you through the setup.
It'll be good to have someone try it out with ambassador as my testing has been focused on traefik and nginx. Thanks!
I have followed the official Ambassador API gateway documentation to set it up on my local Ubuntu kube cluster.
I have used the host network to reach the services inside the cluster. Everything is working.
Now I followed these instructions to set up Keycloak, but now I'm not able to reach the services which were accessible previously.
I have installed Keycloak as a Docker container on the kube cluster master node.
Please help me resolve this if there is any config issue.
Error from server (BadRequest): a container name must be specified for pod oidc-auth-74ff4877c6-skmhk, choose one of: [oidc-auth auth-redis]
root@k8s-master:~/ambassador-auth-oidc# kubectl get pods
NAME READY STATUS RESTARTS AGE
ambassador-6c9658f587-rs7t5 1/1 Running 0 176m
oidc-auth-74ff4877c6-skmhk 1/2 CrashLoopBackOff 5 3m57s
tour-6c45cf8f-87vdm 2/2 Running 0 176m
root@k8s-master:~/ambassador-auth-oidc# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ambassador-admin NodePort 10.104.155.138
ambassador-oidc-auth ClusterIP 10.104.235.227
kubernetes ClusterIP 10.96.0.1
oidc-auth ClusterIP 10.105.118.240
tour ClusterIP 10.105.184.132