ivanjosipovic / oidc-guard Goto Github PK

View Code? Open in Web Editor NEW

13.0 1.0 0.0 403 KB

OpenID Connect (OIDC) & OAuth 2 API Server used to secure Kubernetes Ingress

License: MIT License

Smarty 1.42% C# 96.58% Dockerfile 2.00%

cookie ingress ingress-nginx jwt jwt-validation kubernetes nginx api webapp oauth2

oidc-guard's Introduction

OpenID Connect (OIDC) & OAuth 2 API Server used to secure Kubernetes Ingress

What is this?

This project is an API server which is used along with Ingress Controllers that support External Authentication and enables per Ingress customizable JWT validation with Cookie support for Web Applications.

Ingress Controller	JWT	Cookie
Nginx Ingress	X	X
Traefik	X	X

Features

Per Ingress JWT Validation
- A single instance of oidc-guard can protect a whole cluster with configurable rules per Ingress
Cookie Auth for Web Applications
- Returns an encrypted cookie which will be stored in the browser and sent on subsequent requests to pass through AuthN/AuthZ
JWT Auth for APIs
- Requests with a Bearer token in the Authorization header will be validated
- Supports loading JSON Web Key Set (JWKS) from Url
- Supports custom Authorization header
AMD64 and ARM64 support

Documentation

Go to Wiki

oidc-guard's People

Contributors

Stargazers

Watchers

oidc-guard's Issues

[Q&A] Is it possible to specify multiple issueer

I want my API to support selected auth providers. Is there a way oidc-guard can support this feature?

Support By-pass URL

The OIDC-Guard is amazing to enable jwt verification for ingress. It's working perfectly. However, I think it is very important to add a feature that allow by-pass URI or suffix. E.g. static files for web application should not be protected by jwt.

Question: Use of skip auth

I was wondering what the use case for using the skip auth query parameters on the auth endpoint. At service level it looks scary 👻. As I understand it, this would have to be set by the ingress controller when it makes a call to the auth endpoint. I have not been able to find any documentation on how the ingress controller would make use of this parameter. I was hoping you could shed some light on it for me.

JWT: Append Bearer if missing

Add option to append "Bearer " to the JWT token if its missing.

Renovate Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): update dependency jsonpath.net to v0.6.5

Detected dependencies

dockerfile

src/oidc-guard/Dockerfile

mcr.microsoft.com/dotnet/sdk 7.0-alpine@sha256:e3b051cbad561cec1b1ce3586aaf1279aeda72c2416f41c909d293cddf21c011

mcr.microsoft.com/dotnet/runtime-deps 7.0-alpine@sha256:e86ce2bf9b77a93075dbe03bc5a3ba4eeae93bdfc5415a9354c22ed3504d46a8

github-actions

.github/workflows/cicd.yml

actions/checkout v3

actions/setup-dotnet v3

docker/setup-buildx-action v2

codecov/codecov-action v3

actions/checkout v3

cycjimmy/semantic-release-action v3

docker/setup-buildx-action v2

azure/setup-helm v3

helm/chart-releaser-action v1

nuget

benchmarks/oidc-guard-benchmarks/oidc-guard-benchmarks.csproj

BenchmarkDotNet 0.13.7

global.json

dotnet-sdk 7.0.400

src/oidc-guard/oidc-guard.csproj

System.Private.Uri 4.3.2

prometheus-net.AspNetCore 8.0.1

Microsoft.IdentityModel.Protocols.OpenIdConnect 6.32.2

Microsoft.AspNetCore.Authentication.OpenIdConnect 7.0.10

Microsoft.AspNetCore.Authentication.JwtBearer 7.0.10

JsonPath.Net 0.6.4

tests/oidc-guard-tests/oidc-guard-tests.csproj

Microsoft.AspNetCore.TestHost 7.0.10

xunit.runner.visualstudio 2.5.0

xunit 2.5.0

Moq 4.20.69

Microsoft.NET.Test.Sdk 17.7.2

Microsoft.AspNetCore.Mvc.Testing 7.0.10

FluentAssertions 6.12.0

coverlet.collector 6.0.0

Check this box to trigger a request for Renovate to run again on this repository

oidc-guard fails to start on Apple Silicon M1

Hello, I wanted to test OIDC-Guard locally on my docker-desktop cluster via helm.

I ran into the following error, emitted by the Pod logs:

rosetta error: failed to open elf at /lib64/ld-linux-x86-64.so.2

Any idea what is going on and how to mitigate this?

jwks_uri

Instead of using the auto discovery url OpenIdProviderConfigurationUrl , can we use jwks_uri directly? eg: jwks_uri=https://login.microsoftonline.com/common/discovery/v2.0/keys ?

This is followup to #27 where Google IAP only provides jwks URL https://www.gstatic.com/iap/verify/public_key-jwk

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

dockerfile

src/oidc-guard/Dockerfile

mcr.microsoft.com/dotnet/sdk 8.0-alpine@sha256:b27d134246ce9dab1ee4ec87254df381cec87caace66b6af764c0821a444c641

mcr.microsoft.com/dotnet/runtime-deps 8.0-alpine@sha256:47397ca36eaf0c2e417f6a1bc4ed9d9caf552d5fe9c88eadbcc06dc541e73dbd

github-actions

.github/workflows/cicd.yml

actions/checkout v4

actions/setup-dotnet v4

docker/setup-buildx-action v3

codecov/codecov-action v4

actions/checkout v4

cycjimmy/semantic-release-action v4

docker/setup-buildx-action v3

azure/setup-helm v4

helm/chart-releaser-action v1

nuget

benchmarks/oidc-guard-benchmarks/oidc-guard-benchmarks.csproj

BenchmarkDotNet 0.13.12

global.json

dotnet-sdk 8.0.302

src/oidc-guard/oidc-guard.csproj

System.Text.Json 8.0.3

OpenTelemetry.Instrumentation.Runtime 1.9.0

OpenTelemetry.Instrumentation.EventCounters 1.5.1-alpha.1

OpenTelemetry.Instrumentation.AspNetCore 1.9.0

OpenTelemetry.Extensions.Hosting 1.9.0

OpenTelemetry.Exporter.Prometheus.AspNetCore 1.7.0-rc.1

Microsoft.IdentityModel.Protocols.OpenIdConnect 7.6.2

Microsoft.AspNetCore.Authentication.OpenIdConnect 8.0.6

Microsoft.AspNetCore.Authentication.JwtBearer 8.0.6

JsonPath.Net 1.1.1

tests/oidc-guard-tests/oidc-guard-tests.csproj

Microsoft.AspNetCore.TestHost 8.0.6

xunit.runner.visualstudio 2.8.1

SharpCompress 0.37.2

xunit 2.8.1

Moq 4.20.70

Microsoft.Playwright 1.44.0

Microsoft.NET.Test.Sdk 17.10.0

Microsoft.AspNetCore.Mvc.Testing 8.0.6

FluentAssertions 6.12.0

KubernetesClient 14.0.2

IdentityModel.OidcClient 6.0.0

Ductus.FluentDocker 2.10.59

coverlet.collector 6.0.2

CliWrap 3.6.6

regex

src/oidc-guard/Dockerfile

alpine_3_19/ca-certificates-bundle 20240226-r0

alpine_3_19/busybox 1.36.1-r19

alpine_3_19/busybox-binsh 1.36.1-r19

alpine_3_19/libc-utils 0.7.2-r5

alpine_3_19/libcrypto3 3.1.5-r0

alpine_3_19/ssl_client 1.36.1-r19

alpine_3_19/libgcc 13.2.1_git20231014-r0

alpine_3_19/libssl3 3.1.5-r0

alpine_3_19/libstdc++ 13.2.1_git20231014-r0

alpine_3_19/zlib 1.3.1-r0

Check this box to trigger a request for Renovate to run again on this repository

Inject JSON claims as headers

Google IAP can embedded additional information in the jwt header. If I need to inject a header from the claim nested in gcip.sign_in_attributes.group from this example, how do I do it? Can we do flexible things using JMESPath to get what we want from the jwt?

custom jwt token header name

When the request comes in via the Google Identity Aware Proxy (IAP), the IAP adds the jwt token using the header name x-goog-iap-jwt-assertion. Does OIDC-Guard support reading the jwt token from a custom header instead of the default Authorization header?

ivanjosipovic / oidc-guard Goto Github PK

oidc-guard's Introduction

What is this?

Features

Documentation

oidc-guard's People

Contributors

Stargazers

Watchers

oidc-guard's Issues

Open

Detected dependencies

Detected dependencies

Recommend Projects

Recommend Topics

Recommend Org