Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow the same OIDC configuration target multiple HTTPRoutes #3253

Open
zhaohuabing opened this issue Apr 23, 2024 · 3 comments
Open

Allow the same OIDC configuration target multiple HTTPRoutes #3253

zhaohuabing opened this issue Apr 23, 2024 · 3 comments
Assignees
@zhaohuabing
Labels
area/policy kind/enhancement New feature or request stale

Comments

@zhaohuabing
Copy link
Member

Initially raised by @sadovnikov in #2913. Spit it out since it's another issue.

The biggest inconvenience for us is the need to register in IDP additional allowed redirect URIs for every new service deployment, which can happen even from a fix/feature branch. And, of course, the cleaning up IDP upon removal of the temporary deployments.

Attaching OIDC security policies to Gateways (all HTTP Routes of the gateway) will lead to finding a way to detach them from HTTP Routes, which do not require oauth2 authentication. These are "welcome" pages with invitations to log in. Other examples are health and metrics probes, covered or not by JWT security policies.

I tried a workaround with a fallBack HTTP route on / and a fallback security policy with the identical configuration of the OIDC issuer. It failed with "too many redirects" because, I think, the two filters used different cookies and hmac secrets.

Gateway
  HTTPRoute /myapp
  FallBackRoute /. (using service without any endpoints)

  SecurityPolicy 
    target:  HTTPRoute
    OIDC:
      issuer ...
      redirectURL  https://www.example.com/oauth2/callback     # without /myapp in the path
	  
  SecurityPolicy (fallback)
    target:  FallBackRoute
    OIDC:
      issuer ...
      redirectURL  https://www.example.com/oauth2/callback     # without /myapp in the path

Should OIDC configuration be extracted into a separate resource? Then, security policies can reference both HTTP Route and the filter
@zhaohuabing zhaohuabing added triage kind/enhancement New feature or request area/policy and removed triage labels Apr 23, 2024
@zhaohuabing zhaohuabing self-assigned this Apr 23, 2024
@zhaohuabing zhaohuabing mentioned this issue Apr 23, 2024
Draft
@sadovnikov
Copy link

Gateway API is changing support multiple targetRefs. However, using selector on labels instead of targetRefs[] is more in Kubernetes style and would allow pre-configuring the security policy for HTTP Routes, which can be created later.

@zhaohuabing
Copy link
Member Author

Gateway API is changing support multiple targetRefs. However, using selector on labels instead of targetRefs[] is more in Kubernetes style and would allow pre-configuring the security policy for HTTP Routes, which can be created later.

I prefer to keep it aligned with gateway API, but let's discuss it in next week's meeting.

@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label May 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zhaohuabing zhaohuabing

Labels
area/policy kind/enhancement New feature or request stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zhaohuabing @sadovnikov