README.md

File metadata and controls

81 lines (63 loc) · 4.35 KB

Kubernetes Authentication Service

This service provides an API for authentication via LDAP and OAuth2.

Installation Steps

cd /root/kubeauthentication
./run_kubeauth.sh
  1. It uses Helm to deploy the service. The charts are in the chart directory.
  2. An LDAP application should be running if you want to authenticate users using LDAP.
  3. In order to use Auth0, we need the following information:
    1. Client ID
    2. Client Secret
    3. Realm
    The link explains how to set up the application and use OAuth. For setting up Auth0, also look at Edward Viaene's tutorial on Learn DevOps: Advanced Kubernetes Usage; in that tutorial, go to the authentication and authorization video.
  4. application.yml should contain the OAuth2 details for authentication to work.
  5. Please refer to the link to understand authentication using OIDC.

Information about the service

  1. It provides the /kubectl REST API for authentication via the CLI. The API returns the id_token, which the CLI then presents to the Kubernetes API server. It uses Auth0 OpenID Connect for authentication.
alias kctl='kubectl --kubeconfig=/root/oauth.conf --token=$(python3 /root/kubernetes/install_k8s/kube-login/cli-auth.py)' 
  2. It provides the /check and /authenticate APIs, which are used by the ingress controller to authenticate users when they access a protected URL. It uses LDAP for authentication. The /check REST API sends 401 (Unauthorized) if the user is not authenticated and 200 (OK) if the user is authenticated. The /authenticate REST API presents a login page to the user. Upon successful authentication, it redirects the user to the target page, which the ingress controller sent to the login service as a request parameter.

The annotations that should be put on the Ingress resource to enable authentication via this service are:

nginx.ingress.kubernetes.io/auth-signin: https://master.cloud.com:32028/authenticate
nginx.ingress.kubernetes.io/auth-url: https://master.cloud.com:32028/check

  3. It provides the /oauth2/token API for authenticating users using Auth0 OpenID Connect. It returns an id_token and an access_token to the user.
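The /check and /authenticate contract described above, as an added example that is not the project's own code: /check answers 200 or 401 from a session cookie, and /authenticate logs the user in and redirects to the target page. It assumes ingress-nginx passes the original URL in the `rd` query parameter (its default name), replaces the LDAP bind with a constructed username/password table, and uses a constructed allowlist of protected hosts so that the redirect parameter cannot be abused as an open redirect.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlsplit, parse_qs

SESSIONS = {}                               # session id -> username (in-memory, for the example)
USERS = {"alice": "s3cret"}                 # constructed stand-in for the LDAP bind
PROTECTED_HOSTS = {"app.cloud.com"}         # constructed: hosts the ingress protects


def _session_user(headers: dict) -> Optional[str]:
    """Resolve the 'session' cookie to a username, or None."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["session"].value if "session" in cookie else None
    return SESSIONS.get(sid)


def check(headers: dict) -> tuple:
    """/check: 200 when the cookie maps to a live session, otherwise 401."""
    user = _session_user(headers)
    if user is None:
        return 401, {}
    return 200, {"X-Auth-User": user}


def safe_target(rd: Optional[str]) -> str:
    """Only follow relative targets or absolute http(s) URLs on a protected host."""
    if not rd:
        return "/"
    parts = urlsplit(rd)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "/"                          # e.g. javascript: URLs
    if parts.netloc and parts.hostname not in PROTECTED_HOSTS:
        return "/"                          # covers https://evil and //evil forms
    return rd


def authenticate(method: str, url: str, form: dict, headers: dict) -> tuple:
    """/authenticate: GET shows the login page; POST validates and redirects to rd."""
    rd = parse_qs(urlsplit(url).query).get("rd", [None])[0]
    if method == "GET":
        return 200, {"Content-Type": "text/html"}
    stored = USERS.get(form.get("username", ""))
    if stored is None or not hmac.compare_digest(stored, form.get("password", "")):
        return 401, {}
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = form["username"]
    return 302, {"Location": safe_target(rd),
                 "Set-Cookie": f"session={sid}; Secure; HttpOnly; SameSite=Lax"}
```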

Documents and Useful Links

OAuth 2 Grant Types

  1. Authorization Code Grant Type
  2. Client Credentials
  3. Password
  4. Device flow
  5. PKCE-Enhanced Authorization code
  6. Refreshing Access Token

Information about CORS and CSRF: Link