...
- There is a working example of oauth2_proxy working with nginx ILB here: https://github.com/craig-willis/oauth2-k8s
- Oauth2 information (token, username, email, etc) are only available to configured oauth2_proxy upstreams.
- The upstream response codes are ignored (e.g., 401/403), so this cannot be used for authorization
- The upstream can set a cookie (i.e., token used by other applications)
- The upstream must have it's own path (i.e., something other than the already-taken start, sign_in, auth endpoints).
Other considerations/questions:
- Need to consider signup/approval process
- Namespaces can no longer be based on username (need unique ID and can use labels instead)
- Need to handle updated information from IDP (what if I change my email address?)
- Authorization must be namespace aware – can't let other users access my services
- Account record will change, for example: idp=globus, id=globusid, email=email, namespace=unique)
- Need to consider protected v unprotected routes (what needs auth/oauth, what doesn't)
Overview
| Gliffy Diagram | ||
|---|---|---|
|
...