In this tutorial, we'll walk you through the process of securing the communication to your applications using an OIDC workflow with Gloo Mesh and Keycloak. Whether you're a developer or an IT professional, implementing this workflow will enhance your application's security and ensure only authorized users gain access.

First, we deploy Keycloak as our Identity Provider (IDP) in the cluster. Don't worry if you already have your IDP deployed elsewhere; this guide is adaptable to various IDPs that support OIDC workflows. We'll create two users, "userone@example.com" and "usertwo@solo.io," setting the stage for authorization rules later in the workshop.

Once Keycloak is up and running, we'll configure it to handle user authentication, allowing you to obtain a token from Keycloak as an admin. This token will enable us to automatically create the necessary resources, including the users.

Next, we'll delve into the OIDC workflow by creating an OAuth secret that corresponds with the Keycloak secret. With this in place, we'll implement an extauth policy in Gloo, a powerful tool that applies to routes based on labels. This policy will redirect incoming requests to Keycloak for user authentication. Keycloak will generate an ID token (JOT token), which we'll store in Redis. Instead of storing the token in the user's browser as a cookie, we'll create a more secure approach, using Redis to store the JOT token and a session cookie in the user's browser. This ensures smoother authentication and avoids cookie size limitations.

With the OIDC workflow in place, we'll move on to configuring the extauth server, a vital component in this setup. You can choose to have multiple extauth servers for different teams, but for this demonstration, we'll use a single extauth server for the cluster. This setup allows the extauth server to retrieve the JOT token from Redis on behalf of the user.

Enhancing the security further, we'll use the Open Policy Agent (OPA) Library embedded in the extauth server. With OPA's regal language, we'll define authorization rules based on user email claims. The rules state that if the email claim ends with "@solo.io," the user is authorized; otherwise, access is denied.

After creating the config map to store the authorization rules, we'll update the extauth policies with the new rule, comprising two steps: user authentication and user authorization.

As we wrap up the tutorial, you'll witness the final implementation in action. When trying to access the application, you'll be redirected to Keycloak for authentication. We'll demonstrate successful authentication with user one and user two, showcasing how the authorization rules come into play. If your email matches the authorized domain, access is granted; otherwise, a 403 Forbidden response is generated.

With this comprehensive guide, you'll have a better understanding of securing your application's communication using OIDC workflows with Gloo and Keycloak. Stay tuned for more exciting content and best practices to enhance your application's security and performance. Don't forget to subscribe and hit the notification bell to stay up-to-date with our latest tutorials!

свернуть