Authenticate With OpenID Connect and Apache APISIX

We want to avoid being locked into one identity provider. Here, see a demo of how to use OpenID Connect using Google underneath and then switch to Azure.

By Nicolas Fränkel
Mar. 08, 23 · Tutorial

Lots of companies are eager to act as identity providers: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities (and the passwords that come with them) is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect with Google underneath and then switch to Azure by changing configuration only.

OpenID Connect

The idea of an open standard for delegated authorization started with OAuth around 2006. OAuth 1.0 was revised into 1.0a in 2009 to close a session-fixation hole in its callback handling, and was then replaced by a redesigned, non-backward-compatible OAuth 2.0, which became an IETF RFC in 2012:

The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf

- RFC 6749, The OAuth 2.0 Authorization Framework

OAuth 2.0 focuses on authorization: it says nothing about how the end-user proves who they are to the authorization server, and nothing about how the client could learn who they are. The only authentication it specifies is the client's own authentication to the authorization server (section 2.3), with one subsection about Client Password authentication and one about Other Authentication Methods:

The authorization server MAY support any suitable HTTP authentication
scheme matching its security requirements. When using other
authentication methods, the authorization server MUST define a
mapping between the client identifier (registration record) and
authentication scheme.

- 2.3.2. Other Authentication Methods

OpenID Connect builds on OAuth 2.0 and adds the missing authentication part, chiefly the ID token: a signed JWT issued alongside the access token that states who authenticated, at which provider, when, and for which client:

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and logout, when it makes sense for them.

- "What is OpenID Connect?"

Here are a couple of identity providers that are compatible with OpenID Connect, i.e., that publish a discovery document and issue ID tokens:

  • Google
  • Microsoft
  • Apple
  • Facebook

Beware that several popular "Log in with" buttons are plain OAuth 2.0 rather than OpenID Connect: GitHub, Twitter and Spotify, for example, hand out an access token for their own API but no signed ID token and no standard discovery document, so a generic OIDC client cannot authenticate users against them without a provider-specific adapter.

In the following, we will start with Google and switch to Azure to validate our setup.
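What "adds the authentication part" means in practice is the ID token, and what a relying party such as the APISIX plugin must do with it before trusting the login. The following Go program is an added example written for this post; it is not code from the article, from Google or Azure, or from the APISIX plugin. It plays both sides: the provider signs an RS256 ID token with a freshly generated key, and the relying party verifies the signature against the provider's published key (here held in a map keyed by kid, the shape a fetched JWKS ends up in), then checks issuer, audience, expiry and nonce. The key id, client id, issuer string and nonce values are constructed; a real client obtains the issuer and jwks_uri from the discovery document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID token claims checked here. "aud" is treated as a single
// string, which is what Google and Azure emit for a web client (the spec also allows an array).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// decode base64url-decodes one JWT part and unmarshals the JSON inside it.
func decode(part string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewSigningKey plays the provider: a fresh RSA key, plus its public half the way a
// relying party holds it after fetching the provider's JWKS, indexed by key id.
func NewSigningKey(kid string) (*rsa.PrivateKey, map[string]*rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return key, map[string]*rsa.PublicKey{kid: &key.PublicKey}, nil
}

// SignIDToken mints an RS256 ID token the way the provider's token endpoint does.
func SignIDToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signingInput))
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyIDToken is the relying-party side: check the signature with the provider's
// published key, then issuer, audience, expiry and the nonce of this login attempt.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	// Allow-list the algorithm: the verifier decides, never the token ("alg":"none" attacks).
	if err := decode(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header (alg=%q): %v", hdr.Alg, err)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no published key with kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := decode(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the configured provider", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token issued to another client (aud=%q)", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: token not minted for this login attempt")
	}
	return &c, nil
}
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and the issuer check is what makes the Google-to-Azure switch safe, since a token minted by the old provider is rejected as soon as the configured issuer changes.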

Setting up OpenID Connect With Apache APISIX

Imagine we have a web app behind Apache APISIX that we want to secure with OpenID Connect. Here's the corresponding Docker Compose file:

YAML
 
version: "3"

services:
  apisix:
    image: apache/apisix:3.1.0-debian                              #1
    ports:
      - "9080:9080"
    volumes:
      - ./apisix/config.yml:/usr/local/apisix/conf/config.yaml:ro  #2
      - ./apisix/apisix.yml:/usr/local/apisix/conf/apisix.yaml:ro  #3
    env_file:
      - .env
  httpbin:
    image: kennethreitz/httpbin                                    #4


  1. Apache APISIX API Gateway
  2. APISIX configuration - switches APISIX to stand-alone mode so that routes are read from the static file mounted on the following line instead of etcd
  3. Configure the single route.
  4. Webapp to protect - any will do

Apache APISIX offers a plugin-based architecture. One such plugin is the openid-connect plugin, which allows using OpenID Connect.

Let's configure it:

YAML
 
routes:
  - uri: /*                                                                    #1
    upstream:
      nodes:
        "httpbin:80": 1                                                        #1
    plugins:
      openid-connect:
        client_id: ${{OIDC_CLIENTID}}                                          #2
        client_secret: ${{OIDC_SECRET}}                                        #2
        discovery: https://${{OIDC_ISSUER}}/.well-known/openid-configuration   #2-3
        redirect_uri: http://localhost:9080/callback                           #4
        scope: openid                                                          #5
        session:
          secret: ${{SESSION_SECRET}}                                          #6
#END


  1. Catch-all route to the underlying web app
  2. Plugin configuration parameters - Values depend on the exact provider (see below). The client secret is a credential: inject it from the environment, as here, and never commit it.
  3. OpenID Connect can use a Discovery endpoint to get all necessary OAuth endpoints and the provider's signing keys. See the OpenID Connect Discovery 1.0 spec for more information; switching providers later is mostly a matter of pointing this URL at another issuer.
  4. Where the provider redirects the browser back when the authentication is successful - It mustn't clash with any of the explicitly defined routes: the plugin creates a dedicated route there to finish the flow (validate the callback, exchange the code, verify the ID token, set the session cookie). The http:// scheme is only acceptable on localhost; in any deployed environment this must be an https:// URL, because the authorization code transits it.
  5. Scopes to request - openid is the minimum that makes this an OpenID Connect (rather than plain OAuth) request; add profile and/or email if the upstream needs those claims.
  6. Key used to protect the session cookie - Use a long random value (e.g., the output of openssl rand -base64 32) and treat it like the client secret; anyone holding it can forge sessions.
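To make concrete what annotations 3, 4 and 6 describe, here is an added Go example of the front channel of the authorization code flow as a gateway must implement it. It is my illustration for this post, not code from the article or from APISIX's openid-connect plugin (which is written in Lua). It parses a discovery document and checks its issuer, builds the redirect to the authorization endpoint with a fresh state and nonce stored in the session, and validates the state when the browser comes back to /callback. The discovery document for accounts.example.com, the client id and the callback URLs are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// SampleDiscoveryDoc is a constructed, abbreviated stand-in for what a provider serves
// at https://<issuer>/.well-known/openid-configuration (example.com, not a real issuer).
const SampleDiscoveryDoc = `{"issuer":"https://accounts.example.com",
 "authorization_endpoint":"https://accounts.example.com/authorize",
 "token_endpoint":"https://accounts.example.com/token",
 "jwks_uri":"https://accounts.example.com/keys"}`

// Discovery is the subset of OpenID Provider metadata the gateway needs.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// ParseDiscovery decodes the metadata and enforces the Discovery 1.0 rule that the
// issuer inside the document equals the one it was fetched for, so a wrong OIDC_ISSUER
// (or a tampered document) fails at startup instead of silently trusting other endpoints.
func ParseDiscovery(expectedIssuer string, doc []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	if d.Issuer != expectedIssuer {
		return nil, fmt.Errorf("issuer mismatch: document says %q, expected %q", d.Issuer, expectedIssuer)
	}
	if d.AuthorizationEndpoint == "" || d.TokenEndpoint == "" || d.JwksURI == "" {
		return nil, errors.New("discovery document lacks a required endpoint")
	}
	return &d, nil
}

// LoginAttempt is what the gateway keeps in its encrypted session cookie between
// sending the browser to the provider and getting it back on /callback.
type LoginAttempt struct {
	State, Nonce, OriginalURL string
}

// randomToken returns 256 bits from crypto/rand, base64url-encoded.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a broken CSPRNG is not something to continue from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// BuildAuthorizationRequest returns the URL to send the browser to and the per-attempt
// values to remember. redirectURI must be exactly the value registered at the provider.
func BuildAuthorizationRequest(d *Discovery, clientID, redirectURI, scope, originalURL string) (string, *LoginAttempt, error) {
	u, err := url.Parse(d.AuthorizationEndpoint)
	if err != nil {
		return "", nil, err
	}
	attempt := &LoginAttempt{State: randomToken(), Nonce: randomToken(), OriginalURL: originalURL}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", attempt.State) // ties the callback to this browser session
	q.Set("nonce", attempt.Nonce) // echoed back inside the ID token; ties the token to this attempt
	u.RawQuery = q.Encode()
	return u.String(), attempt, nil
}

// HandleCallback validates the provider's redirect to /callback and returns the
// authorization code to exchange at the token endpoint. Rejecting a missing or
// unknown state stops login CSRF: an attacker cannot finish, in the victim's
// browser, a login they started with their own account.
func HandleCallback(callbackURL string, attempt *LoginAttempt) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("provider returned error %q", e)
	}
	if attempt == nil || subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(attempt.State)) != 1 {
		return "", errors.New("state mismatch: callback is not tied to a login started in this session")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}
```

The LoginAttempt is exactly the data that the plugin's session cookie has to carry across the round trip, which is why the session secret from annotation 6 is security-critical: if the state can be forged, the state check above is worthless. After HandleCallback succeeds, the gateway exchanges the code at the token endpoint and verifies the returned ID token's nonce against attempt.Nonce.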

Configuring Google for OIDC

Like all Cloud Providers, Google offers a full-fledged Identity Management solution, which may be daunting for newcomers. In this section, I'll only detail the necessary steps required to configure it for OIDC.

  • On the Cloud Console, create a dedicated project (or use an existing one).
  • If you didn't do it already, customize the OAuth Consent Screen.
  • In the project context, navigate to APIs & Services > Credentials.

Google Cloud Console > APIs & Services

  • Then, press the + CREATE CREDENTIALS button in the upper menu bar.

  • Select OAuth Client Id in the scrolling menu.

Select OAuth Client Id in the scrolling menu

  • Fill in the fields:
    • Application type: Web application
    • Name: Whatever you want
    • Authorized redirect URIs: the gateway's public URL followed by /callback, e.g., http://localhost:9080/callback

Create OAuth Client ID: Fill in the fields

The host part is the URL of the gateway as the browser sees it (APISIX handles the callback, not the upstream web app), and the /callback path must match the redirect_uri of the openid-connect plugin configuration above. Google matches registered redirect URIs exactly (scheme, host, port and path) and allows neither relative URLs nor wildcards, so if you need to reuse the application in different environments, you need to add the URL of each environment. Click the Create button.

OAuth Client Created

  • In the Docker Compose configuration above, use the Client ID and Client Secret as OIDC_CLIENTID and OIDC_SECRET. I wrote them down as environment variables in a .env file; keep that file out of version control, as the client secret is a credential.
  • The last missing variable is OIDC_ISSUER: it's accounts.google.com, which makes the plugin's discovery URL https://accounts.google.com/.well-known/openid-configuration. If you open that document, you'll see all endpoints required by OAuth 2.0 and OpenID Connect, including the jwks_uri where Google publishes the keys that ID tokens are verified against (and more).

At this point, we can start our setup with docker compose up. When we navigate to http://localhost:9080/, the browser redirects us to the Google authentication page. Since I'm already authenticated, I can choose my ID - and I need one bound to the organization of the project I created above.

Sign in with Google > Choose an account

Then, I can freely access the resource.

Configuring Azure for OIDC

My colleague Bobur has already described everything you need to do to configure Azure for OIDC.

We only need to change the OIDC parameters:

  • OIDC_CLIENTID
  • OIDC_SECRET
  • OIDC_ISSUER: On Azure, it should look something like login.microsoftonline.com//v2.0, with the tenant ID of your directory between the slashes.

If you restart Docker Compose with the new parameters, the root page is now protected by Azure login.

Conclusion

Externalizing your authentication process to a third party may be sensible, but you want to avoid binding your infrastructure to its proprietary process. OpenID Connect is an industry standard that allows switching providers easily.

Apache APISIX offers a plugin that integrates OIDC so that you can protect your applications with it. There's no reason not to use it, as all dedicated identity providers, such as Okta and Keycloak, are OIDC-compatible.

The complete source code for this post can be found on GitHub.

To Go Further:

  • OpenID Connect Discovery 1.0 specification
  • Apache APISIX OIDC plugin
  • Use Keycloak with API Gateway to secure APIs
  • How to Use Apache APISIX Auth With Okta

Published at DZone with permission of Nicolas Fränkel, DZone MVB. See the original article here.
