DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
The Latest "Software Integration: The Intersection of APIs, Microservices, and Cloud-Based Systems" Trend Report
Get the report
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Authenticate With OpenID Connect and Apache APISIX

Authenticate With OpenID Connect and Apache APISIX

We want to avoid being locked into one identity provider. Here, see a demo of how to use OpenID Connect using Google underneath and then switch to Azure.

Nicolas Fränkel user avatar by
Nicolas Fränkel
CORE ·
Mar. 08, 23 · Tutorial
Like (6)
Save
Tweet
Share
3.51K Views

Join the DZone community and get the full member experience.

Join For Free

Lots of companies are eager to provide their identity provider: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect using Google underneath and then switch to Azure.

OpenID Connect

The idea of an authorization open standard started with OAuth around 2006. Because of a security issue, OAuth 2.0 superseded the initial version. OAuth 2.0 became an IETF RFC in 2012:

The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf

- RFC 7469, The OAuth 2.0 Authorization Framework

OAuth focuses mostly on authorization; the authentication part is pretty light: it contains a section about Client Password authentication and one Other Authentication Methods.

The authorization server MAY support any suitable HTTP authentication
scheme matching its security requirements. When using other
authentication methods, the authorization server MUST define a
mapping between the client identifier (registration record) and
authentication scheme.

- 2.3.2. Other Authentication Methods

OpenID Connect uses OAuth 2.0 and adds the authentication part:

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and logout, when it makes sense for them.

- "What is OpenID Connect?"

Here are a couple of identity providers that are compatible with OpenID Connect:

  • GitHub
  • Google
  • Microsoft
  • Apple
  • Facebook
  • Twitter
  • Spotify

In the following, we will start with Google and switch to Azure to validate our setup.

Setting up OpenID Connect With Apache APISIX

Imagine we have a web app behind Apache APISIX that we want to secure with OpenID Connect. Here's the corresponding Docker Compose file:

YAML
 
version: "3"

services:
  apisix:
    image: apache/apisix:3.1.0-debian                              #1
    ports:
      - "9080:9080"
    volumes:
      - ./apisix/config.yml:/usr/local/apisix/conf/config.yaml:ro  #2
      - ./apisix/apisix.yml:/usr/local/apisix/conf/apisix.yaml:ro  #3
    env_file:
      - .env
  httpbin:
    image: kennethreitz/httpbin                                    #4


  1. Apache APISIX API Gateway
  2. APISIX configuration - used to configure it statically in the following line
  3. Configure the single route.
  4. Webapp to protect - any will do

Apache APISIX offers a plugin-based architecture. One such plugin is the openid-connect plugin, which allows using OpenID Connect.

Let's configure it:

YAML
 
routes:
  - uri: /*                                                                    #1
    upstream:
      nodes:
        "httpbin:80": 1                                                        #1
    plugins:
      openid-connect:
        client_id: ${{OIDC_CLIENTID}}                                          #2
        client_secret: ${{OIDC_SECRET}}                                        #2
        discovery: https://${{OIDC_ISSUER}}/.well-known/openid-configuration   #2-3
        redirect_uri: http://localhost:9080/callback                           #4
        scope: openid                                                          #5
        session:
          secret: ${{SESSION_SECRET}}                                          #6
#END


  1. Catch-all route to the underlying web app
  2. Plugin configuration parameters - Values depend on the exact provider (see below).
  3. OpenID Connect can use a Discovery endpoint to get all necessary OAuth endpoints. See OpenID Connect Discovery 1.0 spec for more information
  4. Where to redirect when the authentication is successful - It mustn't clash with any of the explicitly defined routes. The plugin creates a dedicated route there to work its magic.
  5. Default scope
  6. Key to encrypt session data - Put whatever you want.

Configuring Google for OIDC

Like all Cloud Providers, Google offers a full-fledged Identity Management solution, which may be daunting for newcomers. In this section, I'll only detail the necessary steps required to configure it for OIDC.

  • On the Cloud Console, create a dedicated project (or use an existing one).
  • If you didn't do it already, customize the OAuth Consent Screen.
  • In the project context, navigate APIs & Services/Credentials.

Google Cloud Console > APIs & Services

  • Then, press the + CREATE CREDENTIALS button in the upper menu bar.

  • Select OAuth Client Id in the scrolling menu.

Select OAuth Client Id in the scrolling menu

  • Fill in the fields:
    • Application type: Web application
    • Name: Whatever you want
    • Authorized redirect URIs: /callback, e.g., http://localhost:9080/callback

Create OAuth Client ID: Fill in the fields

URL should be the URL of the web application. Likewise, /callback should match the openid-connect plugin configuration above. Note that Google doesn't allow relative URLs, so if you need to reuse the application in different environments, you need to add the URL of each environment. Click the Create button.

OAuth Client Created

  • In the Docker Compose configuration above, use the Client ID and Client Secret as OIDC_CLIENTID and OIDC_SECRET. I wrote them down as environment variables in a .env file.
  • The last missing variable is OIDC_ISSUER: it's accounts.google.com. If you navigate to this page, you'll see all data required by OAuth 2.0 (and more).

At this point, we can start our setup with docker compose up. When we navigate to http://localhost:9080/, the browser redirects us to the Google authentication page. Since I'm already authenticated, I can choose my ID - and I need one bound to the organization of the project I created above.

Sign in with Google > Choose an account

Then, I can freely access the resource.

Configuring Azure for OIDC

My colleague Bobur has already described everything you need to do to configure Azure for OIDC.

We only need to change the OIDC parameters:

  • OIDC_CLIENTID
  • OIDC_SECRET
  • OIDC_ISSUER: On Azure, it should look something like login.microsoftonline.com//v2.0. 

If you restart Docker Compose with the new parameters, the root page is now protected by Azure login.

Conclusion

Externalizing your authentication process to a third party may be sensible, but you want to avoid binding your infrastructure to its proprietary process. OpenID Connect is an industry standard that allows switching providers easily.

Apache APISIX offers a plugin that integrates OIDC so that you can protect your applications with the latter. There's no reason not to use it, as all dedicated identity providers, such as Okta and Keycloak, are OIDC-compatible.

The complete source code for this post can be found on GitHub.

To Go Further:

  • OpenID Connect Discovery 1.0 specification
  • Apache APISIX OIDC plugin
  • Use Keycloak with API Gateway to secure APIs
  • How to Use Apache APISIX Auth With Okta
API OpenID authentication azure security

Published at DZone with permission of Nicolas Fränkel, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Strategies for Kubernetes Cluster Administrators: Understanding Pod Scheduling
  • When Should We Move to Microservices?
  • What Is API-First?
  • What “The Rings of Power” Taught Me About a Career in Tech

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: