github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-08 09:27:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
95 Commits 2 Branches 0 Tags
ae2ca7ae9aa3909dc7bce8db7c7334574b77abad
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Morten Lied Johansen ae2ca7ae9a Add versions in use panel to dashboard
2021-09-29 22:02:28 +02:00
.github/workflows
ci: byttet til SRVNAIS_REPO_PUSH_PAT
2021-09-08 14:18:54 +02:00
.nais
whoops, i meant 8090
2021-08-18 10:19:51 +02:00
cmd/wonderwall
Do graceful shutdown on signals
2021-09-28 21:29:33 +02:00
hack
Add versions in use panel to dashboard
2021-09-29 22:02:28 +02:00
pkg
Register the metrics we collect
2021-09-29 22:01:00 +02:00
.gitignore
Do graceful shutdown on signals
2021-09-28 21:29:33 +02:00
docker-compose.yml
make redis support configurable
2021-08-24 13:07:57 +02:00
Dockerfile
build: bump go to 1.17
2021-09-29 09:22:25 +02:00
go.mod
build: bump go to 1.17
2021-09-29 09:22:25 +02:00
go.sum
add http request metrics
2021-09-02 11:16:45 +02:00
Makefile
makefile for integration tests
2021-08-24 13:11:11 +02:00
README.md
docs: write an actual readme
2021-09-29 09:38:52 +02:00
version.sh
use ci
2021-08-17 13:57:06 +02:00

README.md

wonderwall

anyway here's wonderwall

wonderwall is an application that implements OpenID Connect in a way that makes it easy to plug into Kubernetes as a sidecar. As such, this is OIDC as a sidecar, or OaaS, or to explain the joke: Oasis - Wonderwall

About

Wonderwall currently implements a client that follows ID-porten's preferred setup:

  • OpenID Connect Authorization Code Flow with mandatory use of PKCE, state and nonce - aiming to be compliant with OAuth 2.1.
  • Validation of id_token in accordance with the OpenID Connect Core specifications.
  • Client authentication with the authorization server as per RFC 7523, Section 2.2.
  • Support for RP-initiated logout.
  • Support for front-channel logout.

Endpoints

Wonderwall exposes and owns these endpoints (which means they will never be proxied downstream):

  • /oauth2/login redirects the user to ID-porten to perform the OpenID Connect Authorization Code Flow.
  • /oauth2/callback handles callbacks from ID-porten as part of the OpenID Connect Authorization Code Flow.
  • /oauth2/logout triggers self-initiated/RP-initiated logout.
  • /oauth2/logout/frontchannel implements front-channel logout.

Functionality

Wonderwall functions as an optionally intercepting reverse proxy that proxies requests to a downstream host.

By default, it does not actually intercept any requests other than to remove the Authorization header if the user agent does not have a valid session with Wonderwall.

Usage

In order to initiate authenticated user sessions, the user must be redirected to the /oauth2/login endpoint, which performs the OIDC Auth Code flow. The user will then be redirected back to the downstream application, with the Authorization header containing a Bearer access token. As long as the user has an active session with Wonderwall, all further requests to the downstream application will have the Authorization header set.

Development

Requirements

  • Go 1.17

Configuration

Required

  • IDPORTEN_CLIENT_ID
    Client ID for the client at ID-porten.
  • IDPORTEN_CLIENT_JWK
    Private key belonging to the client in JWK format.
  • IDPORTEN_REDIRECT_URI
    Valid pre-registered redirect URI that ID-porten should redirect the user to as part of the authentication flow.
    For example: http://localhost:8090/oauth2/callback
  • IDPORTEN_WELL_KNOWN_URL
    Well-known OpenID Configuration endpoint for ID-porten: https://docs.digdir.no/oidc_func_wellknown.html.

Optional

Wonderwall can be configured using either command-line flags or equivalent environment variables (i.e. -, . -> _ and uppercase).

Build with make wonderwall and run ./bin/wonderwall --help to see the available flags.

Reference in New Issue View Git Blame Copy Permalink
Description
openid connect relying party as a sidecar/service
nav-authnz
Readme MIT 3.9 MiB
Languages
Go 97.7%
Smarty 1.5%
Nix 0.4%
CSS 0.3%
Dockerfile 0.1%