[Oauth2-proxy] Configure Oauth2-proxy with Azure Cloud.

Posted on By nim No Comments on [Oauth2-proxy] Configure Oauth2-proxy with Azure Cloud.

Chúng ta đã cấu hình Oauth2-proxy with google, cognito – AWS.
Làm thể nào để configure Oauth2-proxy with Azure Cloud.
Bạn có thể biết là số lượng công ty sử dụng tài khoản Microsoft là không nhỏ.

https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#azure-auth-provider

1) Create app registrations in Azure

Bạn có thể tham khảo bài này để chúng ta cùng tạo 1 app registrations trong Azure.
https://nimtechnology.com/2023/12/18/rancher-login-rancher-by-azure-id-or-microsoft-account/

Mình có đọc document thì họ yêu cầu Group.Read.All trong Application permissions

Tiếp đến là mình cài oauth2-proxy thông qua helm:
https://artifacthub.io/packages/helm/oauth2-proxy/oauth2-proxy

Add repository:
helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
Install chart:
helm install my-oauth2-proxy oauth2-proxy/oauth2-proxy –version 6.23.1

Bên dưới là value file.

config:
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
  existingSecret: "oauth2-proxy"
extraEnv:
  - name: OAUTH2_PROXY_CLIENT_ID
    valueFrom:
      secretKeyRef:
        key: client-id
        name: oauth2-proxy
  - name: OAUTH2_PROXY_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        key: client-secret
        name: oauth2-proxy
  - name: OAUTH2_PROXY_COOKIE_SECRET
    valueFrom:
      secretKeyRef:
        key: cookie-secret
        name: oauth2-proxy
extraArgs:
  azure-tenant: "b1351590-3037-4637-ae38-25e9a5c37e00"
  oidc-issuer-url: "https://login.microsoftonline.com/b1351590-3037-4637-ae38-25e9a5c37e00/v2.0"
  provider: azure
  provider-display-name: "Azure SSO"
  cookie-secure: true
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
ingress:
  enabled: true
  hosts:
    - workflow-XXXX-staging.metadefender.com
  path: /oauth2
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - workflow-XXXX-staging.metadefender.com
      secretName: tls-oauth2-proxy-ingress

Giờ mình sẽ link 1 số config cần thiết.
extraArgs:
azure-tenant: sẽ là Directory (tenant) ID
oidc-issuer-url: sẽ là “https://login.microsoftonline.com/<azure-tenant ID>/v2.0″

Environments:
OAUTH2_PROXY_CLIENT_ID: sẽ là Application (client) ID

OAUTH2_PROXY_CLIENT_SECRET sẽ là value trong Certificates & secrets.

OAUTH2_PROXY_COOKIE_SECRET Bạn sẽ cần generate string này.

# -- server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64`

Thường thì bạn sẽ hay có arguments.
Có 1 số arguments có liên quan đến secret thì chúng ta sẽ dụng Environment.
https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#environment-variables

OAuth2 Proxy

More Related Articles

[oauth2-proxy] Your applications is protected by Oauthen2(Google, GitHub,…) Kubernetes & Container
[Oauth2-Proxy] Protect any of your websites on Kubernetes by Oauth2-Proxy Kubernetes & Container
[Oauth2-Proxy] Oauth2-Proxy encounters issue with Cognito Kubernetes & Container
[Keycloak/OAuth2] Install Keycloak by helm on Kubernetes Kubernetes & Container
[Istio/OAuth2-Proxy] Authenticate applications on Kubernetes: Okta(OIDC), Istio, and OAuth2-Proxy integration. Isito-EnvoyFilter

Leave a Reply

Your email address will not be published. Required fields are marked *