tl;dr

A poor mans version of beyondcorp, using traefik and openID Connect on kubernetes to create an Identity Aware Proxy.

history

As I was running more and more services on my kubernetes “cluster”, I got sick of logging in to all of them individually. So I set out to create a poor mans single sign on solution.
It uses traefik’s ForwardAuth option to authenticate and authorize every request received by traefik. If the auth server returns a 2xx response, traefik will proxy the request to the resource’s backend. Any other response is realyed to the requesting client.

It basically works like this:

  • user requests example.com
  • traefik first calls the auth server before proxying the request
  • auth server determines if user is logged in
    • if user is logged in, and allowed to access the resource returns a 200 response (with some optional headers)
    • if user is logged in, and not allowed to access the resource, it returns a 403
    • if user is not logged, user gets redirected to the sign in page (which in itself redirects to an openID connect endpoint) and after successful auth the request is retried
  • logging in to the beyondauth endpoint sets a domain wide cookie that is used to determine the users identity

rules

The BeyondAuth endpoint allows setting up rules to allow or deny access based on e-mail address, e-mail domain and source ip. You can also mark a resource as public which is very useful for resources that have their own auth scheme (like minio).

An example rules file:

defaultPolicy = "deny" #default policy is always deny

[groups.admin]
domains = [ "gnur.nl" ]

[groups.anyone]
domains = [ "gmail.com", "gnur.nl" ]

[groups.home]
subnets = [ "0.0.0.0/32" ]

[groups.superadmin]
users = [ "[email protected]" ]

[hosts."s3.example.com"]
public = true

[hosts."booksing.example.com"]
allowedGroups = [ "anyone" ]

[hosts."memgo.example.com"]
public = false
allowedGroups = [ "home", "admin" ]

[hosts."quice.example.com"]
public = false
allowedGroups = [ "superadmin" ]

technologies

  • openID Connect
  • go
  • kubernetes
  • traefik
  • JWT