Build an external filter that accepts the `Authorization` header from the previous filter in the chain and uses it to query the User Info endpoint. It does this by performing generic OIDC discovery for the endpoints, selecting the User Info endpoint and reapplying the `Authorization` header to the new request. The User Info is then returned as a Go string-keyed map (`map[string]interface{}`), which can be queried to generate response headers to send upstream.

This filter assumes you are either passing a valid `Authorization` header in the request, or you have a downstream filter that obtains the `Authorization` header for you.
- Clone the repo: `git clone https://github.com/cakuros/ambassador-external-filter-userinfo`.
- Run `docker build -t {{DOCKERHUB_REPO}}/{{IMAGE_NAME}}:{{VERSION}} .` (don't forget the `.` at the end).
- Push to the repo with `docker push {{DOCKERHUB_REPO}}/{{IMAGE_NAME}}:{{VERSION}}`.
- Modify the environment variable `OIDC_SERVER` in `k8s/deploy.yaml` to point to the OIDC discovery endpoint. In the case of Azure AD this is `https://login.microsoftonline.com/common/v2.0`; the filter automatically appends `/.well-known/openid-configuration` for discovery.
- Modify `k8s/deploy.yaml` to point to the image hosted on Docker Hub (`caseykurosawa/external-filter-userinfo:1.5`, for example).
- Apply the deploy YAML and wait for it to spin up.
- Change your `FilterPolicy` to include the new filter:
```yaml
spec:
  rules:
    - filters:
        - name: filter1 # <-- OAuth filter that actually gets the Access Token
          arguments:
            scopes:
              - offline_access
        - name: external-filter-userinfo # <-- Custom Filter
      host: '*'
      path: /backend-debug/
```
- In `main.go`, the User Info map is located at the end of the `handler` function; it also includes a sample `x-userinfo-name` header that copies the value of `name` into a custom header.
- If you want to add more headers to send upstream, make sure you add them to the `Filter` under `spec.External.allowed_authorization_headers` so that they get passed along.
Starting point: https://github.com/datawire/ambassador-auth-service

Given `GET /oauth2/v3/userinfo -H "Host: {{HOSTNAME}}" -H "Authorization: Bearer {{JWT}}"`, return either 200 (success), 511 for authentication failure, or 502 for IdP request failure.
- The userinfo endpoint can be obtained by doing `GET /.well-known/openid-configuration` with `Host: server` and reading the key `userinfo_endpoint` from the JSON body.
- Pass the header `Authorization-URL` for the OIDC discovery endpoint; `/.well-known/openid-configuration` is appended to the end (e.g. `curl https://localhost:8080 -H "Authorization-URL: https://login.microsoftonline.com/common/v2.0"`).
- The `Authorization` header is received from the initial request and passed to the userinfo endpoint for validation.
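The flow described above (discover `userinfo_endpoint`, replay the caller's `Authorization` header against it, map the IdP's answer onto 200/511/502, copy the `name` claim into `x-userinfo-name`) as an added, runnable example. It is not the project's own `main.go`: the function names `discoverUserinfoEndpoint`, `fetchUserInfo`, `userinfoHandler` and `runFilter` are this example's, the discovery URL is taken from a fixed `issuer` parameter (no trailing slash) rather than from `OIDC_SERVER` or the `Authorization-URL` header, and `newFakeIdP`, the token `good-token` and the claims it serves are constructed stand-ins for a real provider.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// discoverUserinfoEndpoint runs OIDC discovery on the issuer and returns userinfo_endpoint.
func discoverUserinfoEndpoint(client *http.Client, issuer string) (string, error) {
	resp, err := client.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var cfg struct {
		UserinfoEndpoint string `json:"userinfo_endpoint"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil || cfg.UserinfoEndpoint == "" {
		return "", fmt.Errorf("unusable discovery document (HTTP %d): %v", resp.StatusCode, err)
	}
	return cfg.UserinfoEndpoint, nil
}

// fetchUserInfo replays the caller's Authorization header against the userinfo endpoint;
// on 200 it returns the claims as a string-keyed map, otherwise the IdP's status code.
func fetchUserInfo(client *http.Client, endpoint, authorization string) (map[string]interface{}, int, error) {
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return nil, 0, err
	}
	req.Header.Set("Authorization", authorization)
	resp, err := client.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, resp.StatusCode, nil
	}
	var claims map[string]interface{}
	err = json.NewDecoder(resp.Body).Decode(&claims)
	return claims, resp.StatusCode, err
}

// userinfoHandler is the filter entry point: 200 (+ x-userinfo-name), 511 or 502 as in the README.
func userinfoHandler(client *http.Client, issuer string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		endpoint, err := discoverUserinfoEndpoint(client, issuer)
		if err != nil {
			w.WriteHeader(http.StatusBadGateway) // 502: discovery against the IdP failed
			return
		}
		claims, status, err := fetchUserInfo(client, endpoint, r.Header.Get("Authorization"))
		switch {
		case err != nil:
			w.WriteHeader(http.StatusBadGateway) // 502: IdP unreachable or malformed JSON
		case status == http.StatusUnauthorized || status == http.StatusForbidden:
			w.WriteHeader(http.StatusNetworkAuthenticationRequired) // 511: IdP rejected the token
		case status != http.StatusOK:
			w.WriteHeader(http.StatusBadGateway) // 502: unexpected IdP answer
		default:
			if name, ok := claims["name"].(string); ok { // forward only a well-typed claim
				w.Header().Set("x-userinfo-name", name)
			}
			w.WriteHeader(http.StatusOK)
		}
	}
}

// newFakeIdP is a constructed stand-in provider: discovery points at its own /userinfo,
// which accepts exactly one bearer token and returns a fixed set of claims.
func newFakeIdP(validToken string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/.well-known/openid-configuration":
			json.NewEncoder(w).Encode(map[string]string{"userinfo_endpoint": srv.URL + "/userinfo"})
		case r.Header.Get("Authorization") != "Bearer "+validToken:
			w.WriteHeader(http.StatusUnauthorized)
		default:
			json.NewEncoder(w).Encode(map[string]interface{}{"sub": "1234", "name": "Example User"})
		}
	}))
	return srv
}

// runFilter drives the handler once and returns the status and x-userinfo-name it produced.
func runFilter(issuer, authorization string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/backend-debug/", nil)
	req.Header.Set("Authorization", authorization)
	userinfoHandler(http.DefaultClient, issuer)(rec, req)
	return rec.Code, rec.Header().Get("x-userinfo-name")
}

func main() {
	idp := newFakeIdP("good-token") // constructed token, not a real credential
	defer idp.Close()
	for _, auth := range []string{"Bearer good-token", "Bearer bad-token"} {
		status, name := runFilter(idp.URL, auth)
		fmt.Printf("%s -> %d x-userinfo-name=%q\n", auth, status, name)
	}
}
```

Two points worth noting in the handler: the claim is type-asserted before it becomes a header, so a non-string `name` from the IdP is dropped rather than forwarded, and an IdP 401/403 is distinguished from transport or parse failures so the client sees 511 only when its token was actually rejected. Whatever headers the handler sets still have to be listed under `spec.External.allowed_authorization_headers` on the `Filter`, or Ambassador will not pass them upstream.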