
Authentication for applications in Platon PaaS

This document describes various approaches for authentication in Platon PaaS.

Possible approaches

The possible ways of doing authentication with your Platon PaaS app are:

  • Full application-side authentication. If you need or want to run multiple replicas of your service, pay special attention to how any required session state is shared, since that is what limits scaling.
  • Feide OpenID Connect authentication through an OAuth/OIDC proxy sidecar container.
  • Feide SAML authentication through Apache with mod_mellon. Useful for a single replica only.
  • The common authentication proxy in Platon PaaS together with a sidecar container.

The last approach is the one that will be documented here.

Common authentication proxy

As part of Platon PaaS we have a common auth proxy that currently supports Feide SAML authentication. It might support OpenID Connect as well at a later stage. The Feide SAML metadata will be available at:

https://login.paas2.uninett.no/{namespace}/metadata

where the namespace is the namespace of your application.

Deployment considerations

When deploying via GitLab CI with the kubernetes-deploy image, you will need to run an extra command, deploy-auth-proxy, as part of the deployment. This ensures that a namespace-specific session store is created for you, with the correct network policy rules and so on.

An example .gitlab-ci.yaml could look like this.

Example deployment

Example of a deployment using the Feide test IdP:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-with-auth
  namespace: my-project-namespace
  labels:
    app: my-app-with-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app-with-auth
  template:
    metadata:
      labels:
        app: my-app-with-auth
    spec:
      containers:
        # Service traffic lands on the sidecar (port 80), which authenticates the
        # request and then proxies it to the app on upstream_port inside the pod.
        - name: auth-sidecar
          image: registry.uninett.no/platon/paas2-auth-sidecar:v0.7
          env:
            - name: upstream_port
              value: "8080"
            - name: idp
              value: https://idp-test.feide.no   # Feide test IdP
          ports:
            - name: web
              containerPort: 80
        # The app listens on 8080 inside the pod; the Service does not target this port.
        - name: app
          image: dummy/my-example-app
          imagePullPolicy: Always
          ports:
            - name: app
              containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: my-project-namespace
spec:
  ports:
    - port: 80   # targetPort defaults to the same value, i.e. the sidecar's "web" port
  selector:
    app: my-app-with-auth

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: my-project-namespace
  annotations:
    kubernetes.io/tls-acme: "true"
spec:
  ingressClassName: nginx   # given once; the original listed this key twice, which is invalid YAML
  tls:
    - hosts:
        - my-app.paas2.uninett.no
      secretName: my-app.paas2.uninett.no-tls
  rules:
    - host: my-app.paas2.uninett.no
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
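The thing that goes wrong with the sidecar pattern is a Service whose target port is the app's own port rather than the sidecar's, so requests never pass authentication. The check below is an added example, not code from Platon PaaS; it assumes the container name auth-sidecar and the upstream_port convention from the example above, and works on the dict form of the objects as returned under "items" by `kubectl get deploy,svc -o json`.

```python
# Added example (not Platon PaaS code): checks that a sidecar-style Deployment
# and its Service are wired so every request passes the auth sidecar. Works on
# the dict form of the objects, i.e. the "items" of `kubectl get deploy,svc -o json`.
SIDECAR_NAME = "auth-sidecar"  # container name from the page's example


def _container_port(container, port_ref):
    """Return the containerPort matching a port name or number, else None."""
    for p in container.get("ports", []):
        if port_ref in (p.get("name"), p.get("containerPort")):
            return p["containerPort"]
    return None


def check_sidecar_fronts_app(deployment, service):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    containers = deployment["spec"]["template"]["spec"]["containers"]
    sidecar = next((c for c in containers if c["name"] == SIDECAR_NAME), None)
    if sidecar is None:
        return [f"no container named {SIDECAR_NAME!r} in the pod template"]
    others = [c for c in containers if c is not sidecar]
    # upstream_port is where the sidecar forwards authenticated traffic inside the pod
    env = {e["name"]: e.get("value") for e in sidecar.get("env", [])}
    upstream = int(env.get("upstream_port", 0))
    if not any(_container_port(c, upstream) is not None for c in others):
        findings.append(f"sidecar upstream_port {upstream} is not exposed by any app container")
    # Every Service port must land on the sidecar; hitting the app port directly skips auth
    for sp in service["spec"]["ports"]:
        target = sp.get("targetPort", sp["port"])  # targetPort defaults to port
        if _container_port(sidecar, target) is None:
            findings.append(f"service port {sp['port']} -> {target!r} is not a sidecar port")
        if any(_container_port(c, target) is not None for c in others):
            findings.append(f"service port {sp['port']} -> {target!r} reaches the app directly (auth bypass)")
    return findings


# Constructed sample mirroring the page's example: sidecar on 80, app on 8080
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "auth-sidecar",
     "env": [{"name": "upstream_port", "value": "8080"}],
     "ports": [{"name": "web", "containerPort": 80}]},
    {"name": "app", "ports": [{"name": "app", "containerPort": 8080}]},
]}}}}
SERVICE_OK = {"spec": {"ports": [{"port": 80}]}}                          # lands on the sidecar
SERVICE_BYPASS = {"spec": {"ports": [{"port": 80, "targetPort": 8080}]}}  # skips it

if __name__ == "__main__":
    print("ok:", check_sidecar_fronts_app(DEPLOYMENT, SERVICE_OK))
    print("bypass:", check_sidecar_fronts_app(DEPLOYMENT, SERVICE_BYPASS))
```

Run it against the live objects with `json.load` on the kubectl output and pass each Deployment together with the Service that selects it.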

Production usage

For the production use case, a couple of things will need to be adjusted.