How to authenticate against a service secured by Couper OIDC Gateway

[jagoe]

Hey there,

we have a service secured by the Couper OIDC Gateway and I'd like to connect to the service's API.
In order to reach the service, I apparently need to provide a cookie with a valid JWT. My problem is, I have no idea how to get that token. The people who set up the gateway aren't working at the company anymore ;) For that reason I'm kind of stumbling around blindly.

I am able to authenticate against the underlying ID provider (Google), but I have no idea how to use Google's ID token to get a valid JWT for Couper to accept.

I'd provide more info, but as the whole thing is kind of a blackbox to me, I wouldn't know where to start.

[malud]

Hi @jagoe,
if you have to access the api via public endpoint you could call the /_couper/oidc/callback endpoint which creates the JWT token and provides the value as Set-Cookie header (https://github.com/coupergateway/couper-oidc-gateway/blob/master/couper.hcl#L47).

If you are following the linked config you will see that all endpoints are protected with the jwt access_control AccessToken. Except the oidc callback which is referring to the oidc configuration. With a valid google token you should be able to get a signed AccessToken to access the other endpoints.

[jagoe]

Hey @malud, thanks for the reply!
I had already tried that (and tried it again now), but I always get a 403. Based on the link you referenced, request.context.oidc.id_token_claims.email seems to be invalid. When I sign in normally to the service, I don't see where the ID token gets provided, so I'm unsure how and where request.context.oidc.id_token_claims gets retrieved from.
What I do see is that /_couper/oidc/callback gets provided with a code (example below), so it seems to me like the code gets used internally to retrieve the ID token. If so, I'm not sure that's a process I can insert myself into.

"Normal" callback call: https://projectile.avenga.cloud/_couper/oidc/callback?state=%2Fprojectile%2Fstart&code=<code>&scope=openid&authuser=0&prompt=none - there's no auth header and the cookies only contain an entry for _couper_authvv.

[malud]

so I'm unsure how and where request.context.oidc.id_token_claims gets retrieved from

The .oidc referring to the access control defined for this particular endpoint. .id_token_claims is just an additional variable for this access control type (oidc) and provides the claims from your oidc token (google), see https://docs.couper.io/configuration/variables.

You should have the authorization code value from your initial request to Google (https://developers.google.com/identity/openid-connect/openid-connect#exchangecode).

The question basically is what you are trying to achieve with this front channel requests since this oidc flow relies on navigational requests. While accessing the api you may have the option that your service could access the BACKEND_ORIGIN directly (internal) from your k8s cluster?

[jagoe]

I was hoping to authenticate without having to implement the workflow manually and also to access the service API from a completely different network if possible. Being able to access it from my local machine would also be nice for development.
I also needed to get a clearer picture of what I require of the service admins in order to be able to authenticate since I didn't have a clear picture of what is possible/needed.

But I think you helped me understand a bit better what I need to do. I'll try to do the code challenge "manually" for now once admin configures a redirect URI I can use and provides me with a client secret. I'll report my findings once I've made it work or have run into a wall.

[malud]

The workflow is implemented for navigation requests.

For additional information you could also have a look at:
https://github.com/coupergateway/couper-examples/tree/master/oidc
https://github.com/coupergateway/couper-examples/tree/master/jwt-access-control