Using OAuth2 Proxy

OAuth2 Proxy as a side-car

sequenceDiagram
    participant User as User Browser
    participant Keycloak as Keycloak
    participant Proxy as Oauth2-Proxy
    participant App as App

    Note over Proxy,App: Both in the same Kubernetes Pod

    Note over User,App: User tries to access protected resource

    User->>+Proxy: Request to access App
    Proxy->>+Keycloak: Redirect to Keycloak (Auth Request)
    Keycloak-->>-User: Keycloak Login Page

    Note over User,Keycloak: User submits credentials

    User->>+Keycloak: Authentication Information
    Keycloak->>-Proxy: Auth Response (Token)
    Proxy->>Proxy: Validates Token and Creates Session
    Proxy->>+App: Forwards Request with Session Info
    App-->>-Proxy: Serves Requested Resource
    Proxy-->>-User: Displays Resource to User

    Note over User,App: Subsequent Requests with Session Cookie

    User->>+Proxy: Request with Session Cookie
    Proxy->>+App: Forwards Request (Session Validated)
    App-->>-Proxy: Serves Requested Resource
    Proxy-->>-User: Displays Resource to User

    Note over Proxy,Keycloak: Session Expiry/Token Refresh Handled by Proxy

Explanation of the Flow

  1. Initial Access Attempt: The user tries to access a protected resource in the application (App). Since the user is not yet authenticated, the request is intercepted by the oauth2-proxy.
  2. Authentication with Keycloak: The oauth2-proxy redirects the user to Keycloak for authentication. The user sees the Keycloak login page and submits their credentials.
  3. Token Issuance: Upon successful authentication, Keycloak issues an authentication response, typically including an ID token and possibly an access token, back to the oauth2-proxy.
  4. Session Creation: The oauth2-proxy validates the tokens from Keycloak and establishes a session for the user. This session indicates that the user is authenticated.
  5. Request Forwarding to the App: Now that the user is authenticated, the oauth2-proxy forwards the initial request to the App. The App serves the requested resource, which is sent back to the user through the oauth2-proxy.
  6. Subsequent Requests: For subsequent requests, the user's browser includes the session cookie with the request. The oauth2-proxy recognizes the session cookie, validates the session, and forwards the request to the App without requiring the user to authenticate again. The App responds with the requested resource, and the oauth2-proxy relays this back to the user.
  7. Session Management: The oauth2-proxy manages the session, including any necessary interactions with Keycloak to refresh tokens if they expire. This management ensures that the user can continue to access protected resources without needing to re-authenticate frequently.
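The side-car pattern above, as an added example that is not part of the original page: a Deployment that runs oauth2-proxy next to the application container, and a Service that exposes only the proxy port. The hostnames, realm, Keycloak client name, image tags, the application's `LISTEN_ADDR` setting and the Secret contents are assumptions; the oauth2-proxy flags and environment variable names are the project's documented ones.

```yaml
# Added example: oauth2-proxy as a side-car in the same Pod as the app.
# Hostnames, realm, client id, image tags and LISTEN_ADDR are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy-secrets            # assumed name
type: Opaque
stringData:
  client-id: my-app                     # assumed Keycloak client id
  client-secret: REPLACE_ME             # placeholder; take it from Keycloak
  # cookie-secret must be 16, 24 or 32 random bytes, e.g. generated with:
  # python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
  cookie-secret: REPLACE_ME             # placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels: {app: my-app}
  template:
    metadata:
      labels: {app: my-app}
    spec:
      containers:
        # 1. The application. It listens on 8080, which the Service below does
        #    not expose, so external traffic has to pass through the proxy.
        - name: app
          image: example.com/my-app:1.0               # assumed image
          ports:
            - containerPort: 8080
          # Both containers share the Pod's network namespace, so the proxy can
          # reach the app on loopback while other Pods cannot dial <pod-ip>:8080.
          env:
            - name: LISTEN_ADDR                        # assumed app-specific setting
              value: "127.0.0.1:8080"
        # 2. oauth2-proxy, the only container reachable through the Service.
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0   # assumed tag
          args:
            - --provider=keycloak-oidc
            - --oidc-issuer-url=https://keycloak.example.com/realms/myrealm  # assumed
            - --redirect-url=https://app.example.com/oauth2/callback         # assumed
            - --email-domain=*
            - --http-address=0.0.0.0:4180
            - --upstream=http://127.0.0.1:8080        # the app container
            - --cookie-secure=true                    # cookie only over HTTPS
            - --cookie-refresh=1h                     # refresh tokens via Keycloak
            - --cookie-expire=8h                      # hard session lifetime
            - --pass-user-headers=true                # X-Forwarded-User/-Email to the app
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom: {secretKeyRef: {name: oauth2-proxy-secrets, key: client-id}}
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom: {secretKeyRef: {name: oauth2-proxy-secrets, key: client-secret}}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom: {secretKeyRef: {name: oauth2-proxy-secrets, key: cookie-secret}}
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: my-app
spec:
  selector: {app: my-app}
  ports:
    - name: http
      port: 80
      targetPort: 4180      # only the proxy port; 8080 is deliberately absent
```

The point of the Service definition is that the cluster never learns about port 8080. If the application cannot bind to loopback, a NetworkPolicy that only admits traffic to the Pod on port 4180 closes the remaining path by which another Pod could reach the app directly and bypass the proxy. The application should treat the `X-Forwarded-User` and `X-Forwarded-Email` headers as trustworthy only because the side-car is the sole way in.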

Note

This sequence diagram and the accompanying explanation describe the request flow and authentication process between oauth2-proxy and Keycloak in a Kubernetes deployment where oauth2-proxy and the application container (App) run in the same pod. Together they give an overview of how authentication and authorization are handled in this architecture.

OAuth2 Proxy standalone with Nginx ingress support

sequenceDiagram
    participant User as User Browser
    participant Keycloak as Keycloak
    participant Proxy as Oauth2-Proxy
    participant Ingress as Ingress (Nginx)
    participant App as App

    Note over User,App: User tries to access protected resource

    User->>+Ingress: Request to access App
    Ingress->>+Proxy: Redirect to Oauth2-Proxy for Auth
    Proxy->>+Keycloak: Redirect to Keycloak (Auth Request)
    Keycloak-->>-User: Keycloak Login Page

    Note over User,Keycloak: User submits credentials

    User->>+Keycloak: Authentication Information
    Keycloak->>-Proxy: Auth Response (Token)
    Proxy->>Proxy: Validates Token and Creates Session
    Proxy-->>-Ingress: Authentication Successful
    Ingress->>+App: Forwards Request to App
    App-->>-Ingress: Serves Requested Resource
    Ingress-->>-User: Displays Resource to User

    Note over User,App: Subsequent Requests with Session Cookie

    User->>+Ingress: Request with Session Cookie
    Ingress->>Proxy: Session Validation Check
    Proxy->>Ingress: Session Valid
    Ingress->>+App: Forwards Request
    App-->>-Ingress: Serves Requested Resource
    Ingress-->>-User: Displays Resource to User

    Note over Proxy,Keycloak: Session Expiry/Token Refresh Handled by Proxy

Explanation of the Flow

  1. Initial Request: The user's initial attempt to access the application goes through the Ingress controller, which routes the request to the oauth2-proxy for authentication.
  2. Redirect to Keycloak: oauth2-proxy then redirects the user to Keycloak for authentication. The user interacts directly with Keycloak to log in.
  3. Token Issuance and Validation: After successful authentication, Keycloak issues a token back to the oauth2-proxy, which validates the token and establishes a session for the user, signaling a successful authentication.
  4. Access Granted through Ingress: The oauth2-proxy informs the Ingress controller of the successful authentication, prompting the Ingress to route the request to the application.
  5. Serving the Requested Resource: The application processes the request and returns the response through the Ingress controller and oauth2-proxy to the user.
  6. Handling Subsequent Requests: For subsequent requests, the session cookie is presented to the Ingress, which consults the oauth2-proxy for session validation. Upon confirmation, the request is passed through to the application for processing.
  7. Session Management: The oauth2-proxy takes charge of managing the user's session, including interacting with Keycloak as necessary for token refreshes, ensuring uninterrupted access for the user.
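The standalone pattern above, as an added example that is not part of the original page: the two Ingress objects that implement external authentication with the NGINX ingress controller, where NGINX asks oauth2-proxy about every request before forwarding it to the app. Hostnames, namespaces, Service names, the TLS secret and the oauth2-proxy flags listed in the header comment are assumptions about how the proxy Deployment is started; the annotations and the `/oauth2/auth` and `/oauth2/start` endpoints are the ones oauth2-proxy documents for this setup.

```yaml
# Added example: nginx-ingress external auth backed by a standalone oauth2-proxy.
# oauth2-proxy is assumed to run as its own Deployment/Service named
# "oauth2-proxy" on port 4180 in the same namespace, started with at least:
#   --provider=keycloak-oidc
#   --oidc-issuer-url=https://keycloak.example.com/realms/myrealm   (assumed)
#   --reverse-proxy=true              # trust X-Forwarded-* set by the ingress
#   --set-xauthrequest=true           # answer /oauth2/auth with X-Auth-Request-* headers
#   --whitelist-domain=.example.com   # only redirect back to these hosts after login
#   --cookie-domain=.example.com
#   --cookie-secure=true
---
# 1. Route /oauth2/* on the protected host to oauth2-proxy. /oauth2/auth is what
#    NGINX calls on every request; /oauth2/start and /oauth2/callback drive the
#    login with Keycloak.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: default
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-example-com-tls       # assumed TLS secret
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
---
# 2. The application Ingress. NGINX sends a subrequest to auth-url first:
#    a 2xx answer (oauth2-proxy returns 202 for a valid session) lets the
#    request through; a 401 sends the browser to auth-signin, which starts the
#    Keycloak login and afterwards returns the user to the original URL (rd=).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Copy the identity oauth2-proxy asserts into the request the app receives.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 8080
```

Unlike the side-car layout, the application's Service here is reachable from inside the cluster without passing oauth2-proxy, because the authentication check lives in the ingress controller rather than in the Pod. The usual mitigation is a NetworkPolicy that admits traffic to the app only from the ingress controller's namespace, and an application that accepts `X-Auth-Request-*` headers only on that path; the `--whitelist-domain` flag in the header comment keeps the `rd=` return URL from pointing at hosts the proxy does not serve.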