Single Sign-On

You can enable authentication via OpenID Connect and OAuth2 using the OpenFaaS REST API. This functionality is part of the OpenFaaS Premium Subscription.

Try a walk-through with Okta

The easiest way to try Single Sign-On with OpenFaaS is to follow a complete walk-through. We have one for Okta here.

Deploy SSO using the helm chart (advanced)

You will need two DNS A records and to enable Ingress for your Kubernetes cluster. In the example below the sub-zone oauth.example.com is used, however you can use a top-level domain or your own sub-zone.

  • Gateway - http://gw.oauth.example.com
  • Auth - http://auth.oauth.example.com

Use arkade or helm and pass the following overrides, or edit your values.yaml file:

    export PROVIDER="" # Set this to "azure" if using Azure AD.
    export LICENSE="" # Obtain a trial from OpenFaaS Ltd, see above for instructions.
    export OAUTH_CLIENT_SECRET=""
    export OAUTH_CLIENT_ID=""
    export DOMAIN="oauth.example.com"
    arkade install openfaas \
      --set oauth2Plugin.enabled=true \
      --set oauth2Plugin.provider=$PROVIDER \
      --set oauth2Plugin.license=$LICENSE \
      --set oauth2Plugin.insecureTLS=false \
      --set oauth2Plugin.scopes="openid profile email" \
      --set oauth2Plugin.jwksURL=https://example.eu.auth0.com/.well-known/jwks.json \
      --set oauth2Plugin.tokenURL=https://example.eu.auth0.com/oauth/token \
      --set oauth2Plugin.audience=https://gw.$DOMAIN \
      --set oauth2Plugin.authorizeURL=https://example.eu.auth0.com/authorize \
      --set oauth2Plugin.welcomePageURL=https://gw.$DOMAIN \
      --set oauth2Plugin.cookieDomain=.$DOMAIN \
      --set oauth2Plugin.baseHost=https://auth.$DOMAIN \
      --set oauth2Plugin.clientSecret=$OAUTH_CLIENT_SECRET \
      --set oauth2Plugin.clientID=$OAUTH_CLIENT_ID

The authorizeURL, tokenURL and jwksURL above contain my personal tenant URL; remember to replace them with the values from your own Auth0 tenant or IDP.

For cookieDomain, set the shared parent domain of both of your sub-domains, i.e. .oauth.example.com, so that the cookie set by the auth service is also sent to the gateway.

You should also create an additional Ingress and TLS certificate as shown below.

You can use the openfaas-ingress arkade app, or create an Ingress record manually.

    arkade install openfaas-ingress \
      --domain gw.oauth.example \
      --oauth2-plugin-domain auth.oauth.example \
      --email webmaster@example.com

This is an example of a manual Ingress record created without using arkade.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: openfaas-auth
      namespace: openfaas
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        kubernetes.io/ingress.class: nginx
    spec:
      rules:
      - host: auth.oauth.example
        http:
          paths:
          - backend:
              serviceName: oauth2-plugin
              servicePort: 8080
            path: /
      tls:
      - hosts:
        - auth.oauth.example
        secretName: openfaas-auth

Gain access via the UI

The UI uses the authorization code grant flow.

Just visit the gateway at http://gw.oauth.example.com and you will be redirected to your IDP to log in.

Gain access via the CLI (interactive)

The CLI uses the implicit grant flow for interactive usage, such as your daily workflow from your own computer or workstation.

Run the following:

    faas-cli auth \
      --auth-url https://tenant0.eu.auth0.com/authorize \
      --audience http://gw.oauth.example.com \
      --client-id "${OAUTH_CLIENT_ID}"

You will receive a token on the command line, and it will also be saved to the OpenFaaS config file. faas-cli reads this token and passes it with any future command that requires authentication.

You can also export it with export TOKEN="" and pass it to any command: faas-cli list --token="${TOKEN}"

See also: faas-cli README

Gain access via the CLI for CI (non-interactive / machine-usage)

Non-interactive or machine usage is where you need to access the gateway but cannot use a web browser to authenticate. Here, you need to create a special application in your IDP. It will usually be called a “Machine Application” and has a client_id and client_secret, which are comparable to a username and password.

You will need to use the client credentials flow.

You will need this flow for any actions taken within a cron job, broker, CI/CD job or similar server-side access.

You can use faas-cli login:

    faas-cli login \
      --username ${OAUTH_CLIENT_ID} \
      --password ${OAUTH_CLIENT_SECRET}

Now run any command as usual such as faas-cli list or faas-cli deploy. The secrets will be fetched from ~/.openfaas/config.yml.

Note: some providers may also support obtaining a token for this flow, such as Auth0:

    faas-cli auth \
      --grant client_credentials \
      --auth-url https://tenant0.eu.auth0.com/oauth/token \
      --client-id "${OAUTH_CLIENT_ID}" \
      --client-secret "${OAUTH_CLIENT_SECRET}" \
      --audience http://gw.oauth.example.com

You will receive a token on the command-line which is also saved in ~/.openfaas/config.yml.

The faas-cli will read the token and pass it with future commands that require authentication. You can also export it with export TOKEN="" and pass it to any command: faas-cli list --token="${TOKEN}"
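The client credentials exchange above, and the claim checks a gateway must apply to the resulting token before trusting it, as an added example that is not part of the OpenFaaS project or this page. It uses only the Python standard library; the token URL and gateway audience are the placeholders from the helm overrides, the issuer value is assumed, and encode_test_token builds constructed tokens for local testing only. Signature verification against the jwksURL is required in addition and is not shown.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholders mirroring the page's helm overrides; not live endpoints.
TOKEN_URL = "https://example.eu.auth0.com/oauth/token"
GATEWAY_AUDIENCE = "https://gw.oauth.example.com"
EXPECTED_ISSUER = "https://example.eu.auth0.com/"  # assumed issuer for the example tenant

def fetch_client_credentials_token(client_id, client_secret, token_url=TOKEN_URL, audience=GATEWAY_AUDIENCE):
    """Client credentials grant: the same POST that faas-cli auth --grant client_credentials makes."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # must equal the gateway's oauth2Plugin.audience
    }).encode()
    req = urllib.request.Request(token_url, data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def _b64url_json(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def check_token_claims(token, audience=GATEWAY_AUDIENCE, issuer=EXPECTED_ISSUER, now=None, skew=60):
    """Claim checks applied after the signature has been verified against jwksURL.
    Returns (True, "ok") or (False, reason); a token for another audience is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    claims = _b64url_json(parts[1])
    now = time.time() if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
    if audience not in auds:
        return False, "audience mismatch"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if "exp" not in claims or now > claims["exp"] + skew:
        return False, "expired"
    return True, "ok"

def encode_test_token(claims):
    """Constructed JWT-shaped string with a placeholder signature, for local tests only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```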

See also: faas-cli README