OIDC authentication using Entra ID

[fad3t]

Hi everyone,
I'm giving the Envoy Gateway a try and wanted to test the OIDC authentation using Entra ID.
I more or less followed the guide described here, however I'm unable to get to the web page - I'm getting a "The page isn't redirecting properly".
From what I see in my browser logs, going to / redirects me to Entra ID (so far so good), auth is happening and brings me back to the callback URL (https://example.com/oauth2/callback in my case). This call redirects me to /, which sends me again to Entra ID etc etc..
The web page is served by a basic NGINX container - this works well if I remove the security policy.
I suppose I'm missing a step or something, but cannot figure out what -- any hint would be welcome!

[fad3t]

Adding some manifests:

The security policy:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: web-oidc
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: web
  oidc:
    provider:
      issuer: "https://login.microsoftonline.com/<snip>/v2.0"
    clientID: "<snip>"
    clientSecret:
      name: "web-oidc-secret"
    redirectURL: "https://example.com/oauth2/callback"
    logoutPath: "/logout"

The HTTP route:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: web
spec:
  hostnames:
  - example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: envoy-gateway
    sectionName: websecure
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: web
      port: 8080
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /

And the gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    cert-manager.io/cluster-issuer: google-trust-services
  name: envoy-gateway
spec:
  gatewayClassName: eg
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: example.com
    name: websecure
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: web-tls
      mode: Terminate

[arkodg]

@fad3t can you also share the Envoy Gateway version you are using ? is it v1.1.3 or v1.2.1 ?
some users have encountered #4678 with v1.2.1 and reverting to v1.1.3 seems to have resolved their issue

[fad3t]

Oh right, I'm using 1.2.1. I'll give 1.1.3 a try and let you know.

[arkodg]

cc @zhaohuabing

[fad3t]

Same issue with 1.1.3 :(

[arkodg]

thanks for checking, @zhaohuabing should be able to help with pointers

[zhaohuabing]

Hi @fad3t I'm trying to reproduce this with Entra ID. You could also try the same configuration with the Google OIDC provider and see if it works.

[fad3t]

Apologies, I just gave it another try and somehow it is now working..
No idea what happened (maybe needed some time for the Entra ID application to become fully available..?).
Thx anyway for your time!

[zhaohuabing]

No worries at all! I’m glad to hear it’s now working for you. If you run into any other issues or have more questions, feel free to reach out.