Integrate your Charmed Operator with Identity and Access Proxy
Applications that do not conform to OAuth/OIDC standards or don’t offer built-in access control can be secured using the Identity and Access Proxy (IAP) solution, which offers a possibility to protect application endpoints by intercepting incoming requests and delegating the authn/authz process to the relevant components of the Identity Platform.
OAuth2 Proxy is the main entrypoint to plug the Identity and Access Proxy to your charmed operator. It can be achieved using the power of juju relations.
This guide will explain how to extend the Identity Platform with the Identity and Access Proxy solution and integrate it with your charm, allowing you to restrict access to your application to authenticated users only.
We are going to assume that:
- Your charmed application doesn’t support the OAuth 2.0/OIDC protocols, otherwise refer to this guide instead.
- Your charmed application supports integration with Charmed Traefik via
ingress-per-apporingress-per-unitinterface and provides Charmed OAuth2 Proxy with necessary data by supporting theauth_proxyinterface. - You have deployed the Identity Platform.
- You have deployed your charmed application on Kubernetes.
This deployment should be your starting point:
Model Controller Cloud/Region Version SLA Timestamp
iam my-controller microk8s/localhost 3.6.13 unsupported 16:37:26+01:00
SAAS Status Store URL
ingress active local admin/core.ingress
postgresql active local admin/core.postgresql
traefik-route active local admin/core.traefik-route
App Version Status Scale Charm Channel Rev Address Exposed Message
hydra v2.3.0 active 1 hydra latest/stable 395 10.152.183.127 no
kratos v1.3.1 active 1 kratos latest/stable 565 10.152.183.75 no
login-ui 0.24.2 active 1 identity-platform-login-ui-operator latest/stable 197 10.152.183.135 no
Unit Workload Agent Address Ports Message
hydra/0* active idle 10.1.57.184
kratos/0* active idle 10.1.57.183
login-ui/0* active idle 10.1.57.185
Offer Application Charm Rev Connected Endpoint Interface Role
kratos-info-offer kratos kratos 565 0/0 kratos-info kratos_info provider
oauth-offer hydra hydra 395 0/0 oauth oauth provider
In this guide we are going to assume you also deployed your charmed application in iam model.
In order to set up the proxy, you first need to expose forward-auth offer, enable the feature in Charmed Traefik
and integrate it with your charm via ingress relation:
juju config traefik-public enable_experimental_forward_auth=True -m core
juju offer traefik-public:experimental-forward-auth forward-auth -m core
juju integrate your-charm admin/core.ingress -m iam
The next step is to deploy Charmed OAuth2 Proxy and integrate it with Charmed Traefik with the exposed offer:
juju deploy oauth2-proxy-k8s --channel latest/stable --trust -m iam
juju integrate oauth2-proxy:forward-auth admin/core.forward-auth -m iam
You can follow the deployment status with watch -c juju status --color.
Then, integrate your charm with the proxy by running:
juju integrate oauth2-proxy-k8s your-charm:auth-proxy -m iam
Finally, integrate the proxy with Identity Platform’s OIDC provider - Charmed Hydra:
juju integrate oauth2-proxy-k8s:oauth hydra -m iam
When you access your application, Charmed Traefik will ask OAuth2 Proxy whether access to the endpoint is protected. If so, it will check if there is a valid session. In case it doesn’t find one, it will redirect to the Identity Platform login page. Upon successful authentication, you will be redirected back to your application.
See more: Charmhub | OAuth2 Proxy > Integrations