OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0, enabling single sign-on (SSO) across multiple applications. With an ASM security policy, you can authenticate users through Alibaba Cloud Identity as a Service (IDaaS) or any OIDC-compliant identity provider (IdP) -- without modifying your application code.
How it works
When OIDC SSO is enabled on an ASM ingress gateway, the following flow occurs:
A user sends a request to a protected path on the ingress gateway.
The gateway checks for a valid session cookie. If no valid cookie exists, the gateway redirects the user to the IdP login page.
After the user authenticates with the IdP, the IdP redirects the user back to the gateway's callback URL (/oauth2/callback) with an authorization code.
The gateway exchanges the authorization code for tokens, sets a session cookie, and forwards the user to the originally requested path.
Subsequent requests include the session cookie, so the gateway allows them through without repeating the authentication flow.
Paths that match a "bypass" rule skip this flow entirely and remain publicly accessible.
Prerequisites
Before you begin, make sure that you have:
An application deployed in the ASM instance. For more information, see Deploy applications in clusters associated with ASM instances
An ingress gateway with a known IP address. For more information, see Create an ingress gateway
Automatic sidecar injection enabled. For more information, see Configure a sidecar injection policy
An Istio gateway and a virtual service that expose the following paths through the ingress gateway. For setup instructions, see Step 1 through Step 3 in Use Istio resources to route traffic to different versions of a service
http://<ingress-gateway-ip>/productpage
http://<ingress-gateway-ip>/api/v1/products/1
http://<ingress-gateway-ip>/static/jquery.min.js
A configured IdP. For more information, see Step 1 and Step 2 in Integrate Alibaba Cloud IDaaS with ASM to implement single sign-on
After you configure the IdP, collect the following values for use in Step 3: Configure OIDC settings:
redirect uri: http://${IP address of the ingress gateway}/oauth2/callback
issuer: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_tbn25osdlmz6gtqfq3j2pz****/app_ml5tzapsl7zmfo53wb3nwk****/oidc
client id: app_ml5tzapsl7zmfo53wb3nwk****
client secret: CSCfHeZ1nyvfMWyKHtE8ZRdif7j89dv9CvmJLurtGC****
Create the OIDC SSO security policy
This procedure uses Alibaba Cloud IDaaS as the IdP. If you use a self-managed IdP such as Keycloak, see Integrate Keycloak with ASM to implement SSO.
Step 1: Open the ASMSecurityPolicy page
Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the target ASM instance.
In the left-side navigation pane, choose Mesh Security Center > ASMSecurityPolicy.
Step 2: Start the OIDC policy wizard
On the ASMSecurityPolicy page, click Create.
In the Create ASMSecurityPolicy dialog box, click OIDC Single Sign-On, and then click OK.
Step 3: Configure OIDC settings
In the OIDC Config step of the wizard, configure the following parameters, and then click Next.
| Parameter | Description |
|---|---|
| ASMSecurityPolicyName | A name for the policy. Example: test-oidc. |
| Redirect address | The method used to build the redirect URL. Select Use ingressgateway IP address, and then select http and your ingressgateway. Alternatively, select Customized Domain to use a custom domain name. |
| Callback Address | The redirect URI registered with the IdP (for example, http://<ingress-gateway-ip>/oauth2/callback). |
| OIDC Issuer URL | The OIDC issuer URL from the IdP. |
| Client ID | The client ID from the IdP. |
| Client Secret | The client secret from the IdP. |
| Cookie Secret | A Base64-encoded seed string used to sign session cookies. |
| Cookie Expire | How long the session cookie remains valid. Set to 0 so that the cookie does not expire. |
| Cookie refresh interval | How often the cookie is refreshed. Set to 0 to disable automatic refresh. |
| Scopes | The types of user information that can be obtained. The specified scopes must be supported by the IdP. For more information, see Integrate Alibaba Cloud IDaaS with ASM to implement single sign-on. |

Step 4: Define workload match rules
In the Workload and Match Rules step, click Add Workload Group.
In the New Workload Group dialog box, configure the following parameters:
| Parameter | Description |
|---|---|
| Workload Group Name | A name for the workload group. Example: test-policy. |
| Workload List | The ingress gateway selected in the previous step. This value is auto-populated and cannot be changed. To select a different ingress gateway, go back to the OIDC Config step and change the Redirect address setting. |
| Match Rule List | The match mode and path rules. Two modes are available: Auth If Matched (requests to matching paths require OIDC authentication) and Bypass Auth If Matched (requests to matching paths skip authentication). |

For this example, select Auth If Matched, select Custom Matching Rules for Matching Rules, and click Add Match Rule to create the following rules:
- Rule 1: Turn on the Path switch and set the value to /static/*.
- Rule 2: Turn on the Path switch and set the value to /api/*.
These rules require OIDC authentication for any request to a path starting with /static or /api.
Click OK, and then click Submit.
If you set Redirect address to Customized Domain in the OIDC Config step, add workloads manually: click Add Workload, select Gateway Scope, choose the target workload, and click the add icon to move it to the selected box.

In the Complete step, the message "ASMSecurityPolicy Creation successfully" confirms that the policy was created. Click YAML to review the generated resources, or click Complete to return to the ASMSecurityPolicy page.
Verify the configuration
Open a browser and visit the following URLs. Replace <ingress-gateway-ip> with the IP address of your ingress gateway.
http://<ingress-gateway-ip>/productpage
http://<ingress-gateway-ip>/api/v1/products/1
http://<ingress-gateway-ip>/static/jquery.min.js
Expected results:
- /productpage: The page loads without a login prompt, because this path does not match any authentication rule.
- /api/* and /static/*: The browser redirects to the IdP login page, because these paths match the Auth If Matched rules.
Update the OIDC SSO policy
After the initial setup, you can change which paths require authentication and which paths bypass it.
Modify match rules
On the ASMSecurityPolicy page, find the policy and click Edit in the Actions column.
In the OIDC Config step, click Next.
In the Workload and Match Rules step, find the workload group and click Edit in the Operator column.
Change Match Mode to Bypass Auth If Matched.
Click Add Match Rule and configure the following rules:
- Rule 1: Turn on the Path switch and set the value to /productpage.
- Rule 2: Turn on the Path switch and set the value to /static/*.
These rules allow unauthenticated access to paths starting with /productpage and /static. All other paths require authentication.
Click OK, and then click Submit.
Verify the updated configuration
Open an incognito browser window to avoid cached sessions, and visit the same URLs:
http://<ingress-gateway-ip>/productpage
http://<ingress-gateway-ip>/api/v1/products/1
http://<ingress-gateway-ip>/static/jquery.min.js
Expected results:
- /productpage and /static/*: The pages load without a login prompt.
- /api/*: The browser redirects to the IdP login page.
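The per-request decision described in How it works, applied to both match-rule configurations on this page (Auth If Matched on /static/* and /api/*, then Bypass Auth If Matched on /productpage and /static/*), as an added illustrative model; this is not ASM's own code. It assumes the session cookie is an HMAC-SHA256 over a subject and expiry keyed by the decoded Cookie Secret, and that an expiry of 0 means the cookie does not expire, mirroring the Cookie Expire = 0 setting.

```python
"""Illustrative model of a gateway's per-request OIDC decision (not ASM's own code)."""
import base64
import fnmatch
import hashlib
import hmac

AUTH_IF_MATCHED = "Auth If Matched"           # matching paths require authentication
BYPASS_IF_MATCHED = "Bypass Auth If Matched"  # matching paths skip authentication

# The two match-rule configurations used on this page.
INITIAL_RULES = (AUTH_IF_MATCHED, ["/static/*", "/api/*"])
UPDATED_RULES = (BYPASS_IF_MATCHED, ["/productpage", "/static/*"])

# Constructed Cookie Secret: a Base64-encoded seed string (not a real secret).
COOKIE_SECRET = base64.b64encode(b"constructed-seed-for-illustration-only").decode()


def path_matches(path, patterns):
    # "*" in a rule such as "/api/*" matches the remainder of the path, "/" included.
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def requires_auth(path, mode, patterns):
    matched = path_matches(path, patterns)
    return matched if mode == AUTH_IF_MATCHED else not matched


def make_session_cookie(secret_b64, subject, expires_at):
    # Assumed cookie layout: "<subject>|<expiry>|<hmac-sha256>", keyed by the decoded seed.
    key = base64.b64decode(secret_b64)
    payload = f"{subject}|{int(expires_at)}"
    return payload + "|" + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def cookie_valid(cookie, secret_b64, now):
    try:
        subject, exp, sig = cookie.split("|")
        exp = int(exp)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, f"{subject}|{exp}".encode(), hashlib.sha256).hexdigest()
    # A tampered subject or expiry breaks the signature; 0 means "never expires".
    return hmac.compare_digest(sig, expected) and (exp == 0 or exp > now)


def decide(path, cookie, mode, patterns, secret_b64, now):
    """Return "allow" for public paths or valid sessions, else "redirect" to the IdP."""
    if not requires_auth(path, mode, patterns):
        return "allow"
    return "allow" if cookie_valid(cookie, secret_b64, now) else "redirect"
```

Running `decide` over the three URLs with each rule set reproduces the expected results listed in both verification sections.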
References
For OIDC application settings such as API operations, secret rotation, grant types, and IDaaS configurations, see General Config, Configure SSO, OIDC SSO Configuration, and Rules for OIDC id_token Extended Fields.
To enable global logout so that signing out of one application terminates the IDaaS session across all applications, see SLO.