
Log in users

This guide shows you how to log in users to your application with the login proxy.

Prerequisites

  • Your application is exposed to the appropriate audience.
  • You have a client ID and either a client secret or private key for a client registered at an OpenID Connect identity provider.

Configure the secret

Create a secret for your team with the following naming format:

login-config-<application-name>

and add the following keys:

WONDERWALL_OPENID_CLIENT_ID

The client ID for your application.

WONDERWALL_OPENID_WELL_KNOWN_URL

Optional. Only required if your organization doesn't set a default value.

The well-known URL for the OpenID Connect provider, e.g. https://<provider>/.well-known/openid-configuration. The login proxy reads the issuer, authorization, token and JWKS endpoints from this discovery document.

and exactly one of the following (never both):

WONDERWALL_OPENID_CLIENT_JWK

This is a private key in JWK format, e.g. {"kty":"RSA","e":"AQAB","kid":"my-key-id",...}.

WONDERWALL_OPENID_CLIENT_SECRET

The client secret for your application.

Optionally, add additional environment variables to the secret to configure the login proxy further. See the Wonderwall configuration reference for all available options.

Configure your application

Enable the proxy in your application configuration:

app.yaml
spec:
  login:
    provider: openid

To enforce authentication for all requests, add the following configuration:

app.yaml
spec:
  login:
    provider: openid
    enforce:
      enabled: true

See the NAIS application reference for the complete specifications with all possible options.

Now that your application is configured, you should handle inbound requests in your application code.

Handle inbound requests

As long as the user is authenticated, the Authorization header includes their access_token as a Bearer token.

Your application is responsible for verifying that this token is present and valid. To do so, follow these steps:

Handle missing or empty Authorization header

If the Authorization header is missing or empty, the user is unauthenticated.

Return an appropriate HTTP status code to the frontend (for example 401 Unauthorized), and redirect the user agent to the login endpoint:

https://<ingress>/oauth2/login

Validate token in Authorization header

If the Authorization header is present, validate the Bearer token within: check its signature against the provider's published keys, and check that the issuer, audience and expiry are what your application expects. If the token is invalid, redirect the user to the login endpoint:

https://<ingress>/oauth2/login

💡 Learn more about the login proxy.

📚 See Login proxy reference for technical details.