README
¶
wonderwall
Wonderwall is an application that implements an OpenID Connect (OIDC) relying party/client in a way that makes it easy to plug into Kubernetes applications as a sidecar.
As such, this is OIDC as a sidecar, or OaaS, or to explain the joke:
Oasis - Wonderwall
Wonderwall functions as a reverse proxy that should be placed in front of your application; intercepting and proxying requests. It provides endpoints to perform logins and logouts for end users, along with session management - so that your application does not have to.
Features
Wonderwall aims to be compliant with OAuth 2.1, and supports the following:
- OpenID Connect Authorization Code Flow with mandatory use of PKCE, state and nonce
- Client authentication using client assertions (
private_key_jwt) as per RFC 7523, Section 2.2 - OpenID Connect RP-Initiated Logout
- OpenID Connect Front-Channel Logout
- Encrypted sessions with XChaCha20-Poly1305, stored using Redis as the backend
- Two deployment modes:
- Standalone mode (default) for zero-trust based setups where each application has its own perimeter and client
- Single sign-on (SSO) mode for shared authentication across multiple applications on a common domain
Documentation
At a glance, end-user authentication using Wonderwall is fairly straightforward:
- If the user does not have a valid local session with the sidecar, requests will be proxied to the upstream host as-is without modifications.
- In order to obtain a local session, the user must be redirected to the
/oauth2/loginendpoint, which will initiate the OpenID Connect Authorization Code Flow.- If the user successfully completed the login flow, the sidecar creates and stores a session. A corresponding session cookie is created and set before finally redirecting user agent to the application.
- All requests that are forwarded to the upstream host will now contain an
Authorizationheader with the user'saccess_tokenas a Bearer token, as long as the session is not expired or inactive.
- In order to log out, the user must be redirected to the
/oauth2/logoutendpoint.
Detailed documentation can be found in the documentation directory:
Running Locally
Requires Go 1.22
make run
Docker Compose
See the docker-compose file for an example setup:
- You need to be able to reach
host.docker.internalto reach the identity provider mock, so make sure you have127.0.0.1 host.docker.internalin your/etc/hostsfile. - By default, the setup will use the latest available pre-built image.
Run docker-compose up. This starts:
- Wonderwall (port 3000) with Redis as the session storage
- http-https-echo (port 4000) as the upstream server
- mock-oauth2-server as the identity provider
Try it out:
- Visit http://localhost:3000
- The response should be returned as-is from the upstream.
- The
authorizationheader should not be set.
- Visit http://localhost:3000/oauth2/login
- The
authorizationheader should now be set in the upstream response. - The response should also include the decoded JWT from said header.
- The
- Visit http://localhost:3000/oauth2/logout
- The
authorizationheader should no longer be set in the upstream response.
- The
Verifying the Wonderwall image and its contents
The image is signed "keylessly" using Sigstore cosign. To verify its authenticity run
cosign verify europe-north1-docker.pkg.dev/nais-io/nais/images/wonderwall@sha25:<shasum> \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-identity "https://github.com/nais/wonderwall/.github/workflows/deploy.yml@refs/heads/master"
The images are also attested with SBOMs in the CycloneDX format. You can verify these by running
cosign verify-attestation --type cyclonedx \
--certificate-identity "https://github.com/nais/wonderwall/.github/workflows/deploy.yml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/wonderwall@sha25:<shasum>
Directories