OIDC authorization code flow if the protected endpoint is placed somewhere else

[koplandipeter]

Hi everyone,
I use Emissary-Ingress as a proxy and it uses a dedicated service to authenticate and authorize the user before it forwards to request from the user to my internal services. The emissary sends a check request (https://github.com/emissary-ingress/emissary/blob/master/api/envoy/service/auth/v3/external_auth.proto) to the auth service, and depending on its response, decides that the user should be rejected or let them in.
I want to introduce the OIDC authorization code flow for some of the endpoints, but I'm not sure how to trigger the flow.
As I understand, I can't use the option described here https://quarkus.io/guides/security-oidc-code-flow-authentication#overview-of-the-oidc-authorization-code-flow-mechanism, because the endpoint is implemented somewhere else.
As I read, I can use the OidcClient (https://quarkus.io/guides/security-openid-connect-client-reference) directly if any reason I can't use the approach mentioned above. However, it is still not clear how to trigger the flow manually if I don't have the endpoint in place.

Any help would be appreciated.

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@koplandipeter Hi, if the endpoint which must be secured is implemented somewhere else then I can think of introducing a proxy which will interpose over that endpoint. This proxy will manage the authorization code flow itself and will propagate the access token to the target 3rd party endpoint.

This proxy is secured as shown in https://quarkus.io/guides/security-oidc-code-flow-authentication#overview-of-the-oidc-authorization-code-flow-mechanism and then you can propagate the access token as shown for example here:

https://quarkus.io/guides/security-openid-connect-providers#access-provider-services-with-token-propagation

Do you reckon it can work in your case ?

[koplandipeter]

Hi @sberyozkin,
Thanks for your help. Something similar can work. I can call a proxy you mentioned to manage the OIDC flow from my internal auth service. Only one thing is not clear to me. I have several endpoints that need to be protected. Depending on the request from the user, the redirect URL can be different. Is it possible to configure it before the OIDC flow is executed?

[sberyozkin]

@koplandipeter Sure, lets say you have to interpose/proxy with the OIDC web-app application over 2 external endpoints, with the local /a and /b endpoint methods respectively. By default, if you access /a the callback will be set to /a, and the same for /b. That should work for your case I believe.

[koplandipeter]

Hi @sberyozkin ,
Sorry for writing so late, but I wanted to implement a PoC with the proxy solution you mentioned. It works, so thank you very much for your help. I mark your answer.

[sberyozkin]

Good stuff, thanks @koplandipeter