Azure AD sidecar
The Azure AD sidecar is a reverse proxy that provides functionality to perform Azure AD login and logout for end-users.
The sidecar is only available in the Google Cloud Platform clusters.
The sidecar occupies and uses a set of ports of its own. Ensure that your application does not bind to these ports, as they will be overridden.
Enabling the sidecar in your NAIS manifest provisions a unique Azure AD application and enables a sidecar that uses said application.
See the NAIS manifest reference for the complete specification.
For configuration of the Azure AD application itself, see the Configuration page.
Try out a basic user flow:

- Visit your application's login endpoint (`https://<ingress>/oauth2/login`) to trigger a login.
- After logging in, you should be redirected back to your application.
- All further requests to your application should now have an `Authorization` header with the user's access token as a Bearer token.
- Visit your application's logout endpoint (`https://<ingress>/oauth2/logout`) to trigger a logout.
- You will be redirected to Azure AD for logout, and then back to your application's ingress.
See Wonderwall for further usage details.
The sidecar attaches an `Authorization` header with the user's `access_token` as a Bearer token, as long as the user is authenticated.

It is your responsibility to validate the token before granting access to resources. For any endpoint that requires authentication, deny access if the request does not carry a valid Bearer token. At a minimum, verify the token's signature against the issuer's published keys and check that the `iss`, `aud` and `exp` claims match your application and are current.
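The following is an added example of such a check, written for this page rather than taken from Wonderwall or NAIS. It pins the signing algorithm, verifies the RS256 signature and then checks the `iss`, `aud` and `exp` claims, and wraps a handler so that any request without an acceptable Bearer token is answered with 401. The signing key is generated locally and `Sign` mints tokens only so the example runs offline: in production Azure AD signs the token and your application fetches the matching public key from the issuer's JWKS by the header's `kid`. The issuer URL and the audience (your application's client ID) are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims are the registered claims the access decision hinges on; Azure AD tokens carry more.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // Azure AD emits a single string here
	Exp int64  `json:"exp"`
}

// Validator pins one issuer, one audience and one key; Key stands in for the JWKS lookup by "kid".
type Validator struct {
	Key      *rsa.PublicKey
	Issuer   string
	Audience string
	Now      func() time.Time
}

// Validate checks the RS256 signature first, then the iss, aud and exp claims.
func (v *Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawBody, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url encoding")
	}
	// Pin the algorithm: the token must not get to choose it ("none", HS256 key confusion).
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if json.Unmarshal(rawBody, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != v.Audience:
		return nil, fmt.Errorf("token issued for another application (aud %q)", c.Aud)
	case c.Exp == 0 || v.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// RequireAuth answers 401 unless the Authorization header the sidecar attaches carries a token Validate accepts.
func RequireAuth(v *Validator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ") // missing or non-Bearer header fails below
		if _, err := v.Validate(tok); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Sign mints an RS256 token for the demo and tests only; in production Azure AD signs and you only verify.
func Sign(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Placeholder issuer and audience (the audience is your application's client ID).
	v := &Validator{Key: &key.PublicKey, Issuer: "https://login.microsoftonline.com/<tenant>/v2.0", Audience: "<client-id>", Now: time.Now}
	_, err := v.Validate(Sign(key, Claims{Iss: v.Issuer, Aud: "another-app", Exp: time.Now().Add(time.Hour).Unix()}))
	fmt.Println("token for another application rejected:", err)
}
```

The audience check is what makes a token stolen from another application useless against yours, and the algorithm pin is what stops a forged header from downgrading verification; a real deployment uses a maintained JWT library with JWKS caching rather than this hand-rolled verifier, but the checks it must perform are the ones above.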
The access token that Wonderwall provides is issued to your application and should only be accepted and used by your application; its audience is your application, so other applications must not accept it.
To access another application, exchange the token for a new token that is correctly scoped to that application.
For Azure AD, use the on-behalf-of grant to do this.
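The exchange described above, as an added example that is not part of this page or of Wonderwall: the inbound token from the `Authorization` header is sent to the Azure AD token endpoint as the assertion of a `jwt-bearer` grant with `requested_token_use=on_behalf_of`, and the reply carries a new token scoped to the downstream application. The parameter names are those of the Microsoft identity platform v2 token endpoint; the `FakeTokenEndpoint` is a constructed stand-in for Azure AD so the example runs offline, and the client ID, secret, scope and downstream token values are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OBOClient exchanges the inbound user token for one scoped to a downstream application.
type OBOClient struct {
	TokenEndpoint string // real value: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
	ClientID      string
	ClientSecret  string
	HTTP          *http.Client
}

// Exchange performs the on-behalf-of grant: the token from the Authorization header becomes
// the assertion, and the reply is a new token whose audience is the downstream application.
func (c *OBOClient) Exchange(inboundToken, scope string) (string, error) {
	if inboundToken == "" {
		return "", fmt.Errorf("no inbound token to exchange")
	}
	form := url.Values{
		"grant_type":          {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"client_id":           {c.ClientID},
		"client_secret":       {c.ClientSecret},
		"assertion":           {inboundToken},
		"scope":               {scope}, // e.g. api://<downstream-client-id>/.default
		"requested_token_use": {"on_behalf_of"},
	}
	resp, err := c.HTTP.Post(c.TokenEndpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
		ErrorDesc   string `json:"error_description"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", fmt.Errorf("token exchange failed: %s: %s", body.Error, body.ErrorDesc)
	}
	return body.AccessToken, nil
}

// FakeTokenEndpoint is a constructed stand-in for Azure AD so the example runs offline: it
// insists on the OBO parameters and answers with a placeholder downstream token.
func FakeTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.ParseForm() != nil ||
			r.Form.Get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer" ||
			r.Form.Get("requested_token_use") != "on_behalf_of" ||
			r.Form.Get("assertion") == "" || r.Form.Get("scope") == "" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request", "error_description": "missing OBO parameter"})
			return
		}
		json.NewEncoder(w).Encode(map[string]string{
			"access_token": "downstream-token-for-" + r.Form.Get("scope"),
			"token_type":   "Bearer",
		})
	}))
}

func main() {
	srv := FakeTokenEndpoint()
	defer srv.Close()
	c := &OBOClient{TokenEndpoint: srv.URL, ClientID: "<client-id>", ClientSecret: "<client-secret>", HTTP: srv.Client()}
	tok, err := c.Exchange("<token-from-Authorization-header>", "api://<downstream-client-id>/.default")
	fmt.Println(tok, err)
}
```

Send only the exchanged token to the downstream application, never the inbound one; the downstream application validates the new token's audience the same way your application validates its own.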