How to handle Azure AD Authentication with Kubernetes Ingress


Question

I have an ASP.NET Core 2 application running in a pod.

It is nothing fancy. Just the default app created by Visual Studio, with "School/Work account" authentication enabled.

My ingress points to /:

- path: /
  backend:
    serviceName: debug-ui
    servicePort: 80

When I hit that endpoint (/) I am being redirected to Azure AD login. I authenticate and Azure AD redirects to /signin-oidc, which is normal for AD login. So far everything works as expected.

The problem is that the ingress responds with a "502 - Bad gateway", probably because the ingress sees /signin-oidc as a route to another (non-existing) service, but it should have been an endpoint on the application at / itself.

The application running at / also has /about and /contact, which work fine when auth is disabled.

The /signin-oidc is called as HTTP POST with the authentication token (JWT).

How can I solve this?

Technologies:

  • Kubernetes on Azure ACS
  • nginx-ingress-controller
  • Azure Active Directory
  • .NET Core 2

Recommended answer

Using Flask (instead of .NET) and AAD works with nginx ingress with something like the below:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: flask-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: flask-auth
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: flask-app
          servicePort: 80
        path: /app(/|$)(.*)
---

This is similar to:

AAD

example.com/app  
example.com/app/login  
example.com/app/other-logins-urls 

Serving HTML templates

example.com/app/app-name
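As an added illustration (not code from the answer above or from the Flask project it mentions), the following Python simulates how the regex path in the answer's Ingress classifies request paths, so you can check before deploying that an OIDC callback such as /app/signin-oidc is routed to the same backend as /app. It assumes ingress-nginx's behaviour of anchoring a use-regex path at the start of the request path and matching case-insensitively; the second rule, the backend names and the rewrite-target modelling are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample rules in the shape of the answer's Ingress:
# (path regex as written in the Ingress, backend service name).
INGRESS_RULES = [
    (r"/app(/|$)(.*)", "flask-app"),   # the answer's rule
    (r"/api(/|$)(.*)", "api-svc"),     # constructed second rule
]


def compile_ingress_regex(path_regex: str) -> re.Pattern:
    """Model of how ingress-nginx turns a use-regex path into an nginx
    location: anchored at the start of the path and case-insensitive
    (assumption about the controller's generated config)."""
    return re.compile("^" + path_regex, re.IGNORECASE)


def route(request_path: str, rules=INGRESS_RULES) -> Optional[str]:
    """Return the backend service the first matching rule selects, or None
    when no rule matches (the controller then serves its default backend)."""
    for path_regex, backend in rules:
        if compile_ingress_regex(path_regex).match(request_path):
            return backend
    return None


def rewritten_path(path_regex: str, request_path: str) -> Optional[str]:
    """What the upstream would see if the rule were paired with a
    rewrite-target of /$2 (a common companion to this regex, not part of
    the answer): the app's own routes (/, /signin-oidc, ...) without the
    /app prefix. The (/|$) group stops /application from matching /app."""
    m = compile_ingress_regex(path_regex).match(request_path)
    if not m:
        return None
    return "/" + m.group(2)


if __name__ == "__main__":
    for p in ["/app", "/app/signin-oidc", "/application", "/API/v1", "/signin-oidc"]:
        print(f"{p:20} -> backend={route(p)} "
              f"rewritten={rewritten_path(r'/app(/|$)(.*)', p)}")
```

Note that /signin-oidc without the /app prefix matches no rule in this setup, so the OIDC redirect URI registered in Azure AD must carry the same prefix the Ingress routes on.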
