Show HN: Single Sign-On (SSO) for OpenFaaS with Okta and OpenID Connect


September 16, 2020






Bring project authentication and Single Signal-on (SSO) to OpenFaaS with Okta and OpenID Connect

Endeavor authentication

OpenID Connect is a on daily basis customary that builds upon OAuth2 to enable authentication to companies and products and applications. Solutions fancy Okta may maybe maybe well most seemingly furthermore honest furthermore be frail to enable Single Signal-On right through a chain of third-celebration and in-dwelling applications. This reduces the burden on IT directors – fewer requests to reset passwords, fewer staff will fragment credentials and policy can enforced in a single home.

In this tutorial, I’ll abet you to setup Okta and OpenFaaS with the OIDC / OAuth2 authentication module. The OIDC auth module for OpenFaaS is a industrial add-on integrated in our OpenFaaS Top rate Subscription.

While you happen to don’t comprise an active OpenFaaS Top rate Subscription, then you may maybe maybe well deserve to educate for a trial key here: Apply for a 14-day trial.

Tutorial overview

  • Originate a developer legend with Okta
  • Register a web web page or DNS sub-zone
  • Originate an App in Okta
  • Find OIDC URLS, IDs and credentials
  • Setup OpenFaaS with TLS, Ingress and the authentication module
  • Configure your DNS
  • Take a look at out logging into OpenFaaS with Okta

Originate a developer legend with Okta

Head over to and develop a developer legend.

Register a web web page or DNS sub-zone

You’re going to deserve to register a web web page, or to setup a sub-zone in case you already have a web web page.

I’ll be the utilization of the zone .oauth.openfaas.apt and then in conjunction with two entries later on in a later step.

Google Domains provide a imprint-fantastic option.

Originate an App in Okta

We can comprise two URLs for OpenFaaS:

  • gw.oauth.openfaas.apt – the OpenFaaS gateway
  • auth.oauth.openfaas.apt – the OpenFaaS OIDC connector

You’re going to exhibit that we are the utilization of the 2nd area here: auth.oauth.openfaas.apt

A sound redirect area of 31111/oauth/callback is furthermore required in case you intend to exercise the faas-cli to authenticate to OpenFaaS.

Create the app

Find OIDC URLs, IDs and credentials

Find your diverse URLs, IDs and credentials

Get the client_id and secret values:

Get the app secrets

I was assigned a random area of dev-624219, the corresponding URLs may maybe be

export authServerId=default

curl -s https://${yourOktaDomain}/oauth2/${authServerId}/.eminent/openid-configuration

While you happen to pipe the consequence to jq, or attach it as JSON and format it, you’ll explore the predominant URLs that OpenFaaS needs:

  "issuer": "",
  "authorization_endpoint": "",
  "token_endpoint": "",
  "userinfo_endpoint": "",
  "registration_endpoint": "",
  "jwks_uri": ""

It is top to restful region the cookieDomain to the area or DNS-zone that used to be created.

Maintain out the following and attach it as, nonetheless originate now not lunge it but.

export PROVIDER=""              # Space this to "azure" if the utilization of Azure AD.
export LICENSE=""
export ROOT_DOMAIN="oauth.openfaas.apt"
export yourOktaDomain=$

arkade install openfaas 
  --region oauth2Plugin.enabled=loyal 
  --region oauth2Plugin.provider=$PROVIDER 
  --region oauth2Plugin.license=$LICENSE 
  --region oauth2Plugin.insecureTLS=false 
  --region oauth2Plugin.scopes="openid profile email" 
  --region oauth2Plugin.jwksURL=https://$yourOktaDomain/oauth2/default/v1/keys 
  --region oauth2Plugin.tokenURL=https://$yourOktaDomain/oauth2/default/v1/token 
  --region audience=https://gw.$ROOT_DOMAIN 
  --region oauth2Plugin.authorizeURL=https://$yourOktaDomain/oauth2/default/v1/authorize 
  --region oauth2Plugin.welcomePageURL=https://gw.$ROOT_DOMAIN 
  --region oauth2Plugin.cookieDomain=.$ROOT_DOMAIN 
  --region oauth2Plugin.baseHost=https://auth.$ROOT_DOMAIN 
  --region oauth2Plugin.clientSecret=$OAUTH_CLIENT_SECRET 
  --region oauth2Plugin.clientID=$OAUTH_CLIENT_ID

While you happen to’re the utilization of a GitOps machine or helm to put in OpenFaaS, then the above alternate strategies may maybe maybe well most seemingly furthermore honest furthermore be written into your values.yaml file as a replacement. The clientSecret is a confidential rate, so don’t commit this to a public repo.

As an illustration:

  enabled:  loyal

Setup OpenFaaS with TLS, Ingress and the auth plugin

Sooner than working the script, you’ll either want a public Kubernetes cluster, or a internal most/on-premises cluster the utilization of inlets PRO to supply a LoadBalancer with a public IP.

Set up an IngressController in case you don’t comprise already acquired one:

arkade install ingress-nginx

Set up cert-manager in case you don’t comprise already acquired it:

arkade install cert-manager

Set up OpenFaaS the utilization of Existing that in case you’ve got acquired a setting imperfect, you may maybe edit and lunge all of it over again at any time.

Originate a TLS and Ingress file for the gateway:

arkade install openfaas-ingress 
 --email alex@oauth.openfaas.apt 
 --area gw.oauth.openfaas.apt

We need one more Ingress file for the OIDC provider, nonetheless arkade can’t originate that for us but.

Export the gateway’s YAML file, edit the area and identify and educate all of it over again:

kubectl catch -n openfaas ingress/openfaas-gateway -o yaml 
  --export > oauth2-plugin.yaml

Edit oauth2-plugin.yaml

Commerce the identify from openfaas-gateway to oauth2-plugin, area to auth.oauth.openfaas.apt, the host to oidc, and the secretName to oauth2-plugin.

Alternatively exercise sed:

sed -ie s/openfaas-gateway/oauth2-plugin/g oauth2-plugin.yaml
sed -ie s/gw./auth./g oauth2-plugin.yaml
sed -ie s/gateway/oauth2-plugin/g oauth2-plugin.yaml

Apply the changed file, forcing the namespace to openfaas:

kubectl educate -f oauth2-plugin -n openfaas

Configure your DNS

Your TLS certs can’t be issued till you develop some DNS records.

Bustle the following:

kubectl catch svc ingress-nginx-controller

While you happen to’ve got an IP take care of exhibiting below EXTERNAL-IP, then develop two A records for the two subdomains. While you happen to explore a DNS file, as per AWS EKS, then develop a CNAME for them as a replacement.

  • gw.oauth.openfaas.apt
  • auth.oauth.openfaas.apt

Check that the DNS entries comprise propagated the utilization of ping -c 1 gw.oauth.openfaas.apt

In a couple of moments it is top to restful explore both certificates created:

kubectl catch cert -n openfaas

While you happen to suspect there’s a area, lunge kubectl philosophize -n openfaas repeat

Take a look at out logging into OpenFaaS with Okta

We now comprise configured a Kubernetes cluster with an IngressController, cert-manager and OpenFaaS with the OIDC auth add-on. It’s time to evaluate out logging in.

Head over to the gateway’s UI in a browser:


Existing: While you happen to’re seeing a certificates error and the “Kubernetes Ingress Controller Wrong Certificates” CA, then you comprise to breeze abet to the old step and double-evaluate the entirety. Even though the DNS configuration is appropriate, it will lift a couple of minutes for the certificates to be issued.

You will want to be redirected to your Okta developer area, where you may maybe maybe well be asked to log in with the particular person in Okta.

Log in

Survey the portal:


It is in all probability you’ll maybe well be ready to furthermore log into OpenFaaS the utilization of the CLI for exercise for your laptop laptop the utilization of the faas-cli auth tell to develop and store a token.

export CLIENT_ID="0oazbx89opTdXdOql4x6"
faas-cli auth 
  --client-identity $CLIENT_ID 
  --gateway https://gw.oauth.openfaas.apt 
  --grant implicit-identity

Existing: some OIDC suppliers fancy Azure Energetic Directory require “localhost” in home of to be given for this waft. It is in all probability you’ll maybe well be ready to give --redirect-host=localhost when the utilization of Azure.

Starting native token server on port 31111

credentials saved for https://gw.oauth.openfaas.apt

Instance utilization:
  # Spend an explicit token
  faas-cli checklist --gateway "https://gw.oauth.openfaas.apt" --token "REDACTED"

  # Spend the saved token
  faas-cli checklist --gateway "https://gw.oauth.openfaas.apt"

Then you definately can exercise faas-cli from your machine the utilization of the token:

faas-cli checklist --gateway "https://gw.oauth.openfaas.apt"
Operate                      	Invocations    	Replicas
nodeinfo                      	0              	1    

Can comprise to you comprise to exercise a token from CI, we provide instructions for the clients_credentials waft in the OpenFaaS documentation (referenced in the abstract).

Now you may maybe invite your team and co-staff to collaborate with you and catch serverless functions.

Spend the User panel to add fresh users to Okta, or in the occasion that they’re already on your Okta legend, setup a brand fresh OpenFaaS Neighborhood and add them to that.

Adding a new user

Wrapping up

In a somewhat short time period, we’ve been ready to authenticate to OpenFaaS the utilization of Okta and a single login. Any OIDC provider must restful work and I’ve tested the code with GitLab, Auth0 and GitLab up to now. From here, it’s easy to add other users to the OpenFaaS app, and to ship them an invite over email to be half of.

What about authorization?

This day the authorization fragment is restful dinky. Any legit users who’re in the supreme community for the OpenFaaS App in Okta may maybe be directors in OpenFaaS. So even as they won’t comprise kubectl access, they would be ready to keep CRUD operations on functions the utilization of faas-cli, the UI and the REST API.

OpenFaaS has plenty of-namespace pork up, and in conjunction with authorization is within sights. Enact it is top to breeze making an strive authorization on a per namespace basis? Enact you want it per feature? Would learn-supreme roles be a treasured addition?

More than likely appropriate in conjunction with OpenID Connect with Okta, Auth0, or GitLab to your corporate OpenFaaS deployment is enough, and even you want finer-grained authorization. I’d resolve to hear from you.

It is in all probability you’ll maybe well be ready to contact me at

Anticipate furthermore:

Read More

Leave A Reply

Your email address will not be published.