Azure AD sidecar
This feature is only available in dev-gcp and prod-gcp.
A reverse proxy that provides functionality to handle Azure AD login and logout.
- Ensure that you first enable Azure AD for your application.
- Ensure that you define at least one ingress for your application.
- Ensure that you configure user access for your application. Users are not granted access by default.
The sidecar will occupy and use the ports
Ensure that you do not bind to these ports from your application as they will be overridden.
See the NAIS manifest for details.
See the Wonderwall appendix for usage details.
Secure your endpoints
Your application is responsible for securing its own endpoints.
- If a request does not contain an Authorization header, the request should be considered unauthenticated and access should be denied.
- If a request has an Authorization header that contains a JWT, the token must be validated before access is granted.
Your application should validate the claims and signature of the JWT Bearer access_token that the sidecar attaches in the Authorization header. The aud (audience) claim must be equal to your application's client ID in Azure AD.
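As an added illustration of the check described above (example code, not part of the NAIS documentation or of Wonderwall): a Go function that accepts a request only if the Authorization header carries a Bearer JWT with a valid RS256 signature, an unexpired exp, and an aud equal to the application's own client ID. The issuer public key, the client ID "my-client-id" and the Mint stand-in signer are assumptions so that it runs offline; a real deployment verifies against the keys Azure AD publishes for the tenant.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// VerifyBearer decides whether one request may be served from the Authorization header the sidecar sets: a Bearer JWT whose
// RS256 signature verifies against the known issuer key (the token's own alg header is deliberately ignored), unexpired, aud == clientID.
func VerifyBearer(authz string, pub *rsa.PublicKey, clientID string, now time.Time) error {
	tok := strings.TrimPrefix(authz, "Bearer ")
	parts := strings.Split(tok, ".")
	if tok == authz || len(parts) != 3 { // no Bearer prefix, or not a three-part compact JWS
		return fmt.Errorf("unauthenticated: no Bearer JWT in Authorization header")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature does not verify against issuer key")
	}
	var c struct {
		Aud string `json:"aud"`
		Exp int64  `json:"exp"`
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("claims cannot be parsed")
	}
	if c.Aud != clientID { // a token issued for another application must not be accepted here
		return fmt.Errorf("aud %q is not this application's client ID", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) { // a missing exp decodes as 0 and is rejected too
		return fmt.Errorf("token expired")
	}
	return nil
}

// Mint produces an RS256 token; it stands in for Azure AD only so the example runs offline (assumed helper).
func Mint(priv *rsa.PrivateKey, aud string, exp int64) string {
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." +
		b64.EncodeToString([]byte(fmt.Sprintf(`{"aud":%q,"exp":%d}`, aud, exp)))
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig)
}
```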
The access token that Wonderwall provides should only be accepted and used by your application.
To access other applications, exchange the token for a new one that is correctly scoped to access the given application.
For Azure AD, use the on-behalf-of grant to do this.