Azure AD sidecar

Status: Beta

This feature is only available in the GCP clusters, except labs-gcp.

Experimental: this is a new feature. Use it in production, but be aware that bugs might arise.

Report any issues to the #nais channel on Slack.

Description

A reverse proxy that provides functionality to handle Azure AD login and logout.

Prerequisites

• Ensure that you first enable Azure AD for your application.
• Ensure that you also define at least one ingress for your application.

Spec

Port Configuration

The sidecar will occupy and use the ports 7564 and 7565.

Ensure that you do not bind to these ports from your application as they will be overridden.

nais.yaml

spec:
  azure:
    application:
      enabled: true
    sidecar:
      enabled: true

      # everything below is optional, defaults shown
      autoLogin: false
      errorPath: ""

See the NAIS manifest for details.

Usage

Tip

See the Wonderwall appendix for usage details.

Token Validation

Danger

Your application should secure its own endpoints. That is, deny access to sensitive endpoints if the appropriate authentication is not supplied.

Your application should also validate the claims and signature for the Azure AD JWT access_token attached by the sidecar.

The aud (audience) claim must be equal to your application's client ID in Azure AD.

---

Last update: 2022-07-04
Created: 2021-08-25