Azure AD sidecar

Availability

This feature is only available in dev-gcp and prod-gcp.

Description

A reverse proxy that provides functionality to handle Azure AD login and logout.

Prerequisites

• Ensure that you first enable Azure AD for your application.
• Ensure that you define at least one ingress for your application.
• Ensure that you configure user access for your application. Users are not granted access by default.

Spec

Port Configuration

The sidecar will occupy and use the ports 7564 and 7565.

Ensure that you do not bind to these ports from your application as they will be overridden.

nais.yaml

spec:
  azure:
    application:
      enabled: true
    sidecar:
      enabled: true

      # everything below is optional, defaults shown
      autoLogin: false

See the NAIS manifest for details.

Usage

Tip

See the Wonderwall appendix for usage details.

Token Validation

Secure your endpoints

Your application is responsible for securing its own endpoints.

• If a request does not contain an Authorization header, the request should be considered unauthenticated and access should be denied.
• If a request has an Authorization header that contains a JWT, the token must be validated before access is granted.

Your application should validate the claims and signature for the JWT Bearer access_token attached by the sidecar in the Authorization header.

The aud (audience) claim must be equal to your application's client ID in Azure AD.

Next Steps

The access token that Wonderwall provides should only be accepted and used by your application.

In order to access other applications, you should exchange the token in order to get a new token that is correctly scoped to access a given application.

For Azure AD, use the on-behalf-of grant to do this.

---

Last update: 2023-03-28
Created: 2021-08-25