Azure AD sidecar
Status: Beta
This feature is only available in the GCP clusters.
Experimental: this is a new feature. Use it in production, but be aware that bugs might arise.
Report any issues to the #nais channel on Slack.
Description
A reverse proxy that provides functionality to handle Azure AD login and logout.
Prerequisites
- Ensure that you first enable Azure AD for your application.
- Ensure that you also define at least one ingress for your application.
Spec
Port Configuration
The sidecar will occupy and use the ports 7564 and 7565.
Ensure that you do not bind to these ports from your application as they will be overridden.
```yaml
spec:
  azure:
    sidecar:
      enabled: true
      # everything below is optional, defaults shown
      autoLogin: false
      errorPath: ""
```
See the NAIS manifest for details.
Usage
Tip
See the Wonderwall appendix for usage details.
Token Validation
Danger
Your application should secure its own endpoints. That is, deny access to sensitive endpoints if the appropriate authentication is not supplied.
Your application should also validate the claims and signature of the Azure AD JWT access_token attached by the sidecar.
The aud (audience) claim must be equal to your application's client ID in Azure AD.