Identity Server 4 On Kubernetes Nginx Ingress
Ever tried deploying Identity Server 4 on a k8s (Kubernetes) setup with Nginx ingress?
If you tried, I’m sure you’ve encountered some problems, as the current Nginx ingress is not properly configured for ASP.Net project or does not contain better optimization for Identity Server 4.
Come on join me as we dive into the configurations!
Prerequisites
First of all, you must have a Kubernetes on your machine. Second, must have existing test bed project for Identity Server 4.
If you don’t have Kubernetes, perhaps you could try installing MicroK8s. The MicroK8s works on windows and MacOS.
So where do we start?
First, we modify the ingress ConfigMap
configuration, and add the following lines:
This specific modifications allows Identity Server 4 to send and receive large header data which is needed to store and sort out JWT (JSON Web Token) identifiers. You can check this sample setup on my test ingress config map YAML (Yet Another Markup Language):
Next, thing we do is adjust our code to forward headers from and to ingress-app. The other method calls are also recommended by docs from Microsoft, you can check the setup here.
The docs specified the known networks / proxies are needed if you are hosting C# apps in non-windows hosting environment.
After adding a forward headers configuration onto our ConfigureService
method. We also need to add the forward headers middleware on the Configure
method, can also be found in Startup.cs
file.
Then after that, restart the Nginx ingress and also your app to test whether everything is working fine. The next change is optional if you are using TLS.
If your ingress setup is TLS terminated. You also need to add this on your Configure
method.
This specific custom middleware specifically converts all incoming calls to secured HTTP scheme. The TLS ingress specifically does is redirect the calls from your RS (Resource Server) to AS (Authorization Server) which is Identity Server 4 but TLS needs consistent HTTP secured scheme. If you look into your openid-configuration
it will return http://
only endpoints and that is the problem, and that’s why we are modifying it internally using a custom middleware.
After all is done, restart the service and test every knick and knacks.
That’s all guys!
Conclusion
It’s not just a simple clone image and deploy setup in k8s especially if you’re trying to deploy a c# app, sometimes you need to optimize some config in order for it to run smoothly /and or work well. Check the recommended deployment guide in Microsoft docs.
Let me know in the comments if you have questions or queries, you can also DM me directly.
Follow me for similar article, tips, and tricks ❤.
- IdentityServer is an OpenID Connect provider — it implements the OpenID Connect and OAuth 2.0 protocols.
- Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management.
- Nginx (pronounced “engine X”, /ˌɛndʒɪnˈɛks/ EN-jin-EKS), stylized as NGINX, nginx or NginX, is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
- Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.