Does Google support any OIDC proxy implementation for Cloud Run?

Does Google offer any service which will function as a BFF to a SPA client? We have multiple microservices in Cloud Run which are protected by APIGEE. But for authentication and authorization purposes we need a proxy-based implementation which connects to the CIDP, and all calls to the backend services on APIGEE go through the proxy. The following features are needed:

  • Need to support users authenticated using customer-maintained directories (i.e. federated authentication)
  • Act as a service proxy to an OAuth or OIDC authentication server (e.g. Google's Identity Platform)
  • Do not share the access/refresh tokens with the client, but rather generate a secure cookie between this service and the SPA
  • Proxy API requests to services hosted on Google Cloud Run

Hi @subhajit2022,

Welcome to Google Cloud Community!

Google doesn't offer a single solution, but here's how to achieve your goals:

1. OIDC Proxy (Open-source options):

  • ORY Hydra or Keycloak deployed on Cloud Run for:
    • OIDC proxy functionality
    • Federated authentication with your CIDP
    • Secure cookie generation for the SPA

2. API Gateway (APIGEE):

  • Keep using Apigee to manage and secure access to your Cloud Run microservices.

3. Integration:

  • Connect the OIDC proxy with Apigee and Cloud Run:
    • Secure communication via tokens or mutual TLS
    • SPA authenticates with the OIDC proxy and gets a cookie
    • OIDC proxy forwards authorized requests to Apigee
    • Apigee routes requests to Cloud Run microservices

Additional considerations:

  • Secure cookie management in the OIDC proxy.
  • Custom logic may be needed for authorization based on user claims or ACLs.
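The token-handling pattern the reply describes (the SPA holds only an opaque cookie, the proxy keeps the tokens server-side and forwards requests to Apigee with a bearer token) as an added Go sketch; this is not code from the thread or from any Google product. The cookie name `bff_session`, the in-memory session store and the upstream URL are assumptions, and the OIDC code exchange that populates a session is left to an OIDC library.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
)

// Session is what the BFF keeps server-side per user; the browser only ever
// sees the opaque ID. (Assumption: one instance; on Cloud Run back the map
// with Memorystore or Firestore so all instances share it.)
type Session struct{ Subject, AccessToken, RefreshToken string }
var sessions sync.Map // session ID -> *Session

// CreateSession records tokens from the OIDC code exchange and returns the ID.
func CreateSession(s *Session) string {
	b := make([]byte, 32) // 256 bits of entropy: the ID is the only secret
	rand.Read(b)
	id := hex.EncodeToString(b)
	sessions.Store(id, s)
	return id
}

// SessionCookie carries no token, is hidden from JS, TLS-only and SameSite.
func SessionCookie(id string) *http.Cookie {
	return &http.Cookie{Name: "bff_session", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// NewProxy swaps the cookie for the stored access token and forwards the
// request to the upstream gateway (Apigee in the question).
func NewProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := ""
		if c, err := r.Cookie("bff_session"); err == nil {
			id = c.Value
		}
		v, ok := sessions.Load(id)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Cookie") // the browser cookie must never reach the backend
		r.Header.Set("Authorization", "Bearer "+v.(*Session).AccessToken)
		rp.ServeHTTP(w, r)
	})
}
```

Authorization on user claims (the reply's last bullet) would be added inside the handler before `rp.ServeHTTP`, where the session's subject and claims are available without the SPA ever having seen a token.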