Implementing an effective authentication strategy is vital to any application’s security solution: it is a key part of determining a user’s identity and of stopping bad actors from masquerading as others, particularly within the parts of your system that access sensitive data.

In web applications, authentication is typically implemented at the edge, either via an API/edge gateway like Ambassador or Envoy, or via a top-level request filter within your application framework. It is also increasingly common for applications to use external identity providers (IdPs) such as Google, GitHub, or Facebook, typically via an identity hub like Auth0, Keycloak or Okta that provides authentication-as-a-service, rather than taking on the high cost (and risk) of maintaining their own identity database.

There are a lot of acronyms and terminology that can make this appear overly complicated, and so this post attempts to provide several pointers for using Ambassador Pro with an identity hub.

How Ambassador Integrates with OAuth and OIDC

A lot of people are starting to implement authentication at the edge using Ambassador Pro and an identity hub like Auth0 or Keycloak, and so we’ve recently updated the docs.

In the Ambassador documentation, we’ve defined in detail (and related to Ambassador) all of the authentication terms that we frequently get questions about, such as:

At a high level, here is the flow of the interactions between a user, Ambassador Pro (powered by Envoy), an IdP, and your Kubernetes services:

OAuth flow with Ambassador, an identity hub, and Kubernetes services

Learn More With the Ambassador and Auth0 Tutorial

You can learn more about implementing Single Sign-On with OAuth & OIDC in the Ambassador Pro tutorial, which also contains a full walkthrough of how to configure Ambassador Pro with Auth0. Or check out the general overview of the topic in the Concepts guide of the Ambassador docs.

As usual, you can ask any questions you may have via Twitter (@getambassadorio) or Slack, or raise issues via GitHub.