Hybrid Auth: Integrating Firebase with OAuth2 Proxy in Kubernetes
In modern applications, authentication is a critical component, especially when integrating multiple identity providers. Many enterprises use OAuth-based authentication solutions like Okta, while developers often rely on Firebase Authentication for easy user management. Integrating both in a Kubernetes environment requires a seamless bridge—this is where OAuth2 Proxy comes in.
This guide walks through how to set up hybrid authentication, allowing Firebase Auth to work alongside Okta using OAuth2 Proxy. We’ll configure authentication flows, deploy services in Kubernetes, and ensure secure user access.
1. Understanding the Components
1.1 Firebase Authentication and Okta
Firebase Authentication simplifies user sign-ins with email, phone, or social logins. However, enterprises typically use identity providers like Okta, which provides single sign-on (SSO) and multi-factor authentication. To unify authentication, we need to make Firebase recognize users authenticated via Okta.
1.2 The Role of OAuth2 Proxy
OAuth2 Proxy acts as an authentication gateway. It intercepts requests to your application and ensures users are authenticated via an OAuth provider before granting access. By integrating OAuth2 Proxy with Okta, we can authenticate users at the gateway level before forwarding their identity to Firebase.
2. Setting Up the Integration
2.1 Configuring Okta as an Identity Provider
To start, create an application in Okta and configure it to use OpenID Connect (OIDC). This generates a Client ID and Client Secret, which OAuth2 Proxy will use to authenticate users. The OIDC issuer URL, typically in the format https://YOUR_OKTA_DOMAIN/oauth2/default, will be needed later.
2.2 Deploying OAuth2 Proxy in Kubernetes
Once Okta is set up, deploy OAuth2 Proxy in your Kubernetes cluster. This proxy will handle authentication requests and forward validated users to your backend services. Below is an example of a Kubernetes deployment configuration:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://YOUR_OKTA_DOMAIN/oauth2/default
            - --client-id=YOUR_OKTA_CLIENT_ID
            # The two secrets below are placeholders. Values passed in args are readable
            # in the pod spec; OAuth2 Proxy also accepts them from a Kubernetes Secret via the
            # OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET environment variables.
            - --client-secret=YOUR_OKTA_CLIENT_SECRET
            - --cookie-secret=YOUR_COOKIE_SECRET
            # localhost:8080 is only reachable if the backend runs as a container in this same pod.
            - --upstream=http://localhost:8080/
```
This configuration tells OAuth2 Proxy to authenticate users against Okta. The --upstream flag specifies the backend service that OAuth2 Proxy will route authenticated requests to.
2.3 Exposing OAuth2 Proxy with Kubernetes Ingress
To make OAuth2 Proxy accessible, configure an Ingress resource. This allows external traffic to reach your services while ensuring only authenticated users pass through. A simple NGINX Ingress setup might look like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
spec:
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-backend
                port:
                  number: 80
```
Now, when users visit myapp.example.com, they are redirected to Okta for authentication. Upon successful login, OAuth2 Proxy forwards the request to your backend.
3. Integrating Firebase Authentication
Since Firebase doesn’t natively support Okta authentication, we need a mechanism to exchange Okta tokens for Firebase tokens. This is done using the Firebase Admin SDK.
3.1 Creating Firebase Custom Tokens
Once OAuth2 Proxy validates a user, your backend service can request Firebase to generate a custom authentication token. Here’s how you might do it in Node.js using the Firebase Admin SDK:
```javascript
const admin = require('firebase-admin');

admin.initializeApp({
  credential: admin.credential.applicationDefault(),
});

async function exchangeOktaToken(oktaToken) {
  // Validate Okta token (you may need to fetch user info from Okta).
  // extractUserIdFromOktaToken is your own helper, not part of the Admin SDK.
  // It must verify the token's signature, issuer, audience and expiry before
  // returning a user ID, because whatever it returns becomes the Firebase uid.
  const userId = extractUserIdFromOktaToken(oktaToken);

  // Create a Firebase custom token for the authenticated user
  const firebaseToken = await admin.auth().createCustomToken(userId);
  return firebaseToken;
}
```
This allows a user who signed in with Okta to access Firebase services as if they had authenticated with Firebase directly.
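The snippet above calls extractUserIdFromOktaToken without defining it. The following is an added example, not code from the original article, showing one way to write that helper so that a Firebase token is only minted for a token that passes signature, issuer, audience and expiry checks. It assumes RS256-signed tokens and the audience api://default; makeToken, rejectionReason, the publicKey parameter and the throwaway key pair are hypothetical stand-ins for the signing key you would load from the issuer's JWKS endpoint.

```javascript
const crypto = require('node:crypto');

// Assumed values for this example: use your own Okta issuer and the audience your tokens carry.
const ISSUER = 'https://YOUR_OKTA_DOMAIN/oauth2/default';
const AUDIENCE = 'api://default';

const b64url = (v) => Buffer.from(v).toString('base64url');
const decodeJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify the signature and claims first; only then return the subject to use as the Firebase uid.
function extractUserIdFromOktaToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm: the token header must not be allowed to select "none" or HS256.
  if (decodeJson(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = decodeJson(p);
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (typeof claims.sub !== 'string' || !claims.sub || claims.sub.length > 128) throw new Error('missing sub');
  return claims.sub; // Firebase uids are non-empty strings of at most 128 characters
}

// Constructed fixtures: a throwaway key pair standing in for the Okta signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function makeToken(claims, header = { alg: 'RS256', typ: 'JWT' }, key = privateKey) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the rejection reason, or null when the token is accepted.
function rejectionReason(token) {
  try { extractUserIdFromOktaToken(token, publicKey); return null; } catch (e) { return e.message; }
}

const nowSec = Math.floor(Date.now() / 1000);
const good = { iss: ISSUER, aud: AUDIENCE, sub: '00u-constructed-user', exp: nowSec + 300 };
const valid = makeToken(good);
const [validHeader, , validSig] = valid.split('.');
// Same header and signature, but the payload was swapped to claim a different user.
const tampered = `${validHeader}.${b64url(JSON.stringify({ ...good, sub: 'admin' }))}.${validSig}`;
console.log(rejectionReason(valid), rejectionReason(tampered));
```

In exchangeOktaToken, the returned value is what gets passed to createCustomToken, so any check skipped here lets a caller choose their own Firebase uid.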
4. Final Thoughts
By combining Firebase Authentication, Okta, and OAuth2 Proxy, you create a flexible and secure authentication solution. Users can sign in using Okta, while your application still benefits from Firebase’s authentication features. OAuth2 Proxy ensures all requests are properly authenticated before reaching your backend.
4.1 Further Reading
- Firebase Authentication Documentation
- Okta Developer Guide
- OAuth2 Proxy GitHub
- Kubernetes Ingress Documentation