How Ingress support JWT Authentication?

Right now I'm using Ingress-Nginx as the routing service for the external traffic. However, there are few articles that introduce how Ingress handles JWT authentication to protect internal APIs. Can someone share some information about it?

AI_ROBOT Avatar asked Oct 21 '19 21:10

1 Answer

As per research:

Different ways of authenticating API calls have merged into the form of OAuth 2.0 access tokens.

These are authentication credentials passed from client to API server, and typically carried as an HTTP header.

JSON Web Token (JWT) as defined by RFC 7519 is one of those.

As per docs:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

This mechanism can be applied using different ingress controllers, like the kubernetes nginx-ingress or the nginxinc ingress controller.

As per nginx inc docs:

NGINX auth_request Module is used to validate tokens on behalf of backend services.

  • Requests reach the backend services only when the client has presented a valid token
  • Existing backend services can be protected with access tokens, without requiring code changes
  • Only the NGINX instance (not every app) need be registered with the IdP
  • Behavior is consistent for every error condition, including missing or invalid tokens

So for NGINX acting as a reverse proxy for one or more applications, we can use the auth_request module to trigger an API call to an IdP before proxying a request to the backend.

  • In the kubernetes ingress you can find information about External Authentication

To use an existing service that provides authentication the Ingress rule can be annotated with nginx.ingress.kubernetes.io/auth-url to indicate the URL where the HTTP request should be sent.

Here you can find a working example: nginx-subrequest-auth-jwt

This project implements a simple JWT validation endpoint meant to be used with NGINX's subrequest authentication, and specifically works well with the Kubernetes NGINX Ingress Controller external auth annotations.

It validates a JWT token passed in the Authorization header against a configured public key, and further validates that the JWT contains appropriate claims.

This example uses the PyJWT Python library, which allows you to encode and decode JSON Web Tokens (JWT).

Additional resource:

  • nginxinc controller
  • kubernetes on github JWT Authentication

Hope this helps.

Mark Avatar answered Oct 13 '22 06:10
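As an added illustration (not code from the answer above or from the nginx-subrequest-auth-jwt project), here is a stand-alone sketch of what such an auth-url endpoint does, using only the Python standard library. It assumes an HS256 shared secret instead of the project's RS256 public key, includes a constructed `mint_token` helper purely to produce test input, and returns the status the subrequest would answer with: 200 lets ingress-nginx proxy the original request, 401 blocks it.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims, secret):
    """Constructed helper that builds an HS256 token so the demo has input to check."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(token, secret, required_claims, now=None):
    """Return (ok, reason): structure, pinned alg, signature, exp, required claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, TypeError):
        return False, "undecodable token"
    # Pin the algorithm server-side; never let the token header pick 'none' or another alg.
    if not isinstance(header, dict) or not isinstance(payload, dict) or header.get("alg") != "HS256":
        return False, "bad header or alg"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return False, "missing or expired exp"
    for key, value in required_claims.items():
        if payload.get(key) != value:
            return False, f"claim {key} mismatch"
    return True, "ok"

def auth_subrequest(headers, secret, required_claims, now=None):
    """Emulate the auth-url endpoint: nginx forwards the client's headers and proxies
    the original request only on a 2xx answer; 401 here denies it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    ok, _ = validate_jwt(auth[len("Bearer "):], secret, required_claims, now)
    return 200 if ok else 401
```

In a real deployment the endpoint runs as its own Service, and the Ingress carries the `nginx.ingress.kubernetes.io/auth-url` annotation pointing at it, so the backend never sees a request whose token failed these checks.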