Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How Ingress support JWT Authentication?

Tags:

jwt

kubernetes

kubernetes-ingress

nginx-ingress

Right now I'm using Ingress-Nginx as the routing service for the traffic externally. However, there are few articles introduce how Ingress plays JWT authentications to protect internal APIs. Can someone share some information about it?

like image 665
AI_ROBOT Avatar asked Oct 21 '19 21:10

AI_ROBOT

People also ask

How does authentication work with JWT?

To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.

Is JWT used for authorization or authentication?

Both API key and JWT are used for authentication and authorization, but they do it differently. Authentication allows the user or application to use one or more methods of the API. Authorization defines how they can use those methods.

How does an ingress work?

Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting.

1 Answers

As per research:

Different authenticating API calls were has merged in the form of OAuth 2.0 access tokens.

These are authentication credentials passed from client to API server, and typically carried as an HTTP header.

JSON Web Token (JWT) as defined by RFC 7519 is one of those.

As per docs:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

This mechanism can be applied using different ingress controllers like kubernetes nginx-ingress or nginxinc ingress controller.

As per nginx inc docs:

NGINX auth_request Module is used to Validate Tokens on behalf of backend sercvices.

Requests reach the backend services only when the client has presented a valid token Existing backend services can be protected with access tokens, without requiring code changes Only the NGINX instance (not every app) need be registered with the IdP Behavior is consistent for every error condition, including missing or invalid tokens

So for NGINX acting as a reverse proxy for one or more applications, we can use the auth_request module to trigger an API call to an IdP before proxying a request to the backend.

  • In the kubernetes ingress you can find information about External Authentication

To use an existing service that provides authentication the Ingress rule can be annotated with nginx.ingress.kubernetes.io/auth-url to indicate the URL where the HTTP request should be sent.

Here you can find working example nginx-subrequest-auth-jwt

This project implements a simple JWT validation endpoint meant to be used with NGINX's subrequest authentication, and specifically work well with the Kubernetes NGINX Ingress Controller external auth annotations

It validates a JWT token passed in the Authorization header against a configured public key, and further validates that the JWT contains appropriate claims.

This example is using PyJwt python library which allows you to encode and decode JSON Web Tokens (JWT)

Additional resource:

  • nginxinc controler
  • kubernetes on github JWT Authentication

Hope this help.

like image 147
Mark Avatar answered Oct 13 '22 06:10

Mark
Sign in to Comment

Related questions

Creating kubernetes cluster inside an existing VPC in AWS
ScheduledJobs on Google Container Engine (kubernetes)
Pulling private image from docker hub using minikube
How to scrape pod level info using prometheus kubernetes?
How can I connect to CockroachDB from outside the Kubernetes cluster?
Directories creation inside the Kubernetes Persistent Volume
kubernetes v1.7.1 kubeadm join hostname "" could not be reached error
Kubernetes - setting custom permissions/file ownership per volume (and not per pod)
Docker version supported in Kubernetes 1.9
Multiple clusters in kubernetes
Unable to validate Kubernetes cluster using Kops
Service mesh and Async services
Kubernetes Secret TLS Certificate P12 and Spring Boot Deployment doesn't work
Gcloud Kubernetes connection refused to exposed service
What is the right method for storing files in a microservice architecture?
What's the best way to get notified when kubernetes Deployments change using the k8s.io/client-go library?
What's the difference between Pod resources.limits and resources.requests in Kubernetes?
How to limit memory size for .net core application in pod of kubernetes?
What happens if a Kubernetes pod exceeds its cpu resources 'limit'?
Kubernetes - Pass Public IP of Load Balance as Environment Variable into Pod

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!