K
Q

How Ingress support JWT Authentication?

10/21/2019

Right now I'm using Ingress-Nginx as the routing service for the traffic externally. However, there are few articles introduce how Ingress plays JWT authentications to protect internal APIs. Can someone share some information about it?

-- AI_ROBOT
jwt
kubernetes
kubernetes-ingress
nginx-ingress

Similar Questions

Kubernetes and Spring Boot @Service load balancing
Multi-tenant microservice design with high memory usage in each tenant
How to apply transformer plugin after Ingress serviceName is updated?
Dynamically set values in Kubernetes yaml configuration files
ClusterIssuer/Issuer failed for domain > 64 char. CSR doesn't contain a SAN short enough to fit in CN

1 Answer

10/22/2019

As per research:

Different authenticating API calls were has merged in the form of OAuth 2.0 access tokens.

These are authentication credentials passed from client to API server, and typically carried as an HTTP header.

JSON Web Token (JWT) as defined by RFC 7519 is one of those.

As per docs:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

This mechanism can be applied using different ingress controllers like kubernetes nginx-ingress or nginxinc ingress controller.

As per nginx inc docs:

NGINX auth_request Module is used to Validate Tokens on behalf of backend sercvices.

Requests reach the backend services only when the client has presented a valid token Existing backend services can be protected with access tokens, without requiring code changes Only the NGINX instance (not every app) need be registered with the IdP Behavior is consistent for every error condition, including missing or invalid tokens

So for NGINX acting as a reverse proxy for one or more applications, we can use the auth_request module to trigger an API call to an IdP before proxying a request to the backend.

To use an existing service that provides authentication the Ingress rule can be annotated with nginx.ingress.kubernetes.io/auth-url to indicate the URL where the HTTP request should be sent.

Here you can find working example nginx-subrequest-auth-jwt

This project implements a simple JWT validation endpoint meant to be used with NGINX's subrequest authentication, and specifically work well with the Kubernetes NGINX Ingress Controller external auth annotations

It validates a JWT token passed in the Authorization header against a configured public key, and further validates that the JWT contains appropriate claims.

This example is using PyJwt python library which allows you to encode and decode JSON Web Tokens (JWT)

Additional resource:

Hope this help.

-- Hanx
Source: StackOverflow