I am running a microservice based application, with a number of basic services and an OAuth token service using IdentityServer4. I would like to carry out token introspection with the identity service from the ingress controller directly, which I believe is supported (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/) - and then check if the user is permitted access based on their role at the application layer in the various services.
I have valuable information in my introspection response that I want passed down to my different services (role, username, email etc.) from my ingress controller after the introspection is complete. The documentation around using OAuth in ingress-nginx is quite lacking. I am wondering if anyone is aware of whether this is supported and, if so, how I go about implementing it.
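Added example (not part of the question or of any answer below): one way to do what the question describes is to point the ingress-nginx external-auth annotations at a small "auth adapter" service that performs RFC 7662 token introspection against IdentityServer4 and copies selected claims into response headers, which ingress-nginx then forwards to the backend via `auth-response-headers`. The annotation keys are real ingress-nginx ones; the adapter and identity service hostnames, the API resource name/secret, the header names and the `/connect/introspect` path are assumptions for the illustration.

```python
"""
Auth adapter for ingress-nginx external auth (added example, not the
questioner's code). Assumed Ingress annotations on the protected service:

  nginx.ingress.kubernetes.io/auth-url: "http://auth-adapter.default.svc.cluster.local:8080/introspect"
  nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Subject,X-Auth-Role,X-Auth-Email"

ingress-nginx issues a subrequest to auth-url carrying the client's
Authorization header; a 2xx lets the request through, anything else denies.
"""
import base64
import json
import urllib.parse
import urllib.request
from wsgiref.simple_server import make_server

# Assumed: IdentityServer4 introspection endpoint and the ApiResource
# name/secret it expects as HTTP Basic credentials.
INTROSPECT_URL = "https://identity.example.internal/connect/introspect"
API_NAME, API_SECRET = "api1", "api1-secret"

# Claims copied from the introspection response into response headers.
CLAIM_TO_HEADER = {"sub": "X-Auth-Subject", "role": "X-Auth-Role", "email": "X-Auth-Email"}


def bearer_token(authorization):
    """Return the bearer token from an Authorization header, or None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def introspect(token):
    """POST the token to the introspection endpoint (RFC 7662) and return the JSON body."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{API_NAME}:{API_SECRET}".encode()).decode()
    req = urllib.request.Request(
        INTROSPECT_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return json.load(resp)


def decide(introspection):
    """Map an introspection response to (http_status, headers_for_backend)."""
    if not introspection.get("active"):
        return 401, []  # revoked/expired/unknown token: deny, forward nothing
    headers = []
    for claim, header in CLAIM_TO_HEADER.items():
        value = introspection.get(claim)
        if value is None:
            continue
        if isinstance(value, list):  # e.g. several roles
            value = ",".join(str(v) for v in value)
        headers.append((header, str(value)))
    return 200, headers


def handle(authorization, introspect_fn=introspect):
    """Full decision for one request; introspect_fn is injectable for offline tests."""
    token = bearer_token(authorization)
    if token is None:
        return 401, []
    try:
        return decide(introspect_fn(token))
    except Exception:
        return 503, []  # fail closed if the identity service is unreachable


def make_app(introspect_fn=introspect):
    reasons = {200: "200 OK", 401: "401 Unauthorized", 503: "503 Service Unavailable"}

    def app(environ, start_response):
        status, headers = handle(environ.get("HTTP_AUTHORIZATION"), introspect_fn)
        if status == 401:
            headers = [("WWW-Authenticate", "Bearer")]
        start_response(reasons[status], headers)
        return [b""]
    return app


if __name__ == "__main__":
    with make_server("0.0.0.0", 8080, make_app()) as httpd:
        httpd.serve_forever()
```

Two caveats worth keeping in mind: only headers listed in `auth-response-headers` are set on the upstream request, and because the generated config sets them with `proxy_set_header` from the auth subrequest they replace any same-named header the client sent, so backends should trust only those listed names and nothing else they happen to receive; and the backends still need to make the role decision themselves, since the adapter only asserts that the token is active and what its claims are.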
I looked at the same thing recently for NGINX and Kong and came to this conclusion:
You will be able to customize the second layer however you like, eg customize the nginx.conf file and add Lua plugins.
But the first layer tends to use its own nginx templates that are very different to the default ones. A new instance of the ingress template is spun up whenever you expose a new Kubernetes service. In effect an ingress is a different server role to a reverse proxy, and is not meant to be customised in the same way.
At Curity we do quite a bit of OAuth related work and I would recommend achieving your goals in the following manner: