Ingress-Nginx: How to add attributes from introspection response to proxied request

9/20/2021

I am running a microservice based application, with a number of basic services and an OAuth token service using IdentityServer4. I would like to carry out token introspection with the identity service from the ingress controller directly, which I believe seems to be supported (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/) - and then check if the user is permitted access based on their role at the application layer in the various services.

I have valuable information in my introspection response that I want passed down to my different services (role, username, email etc) from my ingress controller after the introspection is complete. The documentation around using oauth in ingress-nginx is quite lacking. I am wondering if anyone is aware of if this is supported and if so how I go about implementing it.

-- FlanGorge
identityserver4
ingress-nginx
kubernetes
nginx
oauth-2.0

1 Answer

9/20/2021

I looked at the same thing recently for NGINX and Kong and came to this conclusion:

  • Use a generic ingress / load balancer first
  • Followed by a reverse proxy / API Gateway for certain routes
  • Followed by the actual back end API

You will be able to customize the second layer however you like, eg customize the nginx.conf file and add LUA plugins.

But the first layer tends to use its own nginx templates that are very different to the default ones. A new instance of the ingress template is spun up whenever you expose a new Kubernetes service. In effect an ingress is a different server role to a reverse proxy, and is not meant to be customised in the same way.

At Curity we do quite a bit of OAuth related work and I would recommend achieving your goals in the following manner:

  • Leave the ingress alone
  • Do the introspection in a reverse proxy layer after the ingress, so that you can add your introspection (and any other) logic via LUA scripting. OpenResty and Kong Open Source are both good choices.
  • We call this the phantom token pattern
  • Here is an example LUA Implementation that you can plug in - and note that result caching is an important part of the solution to ensure good performance
-- Gary Archer
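The answer above describes introspecting the opaque token in a reverse-proxy layer and caching the result, then passing the user attributes on to the back-end services. The following Python module is an added illustration of that proxy-side logic, not code from the answer, from Curity, or from any OpenResty or Kong plugin. It stands in for what a Lua handler would do per request: look the token up in a cache keyed by its hash, call introspection on a miss (here a constructed stand-in for the IdentityServer4 endpoint, with a response in the RFC 7662 shape), respect the token's `exp` when caching, strip any client-supplied `X-Auth-*` headers so they cannot be spoofed, and forward the claims as headers. Header names and the constructed tokens are assumptions.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed introspection results keyed by opaque token. They stand in for
# an HTTPS POST to the identity server's introspection endpoint (RFC 7662).
_FAKE_INTROSPECTION_DB = {
    "opaque-token-alice": {
        "active": True, "sub": "alice", "username": "alice",
        "email": "alice@example.invalid", "role": ["admin", "user"],
        "scope": "api.read api.write", "exp": int(time.time()) + 3600,
    },
    "opaque-token-expired": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Stand-in for the real introspection call (assumption: network call replaced by a dict lookup)."""
    return _FAKE_INTROSPECTION_DB.get(token, {"active": False})


@dataclass
class IntrospectionCache:
    """Result cache so the identity server is not hit on every proxied request."""
    ttl: int = 300            # positive results live at most this long (seconds)
    negative_ttl: int = 30    # inactive/unknown tokens are remembered briefly
    _entries: Dict[str, Tuple[float, dict]] = field(default_factory=dict)

    @staticmethod
    def key(token: str) -> str:
        # Key by SHA-256 so the raw credential never sits in the cache store.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def get(self, token: str, now: float) -> Optional[dict]:
        k = self.key(token)
        entry = self._entries.get(k)
        if entry is None:
            return None
        expires_at, claims = entry
        if now >= expires_at:
            del self._entries[k]
            return None
        return claims

    def put(self, token: str, claims: dict, now: float) -> None:
        if claims.get("active"):
            expires_at = now + self.ttl
            if "exp" in claims:
                # Never serve a cached result past the token's own expiry.
                expires_at = min(expires_at, float(claims["exp"]))
        else:
            expires_at = now + self.negative_ttl
        self._entries[self.key(token)] = (expires_at, claims)


def authorize_request(headers: Dict[str, str], cache: IntrospectionCache,
                      introspect: Callable[[str], dict] = fake_introspect,
                      now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Return (status, upstream_headers): 200 with headers to forward, or 401 with none."""
    now = time.time() if now is None else now
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return 401, {}
    token = auth[7:].strip()
    if not token:
        return 401, {}

    claims = cache.get(token, now)
    if claims is None:
        claims = introspect(token)
        cache.put(token, claims, now)

    if not claims.get("active") or float(claims.get("exp", now + 1)) <= now:
        return 401, {}

    roles = claims.get("role", [])
    if isinstance(roles, str):
        roles = [roles]

    # Drop the opaque token and any caller-supplied X-Auth-* headers before
    # adding our own, so a client cannot inject roles or identity.
    upstream = {k: v for k, v in headers.items()
                if k.lower() != "authorization" and not k.lower().startswith("x-auth-")}
    upstream.update({
        "X-Auth-Subject": claims.get("sub", ""),
        "X-Auth-Username": claims.get("username", ""),
        "X-Auth-Email": claims.get("email", ""),
        "X-Auth-Roles": ",".join(roles),
        "X-Auth-Scope": claims.get("scope", ""),
    })
    return 200, upstream
```

The back-end services then read `X-Auth-Roles` (or the other headers) for their role checks, and must only be reachable through this proxy layer, otherwise the header stripping is bypassable. Curity's phantom token pattern replaces the opaque token with a signed JWT rather than plain headers; the header form here simply matches what the question asked for.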
Source: StackOverflow