Istio supports AuthZ and AuthN services, but is there a way to implement a token validation via a proxy?
Example: User/Client sends a request to Service-A, the request hits to istio-ingressGateway and Gateway validates the token via another service (Validation Service) if the token is valid user/client can get the user data if not send an error equivalent response.
You can write a micro-gateway service using Netflix Zuul which will be the landing service from your Istio Gateway. It can do quick token validation using Zuul filters and then forward the request to the desired service or return a token error response. You can use this service for issuing tokens and also hosting the JWK keys for JWT tokens.
I've written a Java implementation for the same.
Otherwise, you can use an internal Nginx server as a landing for all your request and then use http_auth_request_module to do a quick auth and then proxy forward to other services. You can find it on Nginx documentation.
Unfortunately, I didn't find anything as such provided by Istio as of now.
Posted community wiki answer for better visibility. As Tushar Mistry mentioned in the comments - problem is solved based on this article:
This was the second blog I found while searching oauth2-proxy with istio, he uses Envoy Filter for authorization, but latest istio provides external authorization Today I was successful in redirecting unauthorized request to oauth-proxy2 with istio external authorization, now facing problem after authentication says login failed CSRF token not found
and later:
Implemented this method sucessfully will share a blog if got time.
See also Better External Authorization.
Related
Is there any token introspection endpoint available in ADFS?
I am using the oauth2 configuration to get the token. I can verify the token in the resource server by jwks keys. I am able to check the validity of the token. but not the actual status. I was trying using the tutorial for checking the status. but I can't find the introspection endpoint.
This OAuth standard specifies that there will be one introspection endpoint.
I am not sure that https://adfs_domain/adfs/oauth2/token/introspect this URL is correct. but when I tried I got
Error details: MSIS7065: There are no registered protocol handlers on
path /adfs/oauth2/token/introspect to process the incoming request.
can anyone help?
No - this endpoint is not implemented.
You can see the list of available endpoints in the ADFS wizard / Services / Endpoints.
I want to implement an api gateway for a bunch of micro services running on laravel. In front of the gateway there is an angular client where the user has to login with the username and password. The idea is that the user sends the request with the credentials to the gateway which forwards it to the authentication service. If the data is correct, a token will be issued, which will be included in every further request.
I think I will implement the gateway with kong and the oauth2 plugin. I have already looked at their documentation https://docs.konghq.com/hub/kong-inc/oauth2/#resource-owner-password-credentials but I don't really understand the flow.
Does the angular client have to communicate directly with the authentication service on the first request? And if so, does the authentication service need an own url? I think it would make more sense if all the request would go through the gateway, wouldn't it?
Thank you!
From what I understood, your angular app can send username:password to kong gateway and that will proxy the request to your authentication service. You can verify if the user is legit in your auth service.
1) if legit, then make a request to /oauth2/token endpoint provided by kong's oauth2 plugin. Kong will return your auth service an access_token which you can return back to the user
2) If not legit then throw an error.
Does the angular client have to communicate directly with the authentication service on the first request?
Only if your auth service is a third party service you can do that.
I have a rest service which stores comments from the users in the database, my architecture is an angular fronted which connects to a load balancer server (zuul) which connects to an auth server to generate the jwt.
With the jwt the frontend generate the requests to the same zuul server with the jwt, this zuul server validate the jwt and if valid will connect to another backend service to store the comment.
The backend service where the comment is stored doesn't have any security validation all endpoints are accessible as the route of this microservices are not going to be exposed? Is there any risk on this?
As there is no jwt reaching the "comment backend service" how can I get the user that actually made the request? Should I implement some kind of filter in the zuul server to get the logged user from the jwt token and include the information in the request that is being sent to the "comment backend service"? If this is possible, any ideas on how to implement it?
Thanks
Regards
By default, Zuul considers the Authorization header as a sensitive header and it will not pass it downstream. So the first thing you need to do is to update Zuul configurations. Read the documentation here.
After that, in each of your downstream service, you need to add the capability to read the JWT token from the Authorization header and extract relevant information such as username, etc.
How API Gateway and Micro services works.
Could anyone explain the basic flow of Micro service architecture with Gateway. I couldn't find the proper answer.
Say we have auth server and customer micro service running on separate instances and in front of all the services we have an API gateway.
My question is.
when user try to log in using username and password, the API gateway call auth server and return the access token to user.
Then user trying to access the specific url (/customers - customer micro service) that is running on separate instance.
what API Gateway do ?
validate the token with auth server and get the user id and pass the request to customer service with the user id ?
OR
validate the token and pass the request to customer microservice with the access token ? and customer microservice responsible is to the check the user id (Make an HTTP call to auth server) ?
I think that the most common approach is to use API gateway also as a security gateway, which means that API gateway is responsible for SSL termination and token validation. If token validation is successfully you can put user ID or user API key as a header and forward the request to microservice. Moreover you may also decide to perform not only authentication but also authorisation on the API gateway (usually with help of API management solutions).
Regarding your option #2 - I see no point in validating token 2 times. Best practise is to perform security validations on the edge, because in case of failed validation you use less resources (reject earlier)
To Answer your question , it is close to option #2 that you have mentioned . The API gateway will generally check the validity of the authentication token and then pass over the request to your micro-service . However you need to decide at design time if your micro-service will also do another level of verification of the token.
Please do note that the API gateway will not be enforcing Authorization , the authorization is something that your micro-service will have to enforce.
i am currently building a security solution in spring cloud microservices.
when combining springs OAuth2 and Zuul implementation, it is quite easy to build an authenticationprocess like:
user calls the ui, which knows initially: user is not authenticated
redirect to auth server to ask the user for his login creds
redirects him back to the ui, providing a code or token.
I would prefer a flow with password authentication flow, in a way where the auth server is behind zuul
For example:
1.2.3.4:8080 is Zuul (with a UI with angularJS), domain "example.com"
1.2.3.5:9000 is the Auth Server
I could configure the zuul in a way, to access 1.2.3.5:9000 directly, passing form fields AND basic authentication to pass the client id.
since the auth server registers itself to eureka, I could also use "example.com/auth_server", which is the same, but managed through zuul. Alternatively I could also configure it manually....nevertheless:
Password authentication does not work, since Zuul is removing the basic authentication header from call....
at this point, I see I am doing something wrong...because the edge serve COULD have it's own security solution and tunneling the basic authentication to auth may be not the best way....but
HOW can I manage password authentication with ouath2 through zuul?
Please Help :)
By default "Cookie", "Set-Cookie", "Authorization" are marked as sensitive headers on a route and are not forwarded. Setting zuul.routes.myroute.sensitiveHeaders='' should allow you to pass those headers through, though I'm not sure it's the best idea.
The problem was a late working session in the evening :)
The component making the request didn't send the authorization since some updates which led to no headers ever reached the edge server.
Obviously, everything works as intended if basic or bearer authorization headers are passed over