Is it possible to use spring cloud oauth 2 server with kubernetes api gateway ingress.
I have used it with zuul to authenticate user before making a call. Can I do similar with ingress?
Edit 1:
To explain it more clearly, what I am trying to achieve
I am using token based oAuth2 implementation given by the spring cloud.
oauth is running as one of the service behind the zuul.
zuul has routes mapped for the oauth server and resource server
client call the auth server via zuul and gets the token.
client call resource server via zuul with token passed
zuul is configured to validate the token before making a call to resource server.
In this way we can stop any downstream traffic to go without a valid token.
can we do token validation in ingress with auth server running with in a cluster?
I have not used Spring Cloud OAuth 2 but as OAuth is a standard I believe you can set it up if you are using Nginx Ingress as the ingress controller, you can specify and external Oauth Provider (As OAuth generally has the same flow) like this on your ingress:
...
metadata:
name: application
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
...
You can find more information here with an example of using GitHub as an OAuth provider
There are currently three different nginx-ingress-controllers (see here), which differ in functionality. I believe that none of these ingress controllers themselves can perform an oauth token introspection. However, requests can be routed to the authorization server's introspection interface using the auth_request module.
Specifically for your case, you can use the auth-url annotation (see) in the ingress controller to direct the requests to the introspection interface of the spring cloud oauth2 server (see). The introspection interface is available under /oaut/check_token by default when #EnableAuthorizationServer is used. If the introspection interface returns a 2XX, the ingress will forward the request. This functionality is based on the auth_request module, which expects a 2xx response code from the external service if the access is allowed and 401 or 403 if denied.
If you use JWTs and want to validate the request by only checking the signature, this can in some cases actually be done by the ingress itself. To my knowledge, only the nginx plus ingress controller (paid) can validate JWTs. But there is also the nginx-based kong-ingress controller, which you can equip with pulgins (see here). There is e.g. promoted with oauth2 integration and JWT validation.
Did you find out more than me?
Related
So I'm migrating some Spring Boot microservices from Kubernetes to OpenShift. Below is the simplified situation:
Service 1: Spring Boot application that handles, exposes 2 endpoints (login and authenticate). The authenticate service accepts the Authorization header containing a JWT token and validates that token. It returns 400 if the token doesn't exist and 403 is the user isn't authorized or the token is invalid and 200 if everything is valid.
Service 2: Spring Boot for some business service, exposes many endpoints and contains the annotation below in the Kubernetes Ingress so that all traffic is routed to the Service 1 for authentication before actually reaching Service 2
nginx.ingress.kubernetes.io/auth-url: "http://service1/authenticate?url=$request_uri&method=$request_method"
The problem is that when I migrated to OpenShift, all applications are working fine but the annotation that should route traffic to Service 1 doesn't seem to be working, since the authenticate service is never called.
I have searched the OpenShift documentation for days with no success, so any help would be much appreciated.
Probably this could help https://docs.openshift.com/container-platform/4.5/serverless/networking/serverless-ossm-jwt.html, Openshift ServiceMesh include Istio. Here is how to configure Istio JWT https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/. So there you could configure the Service 1 authenticate.
I am new to spring microservice world. As I am in learning phase, I tried and implemented the following things.
Authentication/Authorization as a separate microservice
Routing (Able to route using Spring cloud gateway)
Load balancing (Netflix Eureka)
Rate Limit and Circuit Breaker (Resilience4j)
I just need certain clarification and suggestion on what to do in these situations:
As I already had created Authentication/Authorization as a separate microservice centralized.
Now how can I implement such that every request must contain jwt token and pass-through API gateway to call other microservice also it should check which user has permission to access API in other microservice
If some has same good source so that I can learn please do share or if someone has a basic skeleton on GitHub.
Requests from outside your cluster should be intercepted/validated by Zuul (example) will be your gatekeeper which will pass the request to the request checker in this case would be your authentication service where the acquired token will be validated (this should exists at the header of the request). One tokens are validated, the request will be routed to the authorization service to check if the user has access to particular endpoint based on your rules defined for access.
I'm developing a back-end with microservices architecture. I'm new about that architecture and for now I have developed 3 microservices (RESTful web services, with Spring Boot) each in a container.
I want to implement OAuth2 and JWT Rest Protection and a gateway.
Is it correct to implement a gateway with Authorization Server and Resource Server?
Am I doing something wrong about the architecture?
Thanks for the replies
As per the standard, should not mix gateway with authorization because both the purposes are different.
Gateway
Gateway can be differentiated in two ways - Internal and External. Purpose of gateway is to route the call from external or internal to the protected resource.
Authorization Server
Authorization server comes into the picture for identity access management. All the request coming from external or internal via gateway should be authenticated or authorized before routing call to the protected resource with JWT or access token etc.
https://medium.com/swlh/authentication-and-authorization-in-microservices-how-to-implement-it-5d01ed683d6f
Authentication and Authorization - There should be a separate service that authentication the user (like supporting OAuth0 type of protocol and providing JWT Token). Your frontend should call API Gateway.
Now question comes at what granular level you are maintaining permissions - Only small set of roles or granular level of permission set. Now API Gateway should communicate with Authorization server with JWT and get the set of roles and permission. Based on the same, API gateway should forward or block the call to Microservice.
Even if you have small set of roles and JWT can be extracted and validated by Gateway but avoid to keep the same at Gateway as there are chances that you have to extract the functionality to some other service in near future.
Here is the authorization service. It has endpoints to login and receive a JWT using either a custom username/password or social OAuth (Facebook, GitHub etc.).
I have a Eureka server setup and Zuul gateway service. From what I understand, there are two ways to go about implementing secure microservices. You either proxy requests through the auth service, or you send requests to the requested service (Ex. Service A) and service A authorizes using the auth service.
I would like to use the second way, however I'm having trouble implementing it. Is my understanding correct? Is there a way to setup service A somehow so that certain paths (configured using Ant matchers) will have to authorize using the auth service, which will set the SecurityContext appropriately and inject a UserPrincipal into the request. If anyone can point me to a good guide for this that would be much appreciated.
I want to use Keycloak in a microservices based environment, where authentication is based on OpenID endpoints REST calls ("/token", no redirection to keycloak login page), a flow that I thought of would be something like this:
1. Front-end SPA retrieves the tokens from the "/token" endpoint and stores in browser's localStorage, then sends it with every request.
2. Gateway-level authentication: Acess Token is passed from the front end to the gateway, gateway consults Keycloak server to check if the token is still valid (not invalidated by a logout end-point call).
3. Micro-service based authorization: Acess Token is passed from the Gateway to the microservices, using Spring Boot adapter the microservices check the signature of the token offline (bearer-only client?) then based on the role in the token do the authorization.
My questions are: Does this flow make sense or can you suggest another flow? What type of Keycloak clients to use? What's an ideal way to pass Tokens using Spring Boot Adapter, and should it be done like that in the first place? Please keep in mind that I am not a Keycloak expert, I've done my research but I still have doubts.
Your Front-end SPA should be public-client and springboot micro service should be Bearer only Client and Gateway could be Confidential Client.
You can check the Keycloak provided oidc adapters. For springboot you use the keycloak provided adapter
Similar solution using api gateway is discussed here