Kusk Gateway Support for JWT #402

Closed
Tracked by #170
jasmingacic opened this issue May 12, 2022 · 8 comments · Fixed by #944

Comments

@jasmingacic
Contributor

No description provided.

@aabedraba

We should investigate for either JWT or API Keys. Let's have a discussion about it soon.

@jasmingacic
Contributor Author

API Keys are already handled by header auth; JWT is something else.

@mbana do you agree?

@aabedraba

We should really rename "Header auth" to "Custom Auth Upstream" or something of that sort, because that really reflects what it is.

But in any case, it is possible to achieve now API Keys through custom upstream... In fact even JWT would be possible to achieve with the same method...

I was thinking we should have a dedicated auth policy for both JWT and API Keys. Question is which one is first.

@jasmingacic jasmingacic added this to the 1.4.0 milestone Oct 8, 2022
@jasmingacic
Contributor Author

Refreshing this issue and putting it in our scope.

Essentially we'd have to do something similar to this:

```yaml
x-kusk:
  auth:
    jwt:
      providers:
        provider1:
          issuer: https://provider1.com
          local_jwks:
            inline_string: PUBLIC-KEY
        provider2:
          issuer: https://provider2.com
          local_jwks:
            inline_string: PUBLIC-KEY
      rules:
      - match:
          prefix: /any
        requires:
          requires_any:
            requirements:
            - provider_name: provider1
            - provider_name: provider2
      - match:
          prefix: /all
        requires:
          requires_all:
            requirements:
            - provider_name: provider1
            - provider_name: provider2
```
...

We should adhere to how it is done in Envoy; see below:
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter#config-http-filters-jwt-authn

The easy thing is that the JWT implementation is very granular and is handled by the "prefix" filter.
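
The rule semantics sketched in the comment above (first matching `prefix`, then `requires_any` or `requires_all` across providers), as an added Go example that is not code from this thread or from Kusk Gateway. `Provider`, `Rule`, `validFor` and `Authorize` are hypothetical names; EdDSA (Ed25519) keys are assumed so that only the standard library is needed, and tokens are passed in as a plain list rather than extracted from request headers.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Provider mirrors one `providers` entry: an issuer and its public key (hypothetical type).
type Provider struct{ Issuer string; Key ed25519.PublicKey }

// Rule mirrors one `rules` entry: All=false is requires_any, All=true is requires_all.
type Rule struct{ Prefix string; All bool; Providers []string }

// validFor reports whether token is an unexpired EdDSA JWT issued and signed by p.
func validFor(token string, p Provider, now time.Time) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	var hdr struct{ Alg string }
	var claims struct{ Iss string; Exp int64 }
	dec := func(s string, v any) bool {
		b, err := base64.RawURLEncoding.DecodeString(s)
		return err == nil && json.Unmarshal(b, v) == nil
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	// Pin algorithm and issuer: the token header must not choose how it is verified.
	if err != nil || !dec(parts[0], &hdr) || !dec(parts[1], &claims) ||
		hdr.Alg != "EdDSA" || claims.Iss != p.Issuer || claims.Exp <= now.Unix() {
		return false
	}
	return ed25519.Verify(p.Key, []byte(parts[0]+"."+parts[1]), sig)
}

// Authorize applies the first rule whose prefix matches path to the presented tokens.
func Authorize(path string, tokens []string, ps map[string]Provider, rules []Rule, now time.Time) bool {
	for _, r := range rules {
		if !strings.HasPrefix(path, r.Prefix) {
			continue
		}
		passed := 0 // providers for which some presented token verified
		for _, name := range r.Providers {
			for _, t := range tokens {
				if p, ok := ps[name]; ok && validFor(t, p, now) {
					passed++
					break
				}
			}
		}
		// A rule that lists no providers denies here (fail closed).
		return passed > 0 && (!r.All || passed == len(r.Providers))
	}
	return true // no rule matched: this path is not JWT-protected
}

func main() {
	rules := []Rule{{Prefix: "/any", Providers: []string{"provider1", "provider2"}}}
	fmt.Println(Authorize("/any/x", nil, nil, rules, time.Now()), Authorize("/open", nil, nil, rules, time.Now()))
}
```

In this sketch a path that matches no rule is served without any token, so the rule prefixes have to cover every route that must be protected.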

@aabedraba aabedraba changed the title JWT Kusk Gateway Support for JWT Oct 12, 2022
@mbana mbana self-assigned this Oct 13, 2022
@jasmingacic
Contributor Author

Thinking of this, we should maybe do something like:

```yaml
x-kusk:
  auth:
    jwt:
      providers:
        provider1:
          issuer: https://provider1.com
          local_jwks:
            inline_string: PUBLIC-KEY
        provider2:
          issuer: https://provider2.com
          local_jwks:
            inline_string: PUBLIC-KEY

paths:
  /hello:
    x-kusk:
      jwt:
        rules: | # logical OR; in Envoy terms this would match requires_any
          - provider1
            provider2
        # alternatively, for logical AND (requires_all in Envoy):
        #   - provider1
        #   - provider2
```

@mbana
Contributor

mbana commented Oct 14, 2022

@jasmingacic
Contributor Author

Let's take inspiration from anywhere.

This is an important feature needed to enable another user.

@jasmingacic jasmingacic modified the milestones: 1.4.0, 1.5.0 Oct 27, 2022
mbana added a commit that referenced this issue Nov 1, 2022
See: <#402>.

Change `kubeshop/kusk-gateway` to `v1.3.21`:

```
$ pwd
kusk-gateway/cmd/kusk
$ VERSION=v1.3.21 make build
```

Signed-off-by: Mohamed Bana <mohamed@bana.io>
@aabedraba

aabedraba commented Nov 8, 2022

```yaml
openapi: 3.1.0
info:
  title: My API
  version: 1.0.0
x-kusk:
  auth:
    jwt:
      issuer: https://my-issuer.com # required

      jwks: https://my-issuer.com/.well-known/jwks.json
      # either/or
      jwks_config_ref:
        name: my-secret
        namespace: jwks

      audience: my-audience # optional
paths:
  /:
    x-kusk:
      auth:
        jwt:
          issuer: https://my-issuer.com
          jwks: https://my-issuer.com/.well-known/jwks.json
    get:
      x-kusk:
        auth:
          jwt:
            issuer: https://my-issuer.com
            jwks: https://my-issuer.com/.well-known/jwks.json
      operationId: get-root
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: Hello World!
```

@mbana mbana moved this to In Progress in Kusk Gateway Product Backlog Nov 22, 2022
mbana added a commit that referenced this issue Nov 22, 2022
Issue and Discussion
====================

See: #402.

Resolves #402.

Summary
=======

1. Parse JWT options.
2. Add JWT examples.
3. Split `auth` into `auth_custom.go`, `auth_oauth2.go` and `auth_jwt.go`.
4. Add `check-auth_jwt` smoke test.
5. Run `make generate && make manifests`.
6. Added stub JWT documentation.
7. Optimize `Makefile` by only calling `go install` in the `install-deps` target if the binaries do not already exist.

Changes
=======

`examples/auth/jwt/oauth0/**`
-----------------------------

Add JWT example.

`config/default/kustomization.yaml`, `config/manager/configmap.yaml` and `cmd/kusk/cmd/manifest_data.go`
--------------------------------------------------------------------------------------------------------

Change `kubeshop/kusk-gateway` to `v1.3.24`, and run `(cd cmd/kusk && VERSION=v1.3.24 make build)`.

References
==========

* https://github.com/projectcontour/contour/blob/main/internal/envoy/v3/listener.go#L746
* https://github.com/projectcontour/contour/blob/main/internal/dag/dag.go#L673
* https://docs.mia-platform.eu/docs/development_suite/api-console/advanced-section/api-gateway-envoy/jwt-authn
* https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/

---

Signed-off-by: Mohamed Bana <mohamed@bana.io>
mbana added a commit that referenced this issue Nov 22, 2022
See: <#402>.

Change `kubeshop/kusk-gateway` to `v1.3.21`:

```
$ pwd
kusk-gateway/cmd/kusk
$ VERSION=v1.3.21 make build
```

Signed-off-by: Mohamed Bana <mohamed@bana.io>
mbana added a commit that referenced this issue Nov 23, 2022
Issue and Discussion
====================

See: #402.

Resolves #402.

Summary
=======

1. Parse JWT options.
2. Add JWT examples.
3. Split `auth` into `auth_custom.go`, `auth_oauth2.go` and `auth_jwt.go`.
4. Add `check-auth_jwt` smoke test.
5. Run `make generate && make manifests`.
6. Added stub JWT documentation.
7. Optimize `Makefile` by only calling `go install` in the `install-deps` target if the binaries do not already exist.

Changes
=======

`examples/auth/jwt/oauth0/**`
-----------------------------

Add JWT example.

`config/default/kustomization.yaml`, `config/manager/configmap.yaml` and `cmd/kusk/cmd/manifest_data.go`
--------------------------------------------------------------------------------------------------------

Change `kubeshop/kusk-gateway` to `v1.3.24`, and run `(cd cmd/kusk && VERSION=v1.3.24 make build)`.

References
==========

* https://github.com/projectcontour/contour/blob/main/internal/envoy/v3/listener.go#L746
* https://github.com/projectcontour/contour/blob/main/internal/dag/dag.go#L673
* https://docs.mia-platform.eu/docs/development_suite/api-console/advanced-section/api-gateway-envoy/jwt-authn
* https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/

---

Signed-off-by: Mohamed Bana <mohamed@bana.io>
mbana added a commit that referenced this issue Nov 23, 2022
Issue and Discussion
====================

See: #402.

Resolves #402.

Summary
=======

1. Parse JWT options.
2. Add JWT examples.
3. Split `auth` into `auth_custom.go`, `auth_oauth2.go` and `auth_jwt.go`.
4. Add `check-auth_jwt` smoke test.
5. Run `make generate && make manifests`.
6. Added stub JWT documentation.
7. Optimize `Makefile` by only calling `go install` in the `install-deps` target if the binaries do not already exist.

Changes
=======

`examples/auth/jwt/oauth0/**`
-----------------------------

Add JWT example.

`api/v1alpha1/staticroute_webhook.go`
-------------------------------------

Only allow `auth.oauth2` to be specified.

`config/default/kustomization.yaml`, `config/manager/configmap.yaml` and `cmd/kusk/cmd/manifest_data.go`
--------------------------------------------------------------------------------------------------------

Change `kubeshop/kusk-gateway` to `v1.3.24`, and run `(cd cmd/kusk && VERSION=v1.3.24 make build)`.

References
==========

* https://github.com/projectcontour/contour/blob/main/internal/envoy/v3/listener.go#L746
* https://github.com/projectcontour/contour/blob/main/internal/dag/dag.go#L673
* https://docs.mia-platform.eu/docs/development_suite/api-console/advanced-section/api-gateway-envoy/jwt-authn
* https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/

---

Signed-off-by: Mohamed Bana <mohamed@bana.io>
mbana added a commit that referenced this issue Nov 24, 2022
Issue and Discussion
====================

See: #402.

Resolves #402.

Summary
=======

1. Parse JWT options.
2. Add JWT examples.
3. Split `auth` into `auth_custom.go`, `auth_oauth2.go` and `auth_jwt.go`.
4. Add `check-auth_jwt` smoke test.
5. Run `make generate && make manifests`.
6. Added stub JWT documentation.
7. Optimize `Makefile` by only calling `go install` in the `install-deps` target if the binaries do not already exist.

Changes
=======

`examples/auth/jwt/oauth0/**`
-----------------------------

Add JWT example.

`api/v1alpha1/staticroute_webhook.go`
-------------------------------------

Only allow `auth.oauth2` to be specified.

`config/default/kustomization.yaml`, `config/manager/configmap.yaml` and `cmd/kusk/cmd/manifest_data.go`
--------------------------------------------------------------------------------------------------------

Change `kubeshop/kusk-gateway` to `v1.3.24`, and run `(cd cmd/kusk && VERSION=v1.3.24 make build)`.

References
==========

* https://github.com/projectcontour/contour/blob/main/internal/envoy/v3/listener.go#L746
* https://github.com/projectcontour/contour/blob/main/internal/dag/dag.go#L673
* https://docs.mia-platform.eu/docs/development_suite/api-console/advanced-section/api-gateway-envoy/jwt-authn
* https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/

---

Signed-off-by: jasmingacic <jasmin.gacic@gmail.com>
Co-authored-by: jasmingacic <jasmin.gacic@gmail.com>
Repository owner moved this from In Progress to Done in Kusk Gateway Product Backlog Nov 24, 2022