JWT feature of the microservice gateway¶
The microservice engine gateway supports JWT validation. Here's how to use this feature.
Prerequisites¶
- Create a cluster OR Integrate a cluster
- Create a gateway
- Prepare a Token and the JWKS application used to validate the Token. If you do not already have a JWKS application, see Create JWKS App to create one.
Steps¶
1. Create a JWT plugin in the plugin center with the following settings:
   - Plugin name: The unique name used to identify this JWT policy (required)
   - Plugin type: Select JWT
   - JWKS cache time: How long the fetched JWKS is kept in memory. No repeated requests to the JWKS server are made within the cache validity period.
   - Token passthrough: Whether to forward the JWT token to the backend service
   - Issuer: Expected token issuer. If left empty, the issuer is not verified.
   - Audiences: Expected token audiences. If left empty, the audience is not verified.
   - Access address: The complete FQDN address of the JWKS service that returns the JWKS content (required)
   - Timeout: Response timeout for the JWKS server. JWKS retrieval fails if the server does not respond within this period.
   - Description: Description of the plugin
2. Refer to Creating a Domain to create a domain with the protocol set to https. Enable JWT authentication in the domain's security policy and select the JWT plugin created in the previous step. The selected JWT plugin's configuration is displayed below the selection.
3. Refer to Adding an API to create an API and select the domain configured with the JWT plugin. By default, if the API uses a domain with the JWT plugin, JWT authentication is enabled for the API; at the API level you can disable JWT authentication for the current API. If the API uses a domain without the JWT plugin, JWT authentication cannot be enabled at the API level.
4. Verify access with the Token. If the request succeeds, the JWT policy is configured correctly.
Create the JWKS application¶
If no JWKS application exists in the current environment, follow these steps to deploy one.

1. Download the JWKS generator code locally.
2. Run the JWKS generator locally and open http://localhost:8080. If the generator's page is displayed, it is running locally.
3. Fill in the form as described below and click Generate to produce the JWKS content:
   - KeySize: Size of the generated secret in bits. Enter 256
   - KeyUse: Key usage. Select signature (sig)
   - Algorithm: Signing algorithm. Select HS256
   - KeyID: Optional; used to select the matching key when the JWKS contains multiple keys
4. Copy the value of k from the generated JWKS and open https://jwt.io to generate a Token:
   - Select HS256 as the algorithm
   - Paste the copied k value into the secret field and check "secret base64 encoded"
5. Create the YAML file based on the YAML Template, then install the JWKS application with the kubectl apply command:
   - Change namespace to the namespace where the gateway resides, in this example envoy-yang
   - Change jwks.json to the JWKS content generated in Step 3 above

The YAML file configured in this example is shown below.
all-in-one.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: remote-jwks-go
  name: remote-jwks-go
  namespace: envoy-yang
spec:
  selector:
    matchLabels:
      app: remote-jwks-go
  template:
    metadata:
      labels:
        app: remote-jwks-go
    spec:
      containers:
        - args:
            - jwks
            - -c
            - /app/jwks.json
          command:
            - main
          image: release-ci.daocloud.io/skoala/demo/remote-jwks-go:0.1.0
          imagePullPolicy: IfNotPresent
          name: remote-jwks-go
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /app/jwks.json
              subPath: jwks.json
      volumes:
        - name: config
          configMap:
            name: jwks-config
      restartPolicy: Always
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
---
apiVersion: v1
kind: Service
metadata:
  name: remote-jwks-go
  namespace: envoy-yang
  labels:
    app: remote-jwks-go
spec:
  type: NodePort
  ports:
    - port: 8080
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: remote-jwks-go
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: jwks-config
  namespace: envoy-yang
  labels:
    app: remote-jwks-go
data:
  jwks.json: |+
    {
      "keys": [
        {
          "kty": "oct",
          "use": "sig",
          "k": "veb4HPc6oaEAsCikZ7rzTKmu9LkOU4LpDUKBxFjnBcc",
          "alg": "HS256"
        }
      ]
    }
6. Access port 8080 of the application. If "success" is displayed, the application is installed. The JWKS address is composed of gateway url/jwks, e.g. http://13.5.245.34:31456/jwks. You can view the gateway address on the gateway overview page of the Microservice Engine.
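As an added example (not part of this page, the gateway, or the remote-jwks-go application), the following Python script, using only the standard library, reproduces the round trip that the plugin settings and the JWKS procedure above describe: it builds a JWKS in the shape the generator emits (kty oct, use sig, alg HS256), mints an HS256 token the way jwt.io does with "secret base64 encoded" ticked, and then validates the token as the plugin fields describe: signature against the JWKS key selected by kid, exp/nbf, and Issuer and Audiences only when they are configured, with a small cache standing in for the JWKS cache time. The key identifier, claims and secret are constructed values, and JwksCache, verify_token and check are names chosen for this example.

```python
"""Added example (not the gateway's or remote-jwks-go's code): a JWKS/HS256
round trip that mirrors the checks the JWT plugin settings describe."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwks(secret: bytes, kid: str) -> dict:
    """Build a JWKS document in the shape the generator on the page emits
    (kty=oct, use=sig, alg=HS256); "k" is the base64url-encoded secret."""
    return {"keys": [{"kty": "oct", "use": "sig", "alg": "HS256", "kid": kid,
                      "k": b64url_encode(secret)}]}


def sign_token(claims: dict, secret: bytes, kid: str) -> str:
    """Mint an HS256 JWT, as jwt.io does with "secret base64 encoded" ticked."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + seg(claims)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


class JwksCache:
    """Keeps a fetched JWKS for ttl seconds (the plugin's "JWKS cache time")."""
    def __init__(self, fetch, ttl: float):
        self._fetch, self._ttl = fetch, ttl
        self._doc, self._expires, self.fetch_count = None, 0.0, 0

    def get(self, now: float) -> dict:
        if self._doc is None or now >= self._expires:
            self._doc, self._expires = self._fetch(), now + self._ttl
            self.fetch_count += 1
        return self._doc


def verify_token(token: str, jwks: dict, issuer=None, audiences=None, now=None) -> dict:
    """Validate a token the way the plugin fields describe: signature against the
    JWKS key, then exp/nbf, then Issuer and Audiences only when configured.
    Returns the claims or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # never let the header pick the algorithm
        raise ValueError("unsupported alg")
    keys = [k for k in jwks.get("keys", [])
            if k.get("kty") == "oct" and k.get("alg") == "HS256"
            and k.get("use", "sig") == "sig"]
    if "kid" in header:  # KeyID selects the key when the JWKS holds several
        keys = [k for k in keys if k.get("kid") == header["kid"]]
    if len(keys) != 1:
        raise ValueError("no unique matching key in JWKS")
    expected = hmac.new(b64url_decode(keys[0]["k"]), (h64 + "." + p64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if audiences:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(audiences):
            raise ValueError("audience mismatch")
    return claims


def check(token: str, jwks: dict, **kw) -> str:
    """Return "ok" or the reason the gateway-style check would reject the token."""
    try:
        verify_token(token, jwks, **kw)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    secret = b"constructed-32-byte-demo-secret!"  # constructed; 32 bytes = KeySize 256
    jwks = make_jwks(secret, "demo-key")
    cache = JwksCache(lambda: jwks, ttl=300)  # stands in for fetching the Access address
    token = sign_token({"iss": "https://issuer.example", "aud": "gateway",
                        "exp": int(time.time()) + 600}, secret, "demo-key")
    print(check(token, cache.get(time.time()),
                issuer="https://issuer.example", audiences=["gateway"]))
```

Because an oct key is symmetric, the k value in the JWKS is the signing secret itself: anyone who can read the JWKS can mint tokens that pass this check, so the JWKS service should be reachable only by the gateway, and the JWKS cache time bounds how long a rotated key keeps being accepted.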