Skip to content

JWT feature of the microservice gateway

The microservice engine gateway supports JWT validation. Here"s how to use this feature.

Prerequisites

Steps

  1. Access a JWT plugin in the plugin center

    • Plugin name: The unique name of the JWKS used to identify the specific JWT policy (required)
    • Plugin type: Select JWT
    • JWKS cache time: The caching time of the JWKS in memory. No repeated requests to the JWKS server will be made within the cache validity period.
    • Token passthrough: Whether to send the JWT token information to the backend service
    • JWKS cache time: The complete FQDN address of the JWT service returning the JWKS content (required)
    • Issuer: Token issuer authentication. If not filled, no verification will be performed.
    • Audiences: Token audiences. If not filled, no verification will be performed.
    • Access address: The complete FQDN address of the JWT service returning the JWKS content (required)
    • Timeout: Response timeout for the JWKS server. JWKS retrieval fails if it exceeds the timeout period.
    • Description: Description information of the plugin
  2. Refer to Creating a Domain to create a domain with the protocol set to https. Enable JWT authentication in the domain's security policy and select the JWT plugin created in the previous step. The selected JWT plugin's configuration information will be displayed below.

  3. Refer to Adding an API to create an API and select the domain that was configured with the JWT plugin. By default, if the API uses a domain with the JWT plugin, JWT authentication will be enabled for the API. However, at the API level, you can disable JWT authentication for the current API. If the API uses a domain without the JWT plugin, JWT authentication cannot be enabled at the API level.

  4. Access verification with the Token. If the access is successful, it indicates that the JWT policy configuration is successful.

Create the JWKS application

If no JWKS application exists in the current environment, follow the following steps to deploy an application.

  1. Download the JWKS generator code locally.

    git clone https://github.com/projectsesame/jwks-generator
    
  2. Run the JWKS generator locally.

    mvn package -DskipTests && java -jar target/ROOT.war
    

    Go to http://localhost:8080. If the following screen appears, the JWKS generator is running locally successfully.

  3. Refer to the instructions below to fill in the information, click Generate to generate the JWKS content.

    • KeySize: Generates the size of secret. Enter 256
    • KeyUse: Use, select a signature
    • Algorithm: indicates the algorithm. Select HS256
    • KeyID: Optional, matching parameter when JWKS has multiple values
  4. Copy the value of k in the figure above and access https://jwt.io to generate a Token.

    • The algorithm selects HS256
    • Paste the copied k value into secret and check secret base64 encoded
  5. Create the YAML file based on YAML Template, and then install the JWKS application using the kubectl apply command

    • Change namespace to the namespace where the gateway resides, in this example envoy-yang
    • Change jwks.json to the JWKS content generated in Step 3 above
    The YAML file configured in this example is shown below
    all-in-one.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: remote-jwks-go
      name: remote-jwks-go
      namespace: envoy-yang
    spec:
      selector:
        matchLabels:
          app: remote-jwks-go
      template:
        metadata:
          labels:
            app: remote-jwks-go
        spec:
          containers:
            - args:
                - jwks
                - -c
                - /app/jwks.json
              command:
                - main
              image: release-ci.daocloud.io/skoala/demo/remote-jwks-go:0.1.0
              imagePullPolicy: IfNotPresent
              name: remote-jwks-go
              ports:
                - containerPort: 8080
                  name: http
                  protocol: TCP
              volumeMounts:
                - name: config
                  mountPath: /app/jwks.json
                  subPath: jwks.json
          volumes:
            - name: config
              configMap:
                name: jwks-config
          restartPolicy: Always
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
    
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: remote-jwks-go
      namespace: envoy-yang
      labels:
        app: remote-jwks-go
    spec:
      type: NodePort
      ports:
        - port: 8080
          targetPort: http
          protocol: TCP
          name: http
      selector:
        app: remote-jwks-go
    
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: jwks-config
      namespace: envoy-yang
      labels:
        app: remote-jwks-go
    data:
      jwks.json: |+
        {
          "keys": [
            {
            "kty": "oct",
            "use": "sig",
            "k": "veb4HPc6oaEAsCikZ7rzTKmu9LkOU4LpDUKBxFjnBcc",
            "alg": "HS256"
        }
          ]
        }
    
  6. The 8080 port of the application is accessed. If success is displayed, the application is successfully installed.

    JWKS address should be composed of gateway url/jwks, e.g. http://13.5.245.34:31456/jwks

    You can view the gateway address on the gateway overview page of the Micro Service Engine.

Comments