I am currently using Ingress-Nginx as the routing service for external traffic. However, there are very few articles describing how Ingress can use JWT authentication to protect internal APIs.
Can anyone share some information about this?
Best answer
According to research:
Different ways of authenticating API calls have merged into the form of OAuth 2.0 access tokens.
These are authentication credentials passed from client to API server, and typically carried as an HTTP header.
JSON Web Token (JWT), defined by RFC 7519, is one of them.
According to the documentation:
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
This mechanism can be applied using different ingress controllers, such as the kubernetes nginx-ingress or the nginxinc ingress controller.
According to the nginx inc documentation:
The NGINX auth_request module is used to validate tokens on behalf of backend services.
Requests reach the backend services only when the client has presented a valid token.
Existing backend services can be protected with access tokens, without requiring code changes.
Only the NGINX instance (not every app) need be registered with the IdP.
Behavior is consistent for every error condition, including missing or invalid tokens.
So for NGINX acting as a reverse proxy for one or more applications, we can use the auth_request module to trigger an API call to an IdP before proxying a request to the backend.
To use an existing service that provides authentication, the Ingress rule can be annotated with nginx.ingress.kubernetes.io/auth-url to indicate the URL where the HTTP request should be sent.
Here you can find a working example: nginx-subrequest-auth-jwt
This project implements a simple JWT validation endpoint meant to be used with NGINX's subrequest authentication, and specifically works well with the Kubernetes NGINX Ingress Controller external auth annotations.
It validates a JWT token passed in the Authorization header against a configured public key, and further validates that the JWT contains appropriate claims.
This example uses the PyJWT Python library, which allows you to encode and decode JSON Web Tokens (JWT).
Additional resources:
Hope this helps.
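As an added illustration (not code from the original answer or from the nginx-subrequest-auth-jwt project), here is a minimal auth_request-style validation endpoint in pure Python. It assumes an HS256 shared secret instead of the project's configured public key; it pins the algorithm, checks the signature and expiry, enforces required claims, and returns the 200/401 status that NGINX acts on for the subrequest.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret (assumption). The real project verifies against a
# configured public key (RS256) rather than a shared HS256 secret.
SECRET = b"constructed-demo-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; only used here to produce sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, required_claims: dict, secret: bytes = SECRET, now=None):
    """Return (ok, reason); reject bad structure, wrong alg, bad signature, expiry, claim mismatch."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "unexpected token structure"
    if header.get("alg") != "HS256":  # pin the algorithm; never accept alg "none"
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return False, "expired or missing exp"
    for k, v in required_claims.items():  # e.g. {"aud": "internal-api"}
        if payload.get(k) != v:
            return False, f"claim {k} mismatch"
    return True, "ok"

def auth_subrequest(headers: dict, required_claims: dict, now=None) -> int:
    """Status an auth_request endpoint returns to NGINX: 200 passes, 401 blocks."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    ok, _ = verify_token(auth[len("Bearer "):], required_claims, now=now)
    return 200 if ok else 401
```

In a real deployment the `auth_subrequest` logic sits behind the URL given in the nginx.ingress.kubernetes.io/auth-url annotation, and the ingress controller forwards the client's Authorization header to it.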
Regarding "kubernetes - How does Ingress support JWT authentication?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58494651/