Comments (19)
Any update on this?
I think JWT would be a great feature for Ambassador! I noticed a new repo was created for it specifically:
https://github.com/datawire/ambassador-auth-httpjwt
Are you guys looking for collaborators for it?
Best,
TM
My company is evaluating service meshes and currently uses JWTs with NGINX to listen on every request to update and validate JWTs. Would this mean that ambassador would be able to do something similar to NGINX's Authentication Based on Subrequest?
We just released Ambassador 0.9.0 today, which supports an external authentication service (see http://www.getambassador.io/user-guide/mappings.html#external-authentication for details). Ambassador does not currently natively support JWT (that's what this issue is about).
Given the support for an external authentication service, does that meet your needs? If not, specifics about what additional support you would need would be great!
The external auth service gets enough information to do this kind of check, yes. As Richard notes, knowing more about the specifics of how you use JWT (which signing method, etc) would be interesting too!
Ambassador sends a POST request to the External Auth, but my use case sends a GET request to my external auth. Would this be possible to configure?
@ethanrubio for some reason, GitHub lost your comment (I got it in email). This isn't supported today, but we could easily add it. I've opened #73 to track this issue.
Check out one I just made.
https://github.com/kminehart/abassador-auth-jwt
Whoa! That's great, @kminehart -- we'll check it out! :)
It's not perfect, I just made it yesterday/today. Any feedback would be appreciated.
Thanks! :)
@kminehart It might be worth including a sample Ambassador auth.yaml in your README -- is this what you use?
---
apiVersion: ambassador/v0
kind: Module
name: authentication
config:
  auth_service: {whatever you need}
  allowed_headers:
    - "x-jwt-payload"
---
apiVersion: ambassador/v0
kind: Module
name: authentication
config:
  auth_service: {whatever you need}
  allowed_headers:
    - "Authorization"
To my understanding, JWTs are by convention provided as Authorization: Bearer xxxxxxxxxx, so that's the only thing I left unconfigurable.
Ah, the allowed_headers are headers allowed to come from the auth service back to Ambassador...
Ahhhh I see. Then yes. :)
my bad
One issue I encountered which may warrant creating a new issue is if I did not include a path prefix for the authentication module then it would put me in a redirect loop.
Here are some successful tests!
No JWT provided
user kminehart/ambassador-auth-jwt ‹master*› » curl -L -v -X POST ambassador.example.com
* Rebuilt URL to: ambassador.example.com/
* Trying ambassador.example.com...
* TCP_NODELAY set
* Connected to ambassador.example.com (ambassador.example.com) port 80 (#0)
> POST / HTTP/1.1
> Host: ambassador.example.com
> User-Agent: curl/7.56.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Wed, 18 Oct 2017 18:10:42 GMT
< content-length: 77
< x-envoy-upstream-service-time: 0
< server: envoy
<
Unable to retrieve jwt from header 'Authorization' or cookie 'session_token'
* Connection #0 to host ambassador.example.com left intact
Completely wrong jwt provided
user kminehart/ambassador-auth-jwt ‹master*› » curl -L -v -X POST ambassador.example.com -H "Authorization: Bearer asdf"
* Rebuilt URL to: ambassador.example.com/
* Trying ambassador.example.com...
* TCP_NODELAY set
* Connected to ambassador.example.com (ambassador.example.com) port 80 (#0)
> POST / HTTP/1.1
> Host: ambassador.example.com
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer asdf
>
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Wed, 18 Oct 2017 18:10:49 GMT
< content-length: 45
< x-envoy-upstream-service-time: 0
< server: envoy
<
token contains an invalid number of segments
* Connection #0 to host ambassador.example.com left intact
Environment variable CHECK_EXP = true, exp in token's payload < today's datetime (UTC) (aka token is expired)
user kminehart/ambassador-auth-jwt ‹master*› » curl -L -v -X POST ambassador.example.com -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMDgtMTdUMjE6MDA6MDBaIn0.q6I230AY0rZWrW1hEcPxAjUhbQ_Odh6JKl9iEA78Va0"
* Rebuilt URL to: ambassador.example.com/
* Trying ambassador.example.com...
* TCP_NODELAY set
* Connected to ambassador.example.com (ambassador.example.com) port 80 (#0)
> POST / HTTP/1.1
> Host: ambassador.example.com
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMDgtMTdUMjE6MDA6MDBaIn0.q6I230AY0rZWrW1hEcPxAjUhbQ_Odh6JKl9iEA78Va0
>
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Wed, 18 Oct 2017 18:10:57 GMT
< content-length: 22
< x-envoy-upstream-service-time: 19
< server: envoy
<
This token is expired
* Connection #0 to host ambassador.example.com left intact
Token signed with different key
user kminehart/ambassador-auth-jwt ‹master*› » curl -L -v -X POST ambassador.example.com -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMDgtMTdUMjE6MDA6MDBaIn0.S7oY3ruCarDHkR0a_bSJ6Jz6LJs7-5fEsrMQCOjBnqg"
* Rebuilt URL to: ambassador.example.com/
* Trying ambassador.example.com...
* TCP_NODELAY set
* Connected to ambassador.example.com (ambassador.example.com) port 80 (#0)
> POST / HTTP/1.1
> Host: ambassador.example.com
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMDgtMTdUMjE6MDA6MDBaIn0.S7oY3ruCarDHkR0a_bSJ6Jz6LJs7-5fEsrMQCOjBnqg
>
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< date: Wed, 18 Oct 2017 18:11:42 GMT
< content-length: 21
< x-envoy-upstream-service-time: 17
< server: envoy
<
signature is invalid
* Connection #0 to host ambassador.example.com left intact
Valid token (but 404 on my service)
user kminehart/ambassador-auth-jwt ‹master*› » curl -L -v -X POST ambassador.example.com -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMTEtMTdUMjE6MDA6MDBaIn0.asmHH-xZdV6JdaUOFttHIe4Vn5EBANHJFKKBozVzxzk"
* Rebuilt URL to: ambassador.example.com/
* Trying ambassador.example.com...
* TCP_NODELAY set
* Connected to ambassador.example.com (ambassador.example.com) port 80 (#0)
> POST / HTTP/1.1
> Host: ambassador.example.com
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMTEtMTdUMjE6MDA6MDBaIn0.asmHH-xZdV6JdaUOFttHIe4Vn5EBANHJFKKBozVzxzk
>
< HTTP/1.1 404 Not Found
< date: Wed, 18 Oct 2017 18:12:11 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host ambassador.example.com left intact
Same thing but with PUT
user kminehart/ambassador-auth-jwt ‹master*› » curl -L -v -X PUT ambassador.example.com -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMTEtMTdUMjE6MDA6MDBaIn0.asmHH-xZdV6JdaUOFttHIe4Vn5EBANHJFKKBozVzxzk"
* Rebuilt URL to: ambassador.example.com/
* Trying ambassador.example.com...
* TCP_NODELAY set
* Connected to ambassador.example.com (ambassador.example.com) port 80 (#0)
> PUT / HTTP/1.1
> Host: ambassador.example.com
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwMTctMTEtMTdUMjE6MDA6MDBaIn0.asmHH-xZdV6JdaUOFttHIe4Vn5EBANHJFKKBozVzxzk
>
< HTTP/1.1 404 Not Found
< date: Wed, 18 Oct 2017 18:12:45 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host ambassador.example.com left intact
Envoy recently added JWT verification.
Has anyone tried using that with Ambassador yet?
On GKE, IAP provides an authorization service and can automatically redirect requests. All we need to do with Ambassador is ensure there is a valid JWT to ensure traffic went through IAP.
We'd love to have some help! If you're interested, even some research into a general design proposal would be helpful. Off the top of my head, there are two possibilities for implementation:
- A third party authentication service, such as the GitHub link you reference
- Using Envoy's functionality, as Jeremy posted
The Envoy functionality seems like it would be nicer, but I haven't done any deep research.
Just for some insight into a work model we have now:
The strategy we went with kept the whole thing pretty simple.
- The middleware reads the JWT in the Authorization header
- If the JWT is signed using the correct key, then it puts the payload in a header in the request (X-Jwt-Payload, by default)
- If the JWT is invalid or not signed properly, then the header is left empty.
- All requests return 200 OK
I leave it up to the service to decide whether or not the request is valid based on the information in the JWT payload, and whether or not the JWT payload even exists.
I'd like to see how it'd be done if Envoy handled JWTs.
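The "always 200, forward the payload in a header" model described in the comment above, and the external-auth-service role discussed earlier in the thread, as an added example that is not code from kminehart's repository or from Ambassador. It assumes HS256 tokens with a string-valued RFC 3339 "exp" claim (the form the sample tokens in the curl output use), a constructed demo key, and the hypothetical names verifyHS256, authHandler and decide; the failure messages are chosen to mirror the ones shown in the curl sessions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed demo key so the example runs offline; a deployment loads its
// verification key from a secret, never from source.
var demoKey = []byte("constructed-demo-key-not-for-real-use")

// signHS256 mints an HS256 token over a payload. Only the sample inputs need it;
// the gateway side of this example never signs anything.
func signHS256(payload, key []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}

// verifyHS256 returns the decoded payload when the token has three segments,
// declares alg HS256, carries a valid HMAC under key and, if checkExp is set,
// has an RFC 3339 "exp" later than now. Messages mirror the thread's curl output.
func verifyHS256(token string, key []byte, checkExp bool, now time.Time) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token contains an invalid number of segments")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err1 := dec(parts[0])
	payload, err2 := dec(parts[1])
	sig, err3 := dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token segments are not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// The verifier pins the algorithm; the token header does not get to choose it.
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected signing method")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("signature is invalid")
	}
	if checkExp {
		var c struct{ Exp string `json:"exp"` }
		// A missing or unparsable exp counts as expired, never as open-ended.
		exp, perr := time.Time{}, errors.New("no exp")
		if json.Unmarshal(payload, &c) == nil {
			exp, perr = time.Parse(time.RFC3339, c.Exp)
		}
		if perr != nil || !now.Before(exp) {
			return nil, errors.New("token is expired")
		}
	}
	return payload, nil
}

// bearerToken pulls the token out of "Authorization: Bearer <token>".
func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	if len(h) < 7 || !strings.EqualFold(h[:7], "bearer ") {
		return "", false
	}
	return strings.TrimSpace(h[7:]), true
}

// authHandler is the pass-through model from the thread: every request is
// answered 200, a verified payload is returned in X-Jwt-Payload for the gateway
// to copy upstream, and an invalid or missing token leaves that header unset.
func authHandler(key []byte, checkExp bool, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tok, ok := bearerToken(r); ok {
			if payload, err := verifyHS256(tok, key, checkExp, now()); err == nil {
				w.Header().Set("X-Jwt-Payload", string(payload))
			}
		}
		w.WriteHeader(http.StatusOK)
	})
}

// decide drives one request through the handler and reports the status and the
// payload header the gateway would forward (test helper).
func decide(h http.Handler, authorization string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-Jwt-Payload")
}

func main() {
	h := authHandler(demoKey, true, time.Now)
	payload := []byte(`{"sub":"1234567890","name":"John Doe","exp":"2099-01-01T00:00:00Z"}`)
	fmt.Println(decide(h, "Bearer "+signHS256(payload, demoKey))) // 200 and the payload JSON
	fmt.Println(decide(h, "Bearer asdf"))                         // 200 and an empty header
}
```

Because this model answers 200 for every request, the authorization decision lives entirely in the upstream service: it has to treat an empty X-Jwt-Payload as anonymous, and the gateway must be the only source of that header (with Ambassador, the auth service's response header is only copied when it is listed in allowed_headers, as clarified earlier in the thread). Pinning the algorithm and using hmac.Equal are the two checks most often missing from home-grown verifiers.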
For Envoy there is a little process flow description in https://github.com/istio/proxy/tree/master/src/envoy/http/jwt_auth
This is now supported in Ambassador Pro, or, as pointed out above, is supported via the AuthService API.