free provider for .well-known/openid-configuration - jwt

Is there any free provider for .well-known/openid-configuration available so that we can do verification of a JWT token?

You verify JWT tokens using configuration provided by the service which issued the JWT token. The service which issued the tokens and signed them is responsible for providing any public keys needed to verify the JWT. So that service exposes a .well-known/openid-configuration endpoint.
If you are issuing your own tokens then you should be in possession of everything needed to verify them.

Related

Kubernetes Service account authentication in Postman

I have a Kubernetes cluster and I have my application deployed in the pods. There is an endpoint URL of my application which I use to send POST requests from Postman. I need to provide some level of authentication to my URL. I read about service account authentication using the JWT token.
How can I achieve the same feature in Postman?
I tried creating a new service account and took the secret and the associated JWT token as the Bearer token in Postman. But it is not giving any kind of authentication.
https://medium.com/better-programming/k8s-tips-using-a-serviceaccount-801c433d0023
Can't directly answer your question, but what comes to my mind is this: Istio supports token-based end-user authentication with JSON Web Tokens.
You should understand I haven't tried to do that, but this looks very promising to me: Istio End-User Authentication for Kubernetes using JSON Web Tokens (JWT) and Auth0
And to test the JWT-based authentication and authorization workflow they use exactly Postman, as you prefer.

SSO to kubernetes with mod_auth_openidc session

I want to access the kubernetes dashboard and the API using an already existing openid connect session (apache reverse proxy with mod_auth_openidc + WSO2 identity server). Unfortunately, kubernetes requires an id_token as a bearer token (signed JWT), which is quite hard to obtain by just having the session cookie from mod_auth_openidc module.
My problem is the following: When I call the OIDCInfoHook with the id_token configured (the reverse proxy callback_url like http://service.domain?json=info), I just get the unsigned id_token, which is useless for Kubernetes authentication. Calling the info hook with the refresh token configured, I can successfully retrieve the refresh token. With this token the identity server (WSO2) returns the id_token, a new access token and the next refresh token. Unfortunately, mod_auth_openidc still has the old access_token and I need to map the new id_token to the old and new access token. Although it works after a fresh login, obtaining the id_token doesn't work anymore after the session timeout (3600 s). In this state, I have to delete the session cookie manually in order to get a new login prompt.
I have two questions:
Is there any other possibility to use OIDC authentication with Kubernetes that does not rely on the id_token, i.e. using one of the OpenID Connect flows as described in the spec? According to the OpenID Connect spec, the id_token should not be sent around, and this method does not seem to be one of the OpenID Connect flows, I guess.
Is there any other best practice way to integrate kubernetes into an existing openid connect based single sign on environment?
The common SSO solution for this kind of problem is to use Kubernetes OAuth2-Proxy, https://github.com/pusher/oauth2_proxy. You could either run the proxy in an ingress or in a sidecar container. If you have Istio, you could also integrate Istio with your OpenID Connect provider.

Validating signing certificate when using OpenId Connect

I'm trying to understand whether my Owin-hosted Web Api needs to validate the certificate used to sign a JWT-token.
I've set up an identity provider using IdentityServer. On the "relying party"-side, I have an ASP.NET WebApi hosted using Owin. On the RP-side, I'm using UseOpenIdConnectAuthentication to install the OpenIdConnectAuthenticationMiddleware in the Owin pipeline.
What's working so far:
Any unauthenticated user visiting my web app is redirected to the login page on IdentityServer
The user logs on
The user is redirected back to my web app
My web app receives the JWT containing the id token and access token
My web app calls the user info endpoint to retrieve the claims using the access token
What I'm missing is logic to validate the certificate which was used to sign the JWT containing the identity token.
Using Fiddler, I've been able to see that the OpenIdConnectAuthenticationMiddleware retrieves the keys from the identity server (by calling https://myidentityserver.example.com/core/.well-known/jwks HTTP/1.1)
Is the OpenIdConnectAuthenticationMiddleware performing some kind of validation of the certificate? Or should I be writing this code myself?
The flow you describe relies on the fact that the verification certificate is pulled from a TLS protected endpoint (JWKs URL) that presents a valid SSL server certificate. This SSL server certificate guarantees that you're talking to the right OpenID Connect provider.
Found some explanations here
For validating reference tokens we provide a simple endpoint called the access token validation endpoint. This endpoint is e.g. used by our access token validation middleware, which is clever enough to distinguish between self-contained (JWT) and reference tokens and does the validation either locally or using the endpoint. All of this is completely transparent to the API.
You simply specify the Authority (the base URL of IdentityServer) and the middleware will use that to pull the configuration (keys, issuer name etc) and construct the URL to the validation endpoint

How to use Azure AD to authenticate users for third-party applications?

I didn't touch AAD before, but I have to use it to authenticate users for my REST service.
I have a mobile client that can authenticate a user on AAD with OAuth2. As a result it has a bearer token.
The mobile client should use this bearer token as a parameter in a request to the protected REST service.
The REST service is a Java-based application (spring-boot) and it was registered in AAD as a Web application, but I cannot find a way for it to connect to AAD to check whether a token is valid or not.
I expected to have something like an /oauth2/check_token endpoint that can take a token value and return user data, but I didn't find anything.
Is it possible to use AAD to authenticate users for third-party applications, and if yes, how to do it?
The token issued by AAD is a signed JWT token. You do not need to communicate with AAD to verify the token is valid. If you trust the issuer (AAD) and the token is valid (correct audience, valid signature, not expired etc.), you accept the claims in the token.
See this article for the steps to validate the JWT token.
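The first answer on this page and this Azure AD answer describe the same procedure: follow the issuer's .well-known/openid-configuration to its jwks_uri, pick the key the token's kid names, then check signature, issuer, audience and expiry locally. The script below is an added example of that procedure, not code from either answer; the issuer URL, discovery document, key set, fetch_json stub and issue_token helper are all constructed, and the key is a symmetric HS256 "oct" JWK so it runs on the standard library alone, whereas a real provider publishes RSA or EC public keys and the signature step would use a crypto library.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the issuer's discovery document (<issuer>/.well-known/openid-configuration) and its key set (jwks_uri).
ISSUER = "https://issuer.example"
DISCOVERY = {"issuer": ISSUER, "jwks_uri": ISSUER + "/.well-known/jwks.json"}
DEMO_SECRET = b"constructed-demo-secret-not-for-production"  # symmetric so the example needs only stdlib
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(DEMO_SECRET).rstrip(b"=").decode()}]}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def fetch_json(url: str) -> dict:
    # Stub for an HTTPS GET (assumption); a real verifier fetches these over TLS and caches them.
    return {ISSUER + "/.well-known/openid-configuration": DISCOVERY, DISCOVERY["jwks_uri"]: JWKS}[url]

def issue_token(claims: dict, kid: str = "k1") -> str:
    # Mimics the issuer: signs base64url(header).base64url(claims) with the key published under kid.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if signature, issuer, audience and expiry all check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it (rejects "none")
        raise ValueError("unexpected alg")
    config = fetch_json(issuer + "/.well-known/openid-configuration")
    jwks = fetch_json(config["jwks_uri"])  # discovery tells the verifier where the issuer's keys live
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "oct"]
    if not matches:
        raise ValueError("no published key matches kid")
    expected = hmac.new(b64url_decode(matches[0]["k"]), f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))  # only now is the payload trustworthy
    if claims.get("iss") != config["issuer"]:
        raise ValueError("wrong issuer")
    if audience not in ([claims["aud"]] if isinstance(claims.get("aud"), str) else claims.get("aud", [])):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```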

How do I encrypt the JWT tokens in Thinktecture Identity Server?

Does Thinktecture.IdentityServer support encrypting the JWT tokens it issues, for example to protect the token from being used in a replay attack?
If yes, how can a client decrypt the encrypted token?
I have tried enabling "Require Token Encryption" in the IdentityServer General Configuration; however, after doing so, when I try to log in I get a "No encryption key available" message on the identity server web page.
Is there a problem or am I missing a required setting?
Encryption is for confidentiality, not for preventing replay attacks.
The Microsoft jwt library does not support encryption. And we rely on that library.