Authentication of REST API on GKE with Google Cloud Service Account - rest

I am looking to host my REST APIs on GKE (microservices), and I want other applications and services I develop to authenticate with these APIs using JWT with Spring Boot Security. I want to generate a JWT token from a Google Cloud Service Account in a Google Cloud project and use this to authenticate with my APIs. My question is, is it possible to secure the APIs that I develop so that a JWT token can be authenticated against Google Cloud IAM (Service Account)? An example on the Spring side would be most helpful.
I am looking for something similar to what you can do in App Engine with the ESP.

You can follow the official Google documentation:
Authentication between services
You have to:
Create a Google Cloud project.
Create an OpenAPI document for your API.
Deploy your OpenAPI document.
Deploy the API backend.
The API backend can be on Google Kubernetes Engine, Compute Engine, or the App Engine flexible environment. You have to deploy the Extensible Service Proxy (ESP) to Google Kubernetes Engine.
Deploying the API backend

Related

Can Managed Identity be used between a service hosted in AKS and a client app hosted as an App Service?

I have an ASP.NET Core Web API app which is hosted in Azure Kubernetes Service, and the Web API endpoints are secured with Azure Active Directory (AAD), following the article below:
https://dotnetplaybook.com/secure-a-net-core-api-using-bearer-authentication/
Now I have another ASP.NET Core Web API application (Gateway) which is hosted as an Azure App Service, and this is a client application for the above microservice hosted in AKS.
I have also registered the client app (Gateway) in AAD using a secret, and with this the gateway and microservice authenticate and it works.
Since the AKS-hosted microservice talks with the Azure App Service, can I use Managed Identity so that I don't need to do secret management?
So just to clarify, your service deployed in Azure App Service is calling your application deployed in AKS.
If your Azure App Service is acting on its own behalf (i.e. it is a daemon app, and users don't interact with that app), then yes, you can simply use a Managed Identity for that App Service and give that identity the API permissions for the app in AKS.
-- an update to the above
I wrote some additional details that walk through all the steps to achieve this; take a look at this post: https://blog.identitydigest.com/single-tenant-daemon-managed-identity/ . It also has a pointer to a very rudimentary code sample.
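Both of the answers above (a Google service account signing its own JWT for an ESP or Spring backend on GKE, and an App Service managed identity presenting an AAD-issued token to a service in AKS) end in the same check on the API side: the bearer token is an RS256 JWT, the public key is found by `kid` in the issuer's JWKS document (Google serves a service account's keys at https://www.googleapis.com/service_accounts/v1/jwk/SERVICE_ACCOUNT_EMAIL, AAD at https://login.microsoftonline.com/TENANT/discovery/v2.0/keys), and only after the signature checks out are `iss`, `aud` and `exp` enforced. The Go program below is an added example, not code from either answer or from Google, Microsoft or Spring. It generates a throwaway RSA key, publishes it as a constructed JWKS document in the format those endpoints return, signs tokens the way the caller would, and runs the verifier over a good token plus several tampered ones (wrong audience, expired, payload swapped after signing, `alg: none`, unknown `kid`). The service account email, audience URL and key id are assumed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// claims the API cares about. aud is a plain string here; an issuer that
// emits an array would need []string handling.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// decode base64url-decodes one token segment and parses it as JSON.
func decode(seg string, v interface{}) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// parseJWKS turns the issuer's key document (the JSON served by the Google
// or AAD JWKS endpoint) into a kid -> public key map. Non-RSA keys are skipped.
func parseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } `json:"keys"` }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil {
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return keys, nil
}

// signJWT is the caller's side: the service account's private key signs
// base64url(header).base64url(payload) with RS256.
func signJWT(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyJWT is the API's side: pin the algorithm, select the key by kid, check
// the signature, and only then act on iss, aud and exp.
func verifyJWT(token string, keys map[string]*rsa.PublicKey, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var c claims
	sig, err := enc.DecodeString(parts[2])
	// Parse all three segments, but trust nothing until the signature has been checked.
	if err != nil || decode(parts[0], &hdr) != nil || decode(parts[1], &c) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // the token never chooses the algorithm: blocks alg=none and HMAC key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("token for iss=%q aud=%q is not for this API", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// demo signs one good token and several constructed attack tokens with a
// locally generated key and returns "ok" or the rejection reason per scenario.
func demo() (map[string]string, error) {
	const iss = "api-caller@my-project.iam.gserviceaccount.com" // assumed service account email
	const aud = "https://orders.example.internal"                 // assumed API audience
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Constructed stand-in for the document the issuer's JWKS endpoint would return.
	keys, err := parseJWKS([]byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":"key-1","n":"%s","e":"%s"}]}`,
		enc.EncodeToString(key.N.Bytes()), enc.EncodeToString(big.NewInt(int64(key.E)).Bytes()))))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	good := claims{Iss: iss, Aud: aud, Exp: now.Add(time.Hour).Unix()}
	tokens := map[string]string{}
	tokens["valid"], _ = signJWT(key, "key-1", good)
	tokens["unknown-kid"], _ = signJWT(key, "key-2", good)
	tokens["wrong-audience"], _ = signJWT(key, "key-1", claims{Iss: iss, Aud: "https://other.example.internal", Exp: good.Exp})
	tokens["expired"], _ = signJWT(key, "key-1", claims{Iss: iss, Aud: aud, Exp: now.Add(-time.Minute).Unix()})
	p := strings.Split(tokens["valid"], ".")
	forged, _ := json.Marshal(claims{Iss: iss, Aud: aud, Exp: now.Add(24 * time.Hour).Unix()})
	tokens["tampered-payload"] = p[0] + "." + enc.EncodeToString(forged) + "." + p[2] // real signature, swapped payload
	noneHdr, _ := json.Marshal(map[string]string{"alg": "none", "kid": "key-1"})
	tokens["alg-none"] = enc.EncodeToString(noneHdr) + "." + p[1] + "." // classic alg=none bypass attempt
	results := map[string]string{}
	for name, tok := range tokens {
		results[name] = "ok"
		if _, err := verifyJWT(tok, keys, iss, aud, now); err != nil {
			results[name] = err.Error()
		}
	}
	return results, nil
}

func main() {
	results, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

In production the JWKS document is fetched over HTTPS from the issuer and cached, refreshed when an unknown `kid` shows up (both Google and AAD rotate keys). The Spring Security equivalent of `verifyJWT` is the OAuth2 resource server support with `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` pointed at the issuer's JWKS URL plus issuer and audience validators; what matters is that, as here, the algorithm is fixed server-side, `aud` is checked against this API's own identifier so a token minted for another service cannot be replayed, and nothing in the payload is acted on before the signature is verified.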

SAML request authentication with Kong

We are using konghq as an API gateway for one of our customers, but we are very new to it and therefore don't know how to tackle this authentication issue.
We have to authenticate our services with a SAML token. Our microservices are behind Kong, which is running on an EC2 instance. The authentication process should be an independent microservice which validates the token from the request and its contents against another system. Instead of a service it could also be some serverless function on a k8s cluster. We don't want to use a Lambda, to stay cloud agnostic.
We were previously using AWS API Gateway and Lambda authorizers to tackle the scenario. The authorizer validated the token and took care of the authentication process.
I searched all the Kong forums and Google but couldn't find a SAML plugin. The most similar is the JWT plugin, but it won't work for us.
Is there something similar in Kong, or is there development on Kong involved? If yes, are there any existing plugins which are similar, or any related tutorials?
All help is greatly appreciated.
Thanks
Oldfighter

How does 3scale API Gateway communicate with portal?

I am trying out 3scale API Management. I would like to have the API gateway running on-premise in a Docker container and test it with the 3scale API Portal from the Red Hat evaluation.
A few questions:
How is the communication done between the API Gateway and the API Portal?
Is it the API gateway that requests the configuration at startup from the API Portal, or is it the API Portal that pushes the configuration to the gateway?
The reason for asking is that the API Gateway is behind firewall(s), and to communicate with the internet (API Portal) it uses a proxy.
If the API Gateway communicates with the API Portal, how can I configure a proxy server with Docker?
I got the answer in another forum:
The communication between the API Gateway and the API Manager uses two APIs:
- the Service Management API to ask for authorization and report usage
- the Account Management API (read-only) to get the list of available APIs and their configuration
The Service Management API is at su1.3scale.net (port 443) whereas the Account Management API is at
The configuration is retrieved by polling the Account Management API.
For reference: https://groups.google.com/forum/#!topic/3scale-api-management-by-red-hat/EXhrVUfKOtY

Configure Bluemix SSO service with BlueID/IBM ID authentication

We are trying to leverage BlueID/IBM ID authentication for our application deployed on a Bluemix Node.js instance. Is it possible to configure the Bluemix SSO service with Blue ID (OpenID) authentication? Right now I see support for SAML, Cloud Directory and some social networks. But I am really interested to know if the SSO service has support for Blue ID authentication?
Bluemix Single Sign On does not currently support the standards for IBM ID login.

Bluemix API Management, secure the API implementation

I want to expose a RESTful service as an API to the outside world on Bluemix Public. Therefore I have a Liberty app containing a REST service implemented in JAX-RS.
Additionally I leverage the "API Management Service" to secure that app, via plans, authentication, etc. So thanks to the API Management Gateway I have a secure proxy to my service exposed.
Yet the app that provides my service remains accessible to the outside via the Bluemix route. So it can be called without any credentials whatsoever.
Is there a way to only have my API Management gateway access the service implementation app?
One approach would be to delete the route of the service-implementing app, but how would you then bind the API Management to the service?
Happy to hear your thoughts or alternative solutions.
If your API is running on Bluemix Public as a Cloud Foundry application, there is currently not a way to create a route such that it is only accessible by the API Management service but not the outside world. You should implement security within your JAX-RS application (easy to do with a web.xml security-constraint) and add those credentials to the APIm service if you still want to use APIm to get monitoring, throttling, discovery, etc.
Another option would be to deploy the application in a VM and then use Secure Gateway to connect to it:
https://github.com/IBM-Bluemix/onprem-integration-demo