How to configure JWT auth in Envoy Proxy using Okta as provider - jwt

I have an app running behind Envoy Proxy and am working on enabling JWT auth for the same using Okta. It would be of great help if someone can point me to an appropriate example configuration or appropriate document.

I ended up using Gloo's ExtAuth functionality.
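For anyone who wants to do this natively in Envoy rather than through Gloo, the built-in `jwt_authn` HTTP filter validates Okta-issued bearer tokens against Okta's JWKS endpoint. The fragment below is an added example, not configuration from the original question or answer; `dev-123456.okta.com`, the authorization server name `default`, the audience `api://default` and the cluster name `okta_jwks` are placeholders you would replace with the values shown in your Okta authorization server settings.

```yaml
# Added example: Envoy jwt_authn filter for an Okta authorization server.
# The Okta domain, issuer path and audience below are placeholders.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app }
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                okta:
                  # Must match the "iss" claim exactly; for Okta's default
                  # authorization server this is https://<domain>/oauth2/default
                  issuer: https://dev-123456.okta.com/oauth2/default
                  # Reject tokens minted for a different API ("aud" claim).
                  audiences:
                  - api://default
                  # Fetch and cache Okta's signing keys; rotation is handled
                  # automatically because the key set is re-fetched on expiry.
                  remote_jwks:
                    http_uri:
                      uri: https://dev-123456.okta.com/oauth2/default/v1/keys
                      cluster: okta_jwks
                      timeout: 5s
                    cache_duration: { seconds: 300 }
                  # Read the token from "Authorization: Bearer <jwt>".
                  from_headers:
                  - name: Authorization
                    value_prefix: "Bearer "
                  # Keep the header so the upstream app can read claims if needed.
                  forward: true
              rules:
              # Health checks stay unauthenticated (no "requires" block).
              - match: { prefix: /healthz }
              # Everything else needs a valid Okta token; requests without one
              # or with an invalid one are rejected by Envoy with 401.
              - match: { prefix: / }
                requires: { provider_name: okta }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: app
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: app, port_value: 3000 }
  # JWKS fetches go to Okta over TLS; SNI must be set for the Okta edge.
  - name: okta_jwks
    type: STRICT_DNS
    connect_timeout: 5s
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: okta_jwks
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: dev-123456.okta.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: dev-123456.okta.com
```

Two things worth checking when adapting this: the `issuer` string must be byte-for-byte what Okta puts in the `iss` claim (the trailing path matters), and `audiences` should be set rather than omitted, since a JWKS-valid token minted for another Okta application would otherwise be accepted. Routes that must stay public, such as the health check above, are the only ones that should lack a `requires` block.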

Related

How to create authentication with Kubernetes when service is already existing?

I'm reading through https://kubernetes.io/docs/reference/access-authn-authz/authentication/, but it is not giving any concrete commands and it is mostly focusing on when we want to create everything from scratch. It's also explaining auth for engineers using Kubernetes.
I have an existing deployment and service (with exposed external IP) and would like to create the simplest possible authentication (preferably token based) for an external user accessing the exposed IP. I can't add authentication to the services since I don't have access to their code. If somebody could help me with some commands I would be grateful.
The documentation which you referred to is for authentication with k8s (for API accesses). This is not for application layer authentication.
However I can suggest one way to implement application layer authentication without changing the service at all. You can redirect the traffic to nginx (or any other reverse proxy) which can perform the authentication and redirect the authenticated user to the service directly. It can also perform some kind of authorization too.
There are various resources available which can help you choose among the various authentication mechanisms available in nginx, such as a password file based mechanism (link) or JWT based authentication (link).

SAML request authentication with Kong

We are using konghq as an API gateway for one of our customers but we are very new to it and therefore don't know how to tackle this authentication issue.
We have to authenticate our services with a SAML token. Our microservices are behind Kong which is running on an EC2. The authentication process should be an independent microservice which validates the token from the request and its contents against another system. Instead of a service it could also be some serverless function on a k8s cluster. We don't want to use a lambda to stay cloud agnostic.
We were previously using AWS API gateway and lambda authorizers to tackle the scenario. The authorizer validated the token and took care of the authentication process.
I searched all the Kong forums and Google but couldn't find a SAML plugin. The most similar is the JWT plugin but it won't work for us.
Is there something similar in Kong or is development on Kong involved? If yes, are there any existing plugins which are similar, or any related tutorials?
All help is greatly appreciated.
Thanks
Oldfighter

Apache Karaf - Authentication and Authorization via Keycloak

I use Apache Karaf 4.x for my REST services. I would like to provide authentication and authorization for my services via Keycloak. I do not want to make direct changes in each service. Instead, I would like to configure Karaf in such a way that if a request is not authenticated then it will forward to Keycloak to get a session. Or maybe there could be client credentials or a bearer token and Karaf could check that token before allowing use of the service.
Any help is appreciated.
Thanks in advance

Use Envoy Proxy or HA Proxy for authentication using IDP

I have a requirement where I need to authenticate external requests via an IDP. Can this be done using Envoy Proxy or HAProxy?
Currently the only way to achieve this is by using the ext_authz filter to send request metadata to an auth server.
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
There's currently work on implementing an OAuth filter that would work with any OAuth 2.0 compliant IdP but that work is not yet complete (https://github.com/envoyproxy/envoy/issues/8571)
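The `ext_authz` approach mentioned above looks like the following in practice. This is an added example, not configuration from the answer or from the Envoy project; the authorization service address `auth-service:9000`, the cluster name `ext_authz` and the `x-user-id` header the service is assumed to emit are placeholders for whatever your IdP-facing auth service actually exposes.

```yaml
# Added example: Envoy ext_authz filter delegating each request to an
# external HTTP authorization service that talks to the IdP.
# "auth-service:9000" and the x-user-id header are assumed names.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    # Fail closed: if the auth service is down or times out, deny the
    # request instead of letting it through unauthenticated.
    failure_mode_allow: false
    http_service:
      server_uri:
        uri: http://auth-service:9000
        cluster: ext_authz
        timeout: 0.25s
      # Forward only what the auth service needs to make its decision,
      # not the whole request and body.
      authorization_request:
        allowed_headers:
          patterns:
          - exact: authorization
          - exact: cookie
      authorization_response:
        # Identity the auth service derived from the IdP, passed upstream
        # on a 200; any other status is returned to the client as a denial.
        allowed_upstream_headers:
          patterns:
          - exact: x-user-id
        # Headers copied from the auth service's denial (e.g. a redirect
        # to the IdP login page) back to the client.
        allowed_client_headers:
          patterns:
          - exact: location
          - exact: www-authenticate
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

The corresponding `ext_authz` cluster is declared like any other upstream. The protocol is simple: the auth service receives the allowed headers, returns 200 to permit the request or any other status to deny it, and Envoy relays the denial to the client. Because the upstream trusts `x-user-id`, the app should only be reachable through Envoy, otherwise a client could set that header itself.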

Keycloak and Vertx

We are implementing a RESTful service and the entire backend application using Vert.x. These APIs are consumed by a hybrid mobile app (developed using Ionic / AngularJS). We are using Keycloak for user management and also authentication and authorization on the app.
My question is, how can I use Keycloak to also protect (authenticate and authorize for the same set of users) my RESTful service access which is implemented using Vert.x. Any example implementation would be very useful.
We wrote a custom Vert.x auth provider using the Keycloak core library to solve this exact problem (the Vert.x JWT library doesn't work with the Keycloak JWT tokens - arguably we should have improved the Vert.x library instead). I'll see if I can get permission to open source the library.
So, if I understand correctly, you need one authentication entry point for the user in the mobile app and in the REST service. If I am right, you can use JWT. When the user authenticates with Keycloak he will receive a JWT with roles and user information. This token you can put into the request for the REST service and your service will know who the user is and what roles he has. Please see https://jwt.io/