I am using Kong and the JWT plugin to authenticate my upstream services. I have a use case where i would like to expose an endpoint in one of the services without having Kong authenticate against it. I was wondering if there is any way to specify exclusion patterns to let Kong know to ignore authentication for this endpoint?
Thanks in advance for any help!
Kong looks at the configured APIs in order of length. So it should be possible (without have tested it) that you use a longer uri (the one you want to make publicly accessible) without the JWT plugin, while keeping your current endpoint with the JWT plugin.
For example, if your current configuration is on /myApi and the path you want to make public is /myApi/login, then add an API on the latter without configuring the JWT on it.
Related
We have installed and configured RedHat APIMan for our working API and the plan is migration form current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (Not everyone role! No login required at all). We are using Keycloak OAuth plugin for roles, and Authorization Policy for API security. When Authorization policy is not added, I can allow unauthenticated requests via a boolean value in Keycloak OAuth policy, but after adding Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.
I created a Rest-API and a frontend as a self contained system with Quarkus.
The frontend is served statically.
For Authentication i use a kleycloak server and have nearly the same configuration as in this guide from quarkus.
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
With this config i need to authenticate for the rest-api and the frontend. Thats what i want.
If i try to load the index.html i got redirected to keycloak and back. That works perfectly.
The problem is, that the same thing happens with the rest-api. I got redirected to keycloak with a "302 found"-status code. Here I would like to have an authentication with a bearer token and no redirect. Quarkus has the following configuration for this:
quarkus.oidc.application-type=service
That collides with the configuration for the frontend. Is there a way to use both, one for static files and one for the rest-api?
If I'm not wrong you're looking for a multi-tenant oidc setup(even though you're not designing tenants). The guide and example can be found on the official quarkus website here.
This way you'll have similar setup:
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.oidc.restapi.auth-server-url=http://localhost:8180/auth/your/path
quarkus.oidc.restapi.client-id=backend
quarkus.oidc.restapi.application-type=service
P.S you can replace restapi with more likable name.
I’m currently experimenting on Metaflow. I followed the documentation and was able to deploy an aws setup with the given cloud formation template.
My question is why is that I’m always getting a:
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even if I made sure that the APIBasicAuth was set to false during the creation of cloudformation?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service url via the browser. To get the api-key you can go to the aws console
Api Gateway -> Api Keys -> show api key
Alternatively you can use the metaflow client in the sagemaker notebook which should be automatically setup for you via the template.
Also worth mentioning that there are two sets of endpoints: The one provided by the api gateway (which you seem to be hitting) and the one provided by the service itself. The api gateway forwards the requests the the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.
I went through this tutorial on KONG
https://getkong.org/plugins/jwt/
I have an understanding of JWT and authorization concepts. I have prototyped JWT with Spring Boot where I could put my own key value like this {"authorizations":"role_admin, role_user"}.
It is easy to do that in Spring Boot but I am not able to find information on how to do this with KONG. Anyone has any info about it?
Kong community edition can handle only the authentication process, (give or deny access to a customer).
Authorization process (what a given customer can do in your application) is handled by your application or by https://getkong.org/plugins/ee-oauth2-introspection/ oauth2 introspection plugin which is enterprise edition only
you can write your own authorization server based on X-Consumer-Username request header if user passed authentication or original token header proxied by kong
hope helps
The kong jwt plugin does not support sending custom payload parameters to the upstream api. It does however seem like you can use this plugin (I have not tested it):
https://github.com/wshirey/kong-plugin-jwt-claims-headers
Update:
If you set Kong to forward all headers you'll get the raw Authorization header with the jwt token. So you could base64 decode the jwt token and pull out the claims/payload parameters you need manually in your service.
I am currently playing around with the Kong API Gateway and I would like to use it to validate the authentication of users at the gateway and restrict access to services if the user is not logged in properly.
I have an authentication service which issues JWTs whenever a user logs in.
I would now like to share the JWT secret with Kong and use it for validation of the issued JWTs to secure services which need proper authentication.
I had a look at this plugin: https://getkong.org/plugins/jwt/
But it seems that this plugin works a bit different than what I would like to achieve. Why do I have to create consumers? I would like to have only one user database at my authentication service to avoid the need of synchronisation. It seems that the approach of this plugin is designed for giving 3rd party stakeholders access to my API.
Any hint would be highly appreciated.
The answer given by Riley is sort of correct in implementation but that is not the intended use of a consumer in the Kong.
A consumer in kong is the application that is is using the API. So, unless you have multiple vendors using your app/web service, I suggest you create a single consumer.
You can create multiple key and secret pair(JWT credentials) for that consumer. Create a JWT for a user by using the users Key and secret. Store this Key and secret in your current database along with your userID and other details. Create your JWT using these and return the JWT to the user.
Anything else you want to append as a claim can be added to the JWT while you are creating it. You can create a check for these claims in Kong. So, when you get a call to any of your APIs along with these JWT Kong will check the validity of the JWT(along with all the claims) and only then allow the access to the API.
It seems to me that the design of the JWT plugin for Kong doesn't want to share a JWT secret with you - it wants to own the JWTs entirely. You will indeed have to create a consumer per user, and let Kong manage that.
I asked a few questions to confirm on the Google Group - see https://groups.google.com/forum/?fromgroups#!topic/konglayer/XHnVEGoxZqo
Two highlights:
Can you just confirm that it should be OK to make one consumer and one credential per user?
Not only that's okay, but that's the recommended way :)
and
Will Kong be happy to have two million consumers of a single api? What about 200 million?
Technically that shouldn't be an issue, I would recommend setting up a POC where you can experiment with a higher number of users, in order to optimize the connection between Kong and the datastore and make sure we tune everything properly.
You can actually pass the secret to the JWT plugin when you create it:
$ curl -X POST http://kong:8001/consumers/${consumer_id}/jwt \
-H "Content-Type: application/x-www-form-urlencoded" \
--data "secret=mysecret&consumer_id=${consumer_id}"