GithubHelp home page GithubHelp logo

ajanthan / istio-enduser-authentication-with-wso2is Goto Github PK

View Code? Open in Web Editor NEW
0.0 1.0 0.0 8 KB

A guide on how to authenticate endusers in Istio using WSO2 Identity Server

Home Page: https://medium.com/@balaajanthan/istio-enduser-authentication-with-wso2-identity-server-ba32a1941639?postPublishedType=initial

License: Apache License 2.0

istio service-mesh jwt-authentication wso2is wso2-identity-server wso2

istio-enduser-authentication-with-wso2is's Introduction

istio-enduser-authentication-with-wso2is

A guide on how to authenticate endusers in Istio using WSO2 Identity Server.

Prerequists

  1. Kubernetes
  2. WSO2 Identity Server on Kubernetes
  3. Istio

Deploying Sample(httpbin) Service

In this guide the official httpbin sample from Istio distribution is going to be secured with JWT. Deploy the sample by issuing following command from Istio installation directory.

kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml)

Here assumption is the automatic sidecar injection is not used.

Applying Istio Traffic Rule

An Istio gateway and a virtualservice is needed to be able to access the service from outside. Clone this repostitory and apply following policies.

git clone https://github.com/ajanthan/istio-enduser-authentication-with-wso2is.git

cd istio-enduser-authentication-with-wso2is
kubectl apply -f httpbin-gateway.yaml
kubectl apply -f httpbin-virtualservice.yaml

Applying End User Authentication Policy

Following JWT policy will configure Istio to secure the httbin service with JWT authentication from WSO2 Identity Server.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
spec:
  targets:
  - name: httpbin
  origins:
  - jwt:
      issuer: "https://wso2is:9443/oauth2/token"
      jwksUri: "http://wso2is-service.default.svc.cluster.local:9763/oauth2/jwks"
  principalBinding: USE_ORIGIN

To apply the policy issue following command.

kubectl apply -f jwt-auth-policy.yaml

Generating JWT Token From WSO2 Identity Server

Register a service provider with OAuth/OpenID Connect Configuration inbound authentication type and obtain OAuth Client Key and OAuth Client Secret.

In the next step the ID token is going to be generated using OAuth2 endpoint using Password grant type.

curl -vk -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic base64encode(OAuth Client Key:OAuth Client Secret)" -H "Content-Type: application/x-www-form-urlencoded" https://wso2is/oauth2/token

Get the id_token from the response to be used as the access token to access the httpbin service.

Invoking the Service

Determine the IP address and port of the Istio Gateway and invoke the service as follows.

curl -kv  http://$INGRESS_HOST:$INGRESS_PORT/headers -H "Authorization: Bearer <id_token>"

Without a valid id_token you will not be able to invoke the httbin service succcessfully.

istio-enduser-authentication-with-wso2is's People

Contributors

ajanthan avatar

Watchers

avatar

istio-enduser-authentication-with-wso2is's Issues

I have same implementation but with Identity server 4 instead gets 401 always

Thanks for the detailed article, I have implemented exactly the same deployment as yours the only exception that I use identity server 4 instead of WSO.

When I make the call with JWT token, I always get 401
I have investigated pilot logs and the only thing that I notice that could be the cause is
error model Failed to fetch public key from "http://identity-service/.well-known/openid-configuration/jwks": Get http://identity-service/.well-known/openid-configuration/jwks: dial tcp: lookup identity-service on 100.64.0.10:53: no such host
Although the http://identity-service/.well-known/openid-configuration/jwks is accessible from the cluster
Could you advise?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.