Access token validation
Validate access tokens from an external identity provider.
For more information or other OAuth options, see the OAuth about page.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Step 1: Set up your Identity Provider
Set up an OpenID Connect (OIDC) compatible identity provider (IdP).
For example, you can use Keycloak as an IdP.
Step 2: Enforce access token validation
Use AuthConfig and GlooTrafficPolicy resources to apply the auth rules to the routes that you want to secure with access token validation.
Create an AuthConfig resource with your access token validation rules. The following example uses JWT validation and an inline JWKS server to provide the JWT.
- For more access token validation options, see the Gloo Edge API docs.
- For more information about JWTs, see the JWT guide.
- Is your JWT in a custom header? By default, the JWT token is expected in the Authorization: Bearer <token> header format. If you use a different header, apply a transformation policy.
- For more JWT options, such as to fetch the token from a remote JWKS instead of an inline JWKS, see the Gloo Edge API docs.
kubectl apply -f- <<EOF
apiVersion: extauth.solo.io/v1
kind: AuthConfig
metadata:
  name: oauth-jwt-validation
  namespace: httpbin
spec:
  configs:
  - oauth2:
      accessTokenValidation:
        jwt:
          localJwks:
            inlineString: >-
              $KEYCLOAK_CERT_KEYS
EOF

Review the following table to understand this configuration.
Field | Description
oauth2.accessTokenValidation.jwt | Set up the OAuth policy to validate access tokens that conform to the JSON Web Token (JWT) specification.
localJwks.inlineString | Embed a local JWKS as a string, based on the value that you retrieved when you set up your IdP.

Create a GlooTrafficPolicy resource that refers to the AuthConfig that you created earlier. The following policy applies external auth to all routes that the Gateway serves.
kubectl apply -f - <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: oauth-jwt-validation
  namespace: gloo-system
spec:
  targetRefs:
  - name: http
    group: gateway.networking.k8s.io
    kind: Gateway
  glooExtAuth:
    authConfigRef:
      name: oauth-jwt-validation
      namespace: httpbin
EOF

Verify that the AuthConfig is in an Accepted state.
kubectl get authconfig oauth-jwt-validation -n httpbin -o yaml

If you see a REJECTED error similar to invalid character 'k' looking for beginning of object key string, try copying the $KEYCLOAK_CERT_KEYS value manually again.
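The REJECTED error above almost always means the JWKS JSON was mangled on its way into the heredoc. The following added example (not Gloo code, not from the Gloo docs) runs the pre-flight checks a practitioner would want before applying the AuthConfig: it parses the JWKS the way Keycloak's certs endpoint returns it, keeps only RSA signing keys, renders the same AuthConfig with the JWKS indented under inlineString, and confirms that a token's header names a kid the gateway will actually have. The SAMPLE_JWKS and SAMPLE_TOKEN values are constructed placeholders, not real keys; the example inspects the token header only and does not verify the signature, which is the gateway's job.

```python
"""Pre-flight checks for an inline-JWKS AuthConfig (added example, not Gloo's own code)."""
import base64
import json

# Constructed sample in the shape of Keycloak's certs endpoint: one signing key, one encryption key.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "sig-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "sXchPLACEHOLDER", "e": "AQAB"},
    {"kid": "enc-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": "u1SUPLACEHOLDER", "e": "AQAB"},
]})
# Constructed token: real header, placeholder payload and signature (only the header is inspected).
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
    for p in ({"alg": "RS256", "kid": "sig-1", "typ": "JWT"}, {"sub": "user1"})
) + ".placeholdersig"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def signing_keys(jwks_text: str) -> list:
    """Parse the JWKS and return only the RSA keys usable for signature validation."""
    jwks = json.loads(jwks_text)  # raises ValueError on a mangled copy-paste
    keys = []
    for key in jwks.get("keys", []):
        # A key without "use" is treated as a signing key; "enc" keys are not needed for validation.
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            continue
        if not all(key.get(f) for f in ("kid", "n", "e")):
            raise ValueError(f"JWKS key is missing kid/n/e: {key}")
        keys.append(key)
    if not keys:
        raise ValueError("JWKS contains no RSA signing keys")
    return keys

def jwks_problem(jwks_text: str) -> str:
    """Return "" if the JWKS is usable, else the reason a REJECTED AuthConfig would hide."""
    try:
        signing_keys(jwks_text)
        return ""
    except ValueError as exc:
        return str(exc)

def render_authconfig(jwks_text: str, name="oauth-jwt-validation", namespace="httpbin") -> str:
    """Render the AuthConfig with the filtered JWKS as a compact JSON string under inlineString."""
    compact = json.dumps({"keys": signing_keys(jwks_text)}, separators=(",", ":"))
    return (
        "apiVersion: extauth.solo.io/v1\nkind: AuthConfig\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
        "spec:\n  configs:\n  - oauth2:\n      accessTokenValidation:\n        jwt:\n"
        f"          localJwks:\n            inlineString: >-\n              {compact}\n"
    )

def token_matches_jwks(token: str, jwks_text: str) -> bool:
    """True if the token header uses RS256 and names a kid present in the embedded JWKS."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("alg") == "RS256" and header.get("kid") in {k["kid"] for k in signing_keys(jwks_text)}
```

Feed the real $KEYCLOAK_CERT_KEYS value to jwks_problem before applying the AuthConfig; an empty string means the JSON the gateway will parse is intact.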
Step 3: Verify access token validation
Send various requests to verify that access token validation is enforced for your routes.
Send a request to the httpbin app without an access token. Verify that your request is denied and that you get back a 403 HTTP response code.
Example output:
HTTP/1.1 403 Forbidden

Generate an access token from your IdP, such as with the following command for Keycloak. If you get a 404 response, verify that the Keycloak URL and client credentials are correct. Common errors include using a different realm.

export USER1_TOKEN=$(curl -Ssm 10 --fail-with-body \
  -d "client_id=${KEYCLOAK_CLIENT}" \
  -d "client_secret=${KEYCLOAK_SECRET}" \
  -d "username=user1" \
  -d "password=password" \
  -d "grant_type=password" \
  "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" | jq -r .access_token)
echo $USER1_TOKEN

Example output:
eyJhbGc...

Send another request to the httpbin app. This time, include the JWT in the Authorization header. Verify that the request succeeds and that you get back a 200 HTTP response code.
Example output:
HTTP/1.1 200 OK
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete authconfig oauth-jwt-validation -n httpbin
kubectl delete gloo-traffic-policy oauth-jwt-validation -n gloo-system