
Access token validation


Validate access tokens from an external identity provider.

For more information or other OAuth options, see the OAuth about page.

Before you begin

  1. Follow the Get started guide to install Solo Enterprise for kgateway.
  2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
  3. Get the external address of the gateway and save it in an environment variable.
    export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    echo $INGRESS_GW_ADDRESS  
    kubectl port-forward deployment/http -n kgateway-system 8080:8080

Step 1: Set up your Identity Provider

Set up an OpenID Connect (OIDC) compatible identity provider (IdP).

For example, you can use Keycloak as an IdP.

Step 2: Enforce access token validation

Use AuthConfig and EnterpriseKgatewayTrafficPolicy resources to apply the auth rules to the routes that you want to secure with access token validation.

  1. Create an AuthConfig resource with your access token validation rules. The following example uses JWT validation with an inline JWKS that supplies the public keys used to verify the JWT signature. For more access token validation options, see the Gloo Edge API docs. For more information about JWTs, see the JWT guide.

    kubectl apply -f- <<EOF
    apiVersion: extauth.solo.io/v1
    kind: AuthConfig
    metadata:
      name: oauth-jwt-validation
      namespace: httpbin
    spec:
      configs:
      - oauth2:
          accessTokenValidation:
            jwt:
              localJwks:
                inlineString: >-
                  $KEYCLOAK_CERT_KEYS
    EOF

    Review the following table to understand this configuration.

    Field | Description
    oauth2.accessTokenValidation.jwt | Set up the OAuth policy to validate access tokens that conform to the JSON Web Token (JWT) specification.
    localJwks.inlineString | Embed a local JWKS as a string, based on the value that you retrieved when you set up your IdP.
  2. Verify that the AuthConfig is in an Accepted state.

    kubectl get authconfig oauth-jwt-validation -n httpbin -o yaml

    If you see a REJECTED error similar to invalid character 'k' looking for beginning of object key string, try copying the $KEYCLOAK_CERT_KEYS value manually again.

  3. Create an EnterpriseKgatewayTrafficPolicy resource that refers to the AuthConfig that you created earlier. The following policy applies external auth to all routes that the Gateway serves.

    kubectl apply -f - <<EOF
    apiVersion: enterprisekgateway.solo.io/v1alpha1
    kind: EnterpriseKgatewayTrafficPolicy
    metadata:
      name: oauth-jwt-validation
      namespace: kgateway-system
    spec:
      targetRefs:
        - name: http
          group: gateway.networking.k8s.io
          kind: Gateway
      entExtAuth:
        authConfigRef:
          name: oauth-jwt-validation
          namespace: httpbin
    EOF

Step 3: Verify access token validation

Send various requests to verify that access token validation is enforced for your routes.

  1. Send a request to the httpbin app without an access token. Verify that your request is denied and that you get back a 403 HTTP response code.

    curl -i http://$INGRESS_GW_ADDRESS:8080/status/200 -H "host: www.example.com"
    curl -i localhost:8080/status/200 -H "host: www.example.com"

    Example output:

    HTTP/1.1 403 Forbidden
  2. Generate an access token from your IdP, such as with the following command for Keycloak. If you get a 404 response, verify that the Keycloak URL and client credentials are correct. Common errors include using a different realm.

    export USER1_TOKEN=$(curl -Ssm 10 --fail-with-body \
    -d "client_id=${KEYCLOAK_CLIENT}" \
    -d "client_secret=${KEYCLOAK_SECRET}" \
    -d "username=user1" \
    -d "password=password" \
    -d "grant_type=password" \
    "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" |
    jq -r .access_token)
    echo $USER1_TOKEN

    Example output:

    eyJhbGc...
    
  3. Send another request to the httpbin app. This time, include the JWT in the Authorization header. Verify that the request succeeds and that you get back a 200 HTTP response code.

    curl -i http://$INGRESS_GW_ADDRESS:8080/status/200 -H "host: www.example.com" \
    -H "Authorization: Bearer $USER1_TOKEN"
    curl -i localhost:8080/status/200 -H "host: www.example.com" -H "Authorization: Bearer $USER1_TOKEN"

    Example output:

    HTTP/1.1 200 OK
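The following is an added example, not code from the Solo docs or from kgateway itself: a pure-stdlib Python model of the checks the Step 2 AuthConfig asks the gateway to perform on each bearer token sent in Step 3 (look up the key by kid in the local JWKS, pin the algorithm, verify the RS256 signature, reject expired tokens). The key pair, the kid "demo-kid" and the claims are generated here for the demo; in the real setup Keycloak holds the private key and $KEYCLOAK_CERT_KEYS carries its JWKS.

```python
import base64, hashlib, json, random, time

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def probable_prime(n, rounds=24):  # Miller-Rabin; demo-grade key generation only
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_rsa(bits=1024):  # constructed demo key pair (n, e, d); the IdP keeps d, publishes n and e
    def prime(b):
        while True:
            c = random.getrandbits(b) | 1 << (b - 1) | 1
            if probable_prime(c): return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))
def jwks_for(n, e, kid):  # JWKS JSON in the shape Keycloak publishes (what $KEYCLOAK_CERT_KEYS holds)
    i2b = lambda x: x.to_bytes((x.bit_length() + 7) // 8, "big")
    return json.dumps({"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                                 "n": b64u(i2b(n)), "e": b64u(i2b(e))}]})
def emsa(message, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || SHA-256 DigestInfo || hash, k bytes long
    return b"\x00\x01" + b"\xff" * (k - 54) + b"\x00" + bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(message).digest()
def sign_jwt(claims, n, d, kid):  # mint an RS256 JWT the way the IdP would (constructed demo token)
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body, k = b64u(json.dumps(claims).encode()), (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big"), d, n)
    return f"{head}.{body}." + b64u(sig.to_bytes(k, "big"))

def validate(token, jwks_json, now=None):  # -> (ok, reason): kid lookup, alg pin, signature, exp
    try:
        head_b, body_b, sig_b = token.split(".")
        header, claims = json.loads(unb64u(head_b)), json.loads(unb64u(body_b))
        sig = int.from_bytes(unb64u(sig_b), "big")
    except ValueError:
        return False, "malformed token"
    key = next((k for k in json.loads(jwks_json)["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None: return False, "kid not in JWKS"  # stale copy or wrong realm in inlineString
    if header.get("alg") != "RS256" or key.get("kty") != "RSA": return False, "alg not RS256"
    n, e = (int.from_bytes(unb64u(key[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if pow(sig, e, n).to_bytes(k, "big") != emsa(f"{head_b}.{body_b}".encode(), k): return False, "bad signature"
    if claims.get("exp", 0) <= (time.time() if now is None else now): return False, "token expired"
    return True, "ok"
```

A token whose kid is absent from the inline JWKS fails here before any signature math, which is the first thing to check when a request that carries a Bearer token still returns 403.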

Cleanup

You can optionally remove the resources that you set up as part of this guide.
kubectl delete authconfig oauth-jwt-validation -n httpbin
kubectl delete EnterpriseKgatewayTrafficPolicy oauth-jwt-validation -n kgateway-system