Setup krakend jwt validation with backend on another IdP #440

Closed
dusatvoj opened this issue Mar 17, 2022 · 3 comments
@dusatvoj

Describe what you are trying to do
I have an API from an external provider which has a single set of credentials and an IP lock, so I'm creating an API GW using krakend. I want krakend to log in to the external API and give me the data, BUT I don't want it publicly accessible. I have a keycloak which I want to use for the "frontend side" of my API GW, and krakend has JWT validation turned on.

The problem I'm facing now is that I don't have to use any token to access the API. The logs show:

[KRAKEND] 2022/03/17 - 23:20:55.348 ▶ INFO Starting the KrakenD instance
[KRAKEND] 2022/03/17 - 23:20:55.348 ▶ INFO [ENDPOINT: /usermap/:obj/:req][JWTValidator] Validator disabled for this endpoint
[KRAKEND] 2022/03/17 - 23:20:55.348 ▶ INFO [ENDPOINT: /usermap/:obj][JWTValidator] Validator disabled for this endpoint

... even when I have github.com/devopsfaith/krakend-jose/validator in krakend extra config.

Your configuration file
The content of your krakend.json. When using the flexible configuration option, the computed file can be generated using FC_OUT=out.json

{
  "version": 3,
  "host": [ "https://api-test.example.com" ],
  "timeout": "3000ms",
  "cache_ttl": "300s",
  "output_encoding": "json",
  "name": "nothing interesting",
  "port": 8080,
  "extra_config": {
    "github_com/devopsfaith/krakend-gologging": {
      "level":  "INFO",
      "prefix": "[KRAKEND]",
      "syslog": false,
      "stdout": true
    }
  },
  "endpoints": [
    {
      "endpoint": "/usermap/{obj}",
      "input_query_strings":["*"],
      "querystring_params":["*"],
      "backend": [
        {
          "url_pattern": "/usermap/{obj}",
          "extra_config": {
            "github.com/devopsfaith/krakend-jose/validator": {
              "alg": "RS256",
              "jwk_url": "https://example.org/auth/realms/realm/protocol/openid-connect/certs",
              "cache": true,
              "cache_duration": 300,
              "scopes_matcher": "all",
              "scopes": ["apigw-test"],
              "operation_debug": true
            },
            "backend/http": {
              "return_error_details": "from_backend"
            },
            {{ include "secrets/secrets.json" }}
          }
        }
      ]
    },
    {
      "endpoint": "/usermap/{obj}/{req}",
      "input_query_strings":["*"],
      "querystring_params":["*"],
      "backend": [
        {
          "url_pattern": "/usermap/{obj}/{req}",
          "extra_config": {
            "backend/http": {
              "return_error_details": "from_backend"
            },
            "github.com/devopsfaith/krakend-jose/validator": {
              "alg": "RS256",
              "jwk_url": "https://example.org/auth/realms/realm/protocol/openid-connect/certs",
              "cache": true,
              "cache_duration": 300,
              "scopes_matcher": "all",
              "scopes": ["apigw-test"],
              "operation_debug": true
            },
            {{ include "secrets/secrets.json" }}
          }
        }
      ]
    }
  ]
}

secrets.json contains github.com/devopsfaith/krakend-oauth2-clientcredentials with the client_credentials grant type and secrets, plus github.com/devopsfaith/krakend-martian for headers like Accept

Commands used
How did you start the software?

version: '3.9'
services:
  krakend_test:
    container_name: krakend_test
    image: devopsfaith/krakend:2.0
    deploy:
      restart_policy:
        condition: any
      resources:
        limits:
          cpus: '1.0'
          memory: 1GB
    ports:
      - "8080:8080"
    volumes:
      - "/srv/krakend/test:/etc/krakend:ro"
    environment:
      FC_ENABLE: "1"
      FC_TEMPLATES: "/etc/krakend/"
    healthcheck:
      test: ["CMD","curl","http://krakend_test:8080/__health"]
      timeout: 10s
      retries: 5

Logs

[KRAKEND] 2022/03/17 - 23:20:55.348 ▶ INFO Starting the KrakenD instance
[KRAKEND] 2022/03/17 - 23:20:55.348 ▶ INFO [ENDPOINT: /usermap/:obj/:req][JWTValidator] Validator disabled for this endpoint
[KRAKEND] 2022/03/17 - 23:20:55.348 ▶ INFO [ENDPOINT: /usermap/:obj][JWTValidator] Validator disabled for this endpoint

... even without token:

# curl -i http://localhost:8080/usermap/smth
HTTP/1.1 200 OK

Thx for help

@taik0
Member

taik0 commented Mar 28, 2022

Hi @dusatvoj,

That error only appears when no configuration is provided.
The validator configuration should be at endpoint level and you have it in the backend section.
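
A check for the misplacement diagnosed above, as an added example that is not part of the original thread or KrakenD's own code: it reads the rendered configuration (the FC_OUT output when flexible configuration is used) and reports endpoints whose JWT validator sits under a backend or is missing at endpoint level. The function name and the sample config are constructed for illustration.

```python
import json

# JWT validator namespaces: the one used in this issue, plus the shorter
# "auth/validator" name used by KrakenD 2.x documentation.
VALIDATOR_KEYS = {
    "github.com/devopsfaith/krakend-jose/validator",
    "auth/validator",
}


def lint_jwt_placement(config):
    """Return (endpoint, problem) tuples for a parsed, rendered krakend.json."""
    findings = []
    for ep in config.get("endpoints") or []:
        name = ep.get("endpoint", "<unnamed>")
        # A validator block nested in a backend is what the issue reports:
        # the gateway logs "Validator disabled for this endpoint".
        for i, be in enumerate(ep.get("backend") or []):
            if VALIDATOR_KEYS & set(be.get("extra_config") or {}):
                findings.append(
                    (name, f"validator under backend[{i}].extra_config has no effect"))
        # The validator must be a key of the endpoint's own extra_config.
        if not VALIDATOR_KEYS & set(ep.get("extra_config") or {}):
            findings.append(
                (name, "no validator at endpoint level; served without a token"))
    return findings


# Constructed sample: the first endpoint repeats the mistake from the issue,
# the second has the validator moved up to the endpoint's own extra_config.
SAMPLE = json.loads("""
{"endpoints": [
  {"endpoint": "/usermap/{obj}",
   "backend": [{
     "url_pattern": "/usermap/{obj}",
     "extra_config": {
       "github.com/devopsfaith/krakend-jose/validator": {"alg": "RS256"}}}]},
  {"endpoint": "/usermap/{obj}/{req}",
   "extra_config": {
     "github.com/devopsfaith/krakend-jose/validator": {"alg": "RS256"}},
   "backend": [{"url_pattern": "/usermap/{obj}/{req}"}]}
]}
""")

if __name__ == "__main__":
    for endpoint, problem in lint_jwt_placement(SAMPLE):
        print(f"{endpoint}: {problem}")
```

Run against the rendered file rather than the template, since the `{{ include ... }}` lines are not valid JSON until flexible configuration has expanded them.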

@dusatvoj
Author

Yes, that was the problem 🙃 . Thank you so much @taik0

@github-actions

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 29, 2022