Validate JWT signature #33
Comments
|
@dcseifert we should do this by providing envoy as optional middleware to the Kelon System. Envoy could run as a sidecar or integrated and be configured by Kelon over its api. This would lead to us being able to use the rich envoy filterset. So here we could use for example the jwt verify step for different apis without having to rebuild essential logic. We should discuss this further. For example could Envoy be a better web proxy for Kelon. What do you think? |
|
@mkjoerg Sounds like a great idea! I'll start trying this go-library from coreos for JWT-Verifikation first |
|
@dcseifert As discussed, running a separate envoy will not help us here, so that is perfectly fine. |
|
@mkjoerg Should we stick to Auth-Providers with Black/Whitelisting of URLs, or should we add providers to already mapped URLs inside the api.yml like envoyproxy does here:
|
|
@dcseifert yes this would be a great way to configure this. The only thing I would recommend is adding an option to trigger on everything except. Like istio does it with trigger rules triggerRules:
- excludedPaths:
- prefix: /api...Details can be seen here: https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1/ |
Description
In order to keep the entire Authentication & Authorization logic away from the user of kelon, we need a simple possibility to check the signature of passed JWT-Tokens. In addition to that there must be the possibility to specify for each endpoint if it needs authentication or not.
Tasks
Outcome
Kelon unifies the entire auth process and bundles it into one enforcement point
The text was updated successfully, but these errors were encountered: