Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com> Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
<a name="asm_01_0097"></a>
<h1 class="topictitle1">Authenticating JWT Requests on the Ingress Gateway Using ASM</h1>
<div id="body0000001476967356"><p id="asm_01_0097__p93564210389">This section describes how to authenticate JWT requests on the ingress gateway using ASM, so that only requests carrying a valid access token signed by a trusted issuer reach services through the ingress gateway.</p>
<div class="section" id="asm_01_0097__section3564173202917"><h4 class="sectiontitle">Preparations</h4><ol id="asm_01_0097__ol15987183732917"><li id="asm_01_0097__li5987183718296">A service mesh of version 1.15 or 1.18 has been created.</li><li id="asm_01_0097__li1943518417306">The <strong id="asm_01_0097__b98651043464">httpbin</strong> service that passes the diagnosis exists in the mesh. The image is <strong id="asm_01_0097__b17441838124617">httpbin</strong>, the port protocol is <strong id="asm_01_0097__b3571124314612">HTTP</strong>, and the port number is <strong id="asm_01_0097__b171204715463">80</strong>.</li><li id="asm_01_0097__li14330133703019">An accessible gateway has been created for the <strong id="asm_01_0097__b1454812177479">httpbin</strong> service in the mesh.</li></ol>
</div>
<div class="section" id="asm_01_0097__section112090163819"><h4 class="sectiontitle">Creating JWT Authentication</h4><ol id="asm_01_0097__ol1660199171718"><li id="asm_01_0097__li116016915174"><a name="asm_01_0097__li116016915174"></a><a name="li116016915174"></a><span>Create a JWK.</span><p><ol type="a" id="asm_01_0097__ol5148943182011"><li id="asm_01_0097__li10148154317206"><a name="asm_01_0097__li10148154317206"></a><a name="li10148154317206"></a>Visit the <a href="https://jwt.io/" target="_blank" rel="noopener noreferrer">JWT tool website</a>, set <strong id="asm_01_0097__b18235153518488">Algorithm</strong> to <strong id="asm_01_0097__b2950153715489">RS512</strong>, and copy the public key (PUBLIC KEY) shown in the <strong>VERIFY SIGNATURE</strong> area. The key pair that the website pre-fills is a published example whose private key is just as public, so anyone can mint tokens that this public key accepts: use it only for this test, and for any real deployment generate your own key pair locally and keep the private key off third-party websites.<div class="fignone" id="asm_01_0097__fig9556762255"><span class="figcap"><b>Figure 1 </b>Generating a public key</span><br><span><img id="asm_01_0097__image755613642519" src="en-us_image_0000001476967692.png"></span></div>
</li><li id="asm_01_0097__li157481253202315">Select <strong id="asm_01_0097__b94991017154919">PEM-to-JWK (RSA Only)</strong> in the <a href="https://8gwifi.org/jwkconvertfunctions.jsp?spm=a2c4g.11186623.0.0.79074d9bGGmlXG&file=jwkconvertfunctions.jsp" target="_blank" rel="noopener noreferrer">JWK to PEM Convertor online</a> tool, enter the public key obtained in the previous step (only the public key; the private key is never needed here), and click <strong id="asm_01_0097__b1367965506">submit</strong> to convert the public key into a JWK. Note the <strong>kid</strong> in the result: every token must repeat it in its header so that the gateway can select this key from the JWKS.<div class="fignone" id="asm_01_0097__fig9353553117"><span class="figcap"><b>Figure 2 </b>Converting the public key to a JWK</span><br><span><img id="asm_01_0097__image441354311" src="en-us_image_0000001477287480.png"></span></div>
<pre class="screen" id="asm_01_0097__screen184612312322">{"kty":"RSA","e":"AQAB","kid":"a78641b9-d81e-4241-b35a-71726c3fa053","n":"u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw"}</pre>
</li></ol>
</p></li><li id="asm_01_0097__li20211184081913"><a name="asm_01_0097__li20211184081913"></a><a name="li20211184081913"></a><span>Create JWT authentication.</span><p><ol type="a" id="asm_01_0097__ol129001459163220"><li id="asm_01_0097__li1590065915326">Log in to the ASM console and click the name of the target service mesh to go to its details page.</li><li id="asm_01_0097__li01744105347">In the navigation pane, choose <strong id="asm_01_0097__b124721149102220">Service Management</strong>. In the upper right corner of the list, select the namespace that your services belong to.</li><li id="asm_01_0097__li5738817173416">Locate the <strong id="asm_01_0097__b62093281528">httpbin</strong> service and click <span class="uicontrol" id="asm_01_0097__uicontrol20550132215912"><b>Security</b></span> in the <strong id="asm_01_0097__b3931111425212">Operation</strong> column. In the window that slides out from the right, click <strong id="asm_01_0097__b197131514145310">JWT Authentication</strong> and then <strong id="asm_01_0097__b868332725315">Configure now</strong>. In the displayed dialog box, set the following parameters:<ul id="asm_01_0097__ul1484945763712"><li id="asm_01_0097__li38491757203715"><strong id="asm_01_0097__b1060944211555">Issuer</strong>: the issuer of the JWT (its <strong>iss</strong> claim). Set this parameter to <strong id="asm_01_0097__b149141553559">test</strong>.</li><li id="asm_01_0097__li11162424386"><strong id="asm_01_0097__b1999113467552">Audience</strong>: the audience (the <strong>aud</strong> claim) a token must carry to be accepted by the target service. Set this parameter to <strong id="asm_01_0097__b2020314445616">ASM</strong>. A token whose <strong>aud</strong> does not contain a configured audience is rejected even if its signature and issuer are valid.</li><li id="asm_01_0097__li1469166123818"><strong id="asm_01_0097__b2746195010568">JWKS</strong>: the JSON Web Key Set holding the public keys the gateway uses to verify token signatures. Set this parameter to <strong id="asm_01_0097__b11710820575">{"keys": [<em id="asm_01_0097__i1290611124570">JWK created in</em><em id="asm_01_0097__i1990613159613"> <a href="#asm_01_0097__li116016915174">1</a></em>]}</strong>.
For example, if the JWK created in <a href="#asm_01_0097__li116016915174">1</a> is <strong id="asm_01_0097__b1492203805710">{"kty":"RSA","e":"AQAB","kid":"a78641b9-d81e-4241-b35a-71726c3****"}</strong>, the value of <strong id="asm_01_0097__b1447516459572">JWKS</strong> is <strong id="asm_01_0097__b1445155717576">{"keys": [{"kty":"RSA","e":"AQAB","kid":"a78641b9-d81e-4241-b35a-71726c3****"}]}</strong>.</li></ul>
<div class="fignone" id="asm_01_0097__fig206874290371"><span class="figcap"><b>Figure 3 </b>Creating JWT authentication</span><br><span><img id="asm_01_0097__image146881929123710" src="en-us_image_0000001528087425.png"></span></div>
</li><li id="asm_01_0097__li11652172314352">Click <strong id="asm_01_0097__b76407585623539">OK</strong>.</li></ol>
</p></li></ol>
</div>
<div class="section" id="asm_01_0097__section62018017388"><h4 class="sectiontitle">Checking Whether JWT Authentication Takes Effect</h4><ol id="asm_01_0097__ol194941050163811"><li id="asm_01_0097__li174941250183818"><a name="asm_01_0097__li174941250183818"></a><a name="li174941250183818"></a><span>Use the <a href="https://jwt.io/" target="_blank" rel="noopener noreferrer">JWT tool</a> to encode and sign the JWT request information into a JWT token.</span><p><p id="asm_01_0097__p119411751143916">Enter the following JWT request information in the <strong id="asm_01_0097__b429413161005">Decoded</strong> area. The signed token is displayed automatically in the <strong id="asm_01_0097__b22823281105">Encoded</strong> area.</p>
<ul id="asm_01_0097__ul923025224115"><li id="asm_01_0097__li1023055274118"><strong id="asm_01_0097__b38657281911">HEADER</strong>: Set <strong id="asm_01_0097__b16363931118">alg</strong> to <strong id="asm_01_0097__b16762733218">RS512</strong>, set <strong id="asm_01_0097__b12441439018">kid</strong> to the <strong>kid</strong> value of the JWK created in <a href="#asm_01_0097__li116016915174">1</a>, and set <strong id="asm_01_0097__b178322110215">typ</strong> to <strong id="asm_01_0097__b1721185216376">JWT</strong>.</li><li id="asm_01_0097__li1983313145427"><strong id="asm_01_0097__b1368371810310">PAYLOAD</strong>: Set <strong id="asm_01_0097__b455122732">iss</strong> to <strong id="asm_01_0097__b837817251735">test</strong> and <strong id="asm_01_0097__b1184212299319">aud</strong> to <strong id="asm_01_0097__b74883321333">ASM</strong>. Ensure that the values are the same as the issuer and audience configured in <a href="#asm_01_0097__li20211184081913">2</a>.</li><li id="asm_01_0097__li146912111423"><strong id="asm_01_0097__b1842617581639">VERIFY SIGNATURE</strong>: Use the same key pair as in <a href="#asm_01_0097__li10148154317206">1.a</a>. The private key is what produces the signature, and the public key must be the one that was converted into the JWK; the gateway accepts only tokens signed with the private key that matches a key in its JWKS.</li></ul>
<div class="fignone" id="asm_01_0097__fig13104185815316"><span class="figcap"><b>Figure 4 </b>Creating a JWT token</span><br><span><img id="asm_01_0097__image1810565865315" src="en-us_image_0000001527927469.png"></span></div>
</p></li><li id="asm_01_0097__li44611647153914"><span>Access the <strong id="asm_01_0097__b46898231946">httpbin</strong> service through the ingress gateway.</span><p><ol type="a" id="asm_01_0097__ol18291029205515"><li id="asm_01_0097__li14829172955513">Run the following commands to access the service with the JWT token created in <a href="#asm_01_0097__li174941250183818">1</a>. First store the token in a shell variable:<p id="asm_01_0097__p337115465013"><strong id="asm_01_0097__b124441850608">TOKEN</strong>=<em id="asm_01_0097__i18269175915518">JWT token created in <a href="#asm_01_0097__li174941250183818">1</a></em></p>
<p id="asm_01_0097__p1678085545613"><strong id="asm_01_0097__b15821924900">curl -I -H "Authorization: Bearer $TOKEN" http://</strong>{<em id="asm_01_0097__i698018413619">External access address of the <strong id="asm_01_0097__b2415551268">httpbin</strong> service</em>}/</p>
<p id="asm_01_0097__p8210151013018">Expected outputs:</p>
<pre class="screen" id="asm_01_0097__screen582017142113">HTTP/1.1 200 OK
server: istio-envoy
date: Wed, 21 Sep 2022 03:11:48 GMT</pre>
</li><li id="asm_01_0097__li764415541567">Run the following command to access the service with an invalid JWT token:<p id="asm_01_0097__p21877251631"><a name="asm_01_0097__li764415541567"></a><a name="li764415541567"></a><strong id="asm_01_0097__b1136117351335">curl -I -H "Authorization: Bearer invalidToken" http://</strong>{<em id="asm_01_0097__i724715363711">External access address of the <strong id="asm_01_0097__b398134419719">httpbin</strong> service</em>}/</p>
<p id="asm_01_0097__p114322036233">Expected outputs:</p>
<pre class="screen" id="asm_01_0097__screen19621138420">HTTP/1.1 401 Unauthorized
www-authenticate: Bearer realm="http://***.***.***.***:***/", error="invalid_token"
content-length: 145
content-type: text/plain
date: Wed, 21 Sep 2022 03:12:54 GMT
server: istio-envoy
x-envoy-upstream-service-time: 19</pre>
</li><li id="asm_01_0097__li178821323735">Modify the JWT authentication created in <a href="#asm_01_0097__li20211184081913">2</a>, leave <strong id="asm_01_0097__b53443515918">Audience</strong> empty (the <strong>aud</strong> claim is then not checked, so any token from the issuer is accepted regardless of the audience it was issued for; in production, set an audience so that a token minted for another service cannot be replayed against this one), and run the following command to access the service with the JWT token created in <a href="#asm_01_0097__li174941250183818">1</a>:<p id="asm_01_0097__p1160993014289"><strong id="asm_01_0097__b7609163032812">curl -I -H "Authorization: Bearer $TOKEN" http://</strong>{<em id="asm_01_0097__i16721182118910">External access address of the <strong id="asm_01_0097__b7167271192">httpbin</strong> service</em>}/</p>
<p id="asm_01_0097__p98464912284">Expected outputs:</p>
<pre class="screen" id="asm_01_0097__screen9316145914283">HTTP/1.1 200 OK
server: istio-envoy
date: Wed, 21 Sep 2022 03:20:07 GMT</pre>
</li><li id="asm_01_0097__li588295310563">Run the following command to access the service without a JWT token:<p id="asm_01_0097__p1456620893014"><a name="asm_01_0097__li588295310563"></a><a name="li588295310563"></a><strong id="asm_01_0097__b13631543133011">curl -I http://</strong>{<em id="asm_01_0097__i203231251181018">External access address of the <strong id="asm_01_0097__b119041545107">httpbin</strong> service</em>}/</p>
<p id="asm_01_0097__p272145393019">Expected outputs:</p>
<pre class="screen" id="asm_01_0097__screen573171914314">HTTP/1.1 403 Forbidden
content-length: 85
content-type: text/plain
date: Wed, 21 Sep 2022 03:29:31 GMT
server: istio-envoy
x-envoy-upstream-service-time: 6</pre>
</li></ol>
<p id="asm_01_0097__p163452113323">According to the preceding outputs, a request with a correct JWT token can access the service, while a request with an incorrect JWT token or without a JWT token cannot. The two failures differ: an invalid token is rejected by JWT authentication itself (401 Unauthorized with an <strong>invalid_token</strong> error), whereas a request with no token passes JWT authentication without any identity and is then denied by the authorization policy that accompanies it (403 Forbidden). This means the request identity authentication takes effect.</p>
</p></li></ol>
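<p>The following is an added example and is not part of the ASM documentation or of ASM's own code. It reproduces offline what steps 1 and 2 above do through jwt.io and the online converter (generate an RSA key pair, build the <strong>{"keys": [...]}</strong> JWKS, mint an RS512 token carrying the right <strong>kid</strong>, <strong>iss</strong> and <strong>aud</strong>) and then applies the checks the ingress gateway applies to each request, returning the status codes seen in the curl outputs above. It also tries three forgeries the gateway must refuse: a token issued for a different audience, an <strong>alg: none</strong> header, and a payload edited after signing. The key generation, the <strong>kid</strong> value <strong>test-key</strong> and the audience <strong>other-service</strong> are constructed for the example; the 200/401/403 mapping is a simplified model of the gateway's behaviour, not its implementation, and <strong>exp</strong>/<strong>nbf</strong> handling is left out.</p>

```python
# Added example, not ASM's or Istio's code: it does locally what steps 1 and 2 above do through jwt.io and
# the online converter, then applies the checks the gateway applies. Key generation is test-only (1024 bits).
import base64, hashlib, json, secrets

SHA512_DIGEST_INFO = bytes.fromhex("3051300d060960864801650304020305000440")  # RFC 8017 DER prefix

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin; n is odd with the top bit set
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_keypair(bits: int = 1024):  # returns (n, e, d); the public half (n, e) is what the JWK carries
    def prime(b):  # random odd b-bit candidates until one passes Miller-Rabin
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q, e = prime(bits // 2), prime(bits // 2), 65537
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15_sha512(message: bytes, k: int) -> int:  # RFC 8017 EMSA-PKCS1-v1_5 encoding with SHA-512
    t = SHA512_DIGEST_INFO + hashlib.sha512(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs512_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15_sha512(message, k), d, n).to_bytes(k, "big")
def rs512_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15_sha512(message, k)

def make_jwks(n: int, e: int, kid: str) -> dict:  # same shape as the JWKS parameter in step 2
    n_b64, e_b64 = (b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big")) for v in (n, e))
    return {"keys": [{"kty": "RSA", "alg": "RS512", "use": "sig", "kid": kid, "n": n_b64, "e": e_b64}]}
def sign_jwt(claims: dict, kid: str, n: int, d: int) -> str:  # what jwt.io does in step 1 of the check
    header = {"alg": "RS512", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return signing_input + "." + b64url_encode(rs512_sign(signing_input.encode(), n, d))

def gateway_check(auth_header, jwks: dict, issuer: str, audiences):
    """Status the gateway answers, as in the outputs above: no token 403, bad token 401, good token 200."""
    if auth_header is None:  # nothing to authenticate, so no request principal for the authorization policy
        return 403, "no request principal"
    parts = auth_header[7:].split(".") if auth_header.startswith("Bearer ") else []
    if len(parts) != 3:
        return 401, "malformed token"
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        sig = b64url_decode(parts[2])
    except ValueError:
        return 401, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "RS512":
        return 401, "unsupported alg"  # never accept alg=none or an algorithm the key was not made for
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return 401, "no key with this kid in the JWKS"
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs512_verify(".".join(parts[:2]).encode(), sig, n, e):
        return 401, "signature does not verify"
    if claims.get("iss") != issuer:
        return 401, "issuer mismatch"
    aud = {claims["aud"]} if isinstance(claims.get("aud"), str) else set(claims.get("aud", []))
    if audiences and not aud & set(audiences):  # Audience left empty: aud is not checked at all
        return 401, "audience mismatch"
    return 200, "ok"

def demo() -> dict:  # replay the curl checks above offline, plus three forgeries the gateway must refuse
    n, e, d = gen_rsa_keypair()
    kid = "test-key"  # constructed; the converter in step 1 generated a UUID instead
    jwks = make_jwks(n, e, kid)
    token = sign_jwt({"iss": "test", "aud": "ASM"}, kid, n, d)
    other = sign_jwt({"iss": "test", "aud": "other-service"}, kid, n, d)
    head, body, sig = token.split(".")
    attempts = {  # name: (Authorization header, configured Audience list)
        "valid token": ("Bearer " + token, ["ASM"]),  # 200
        "invalid token": ("Bearer invalidToken", ["ASM"]),  # 401
        "audience left empty": ("Bearer " + other, []),  # 200
        "no token": (None, ["ASM"]),  # 403
        "wrong audience": ("Bearer " + other, ["ASM"]),  # 401
        "alg none": ("Bearer " + b64url_encode(b'{"alg":"none","kid":"test-key"}') + "." + body + ".", ["ASM"]),  # 401
        "tampered payload": ("Bearer " + head + "." + b64url_encode(b'{"iss":"test","aud":"ASM","sub":"admin"}') + "." + sig, ["ASM"]),  # 401
    }
    return {name: gateway_check(hdr, jwks, "test", auds)[0] for name, (hdr, auds) in attempts.items()}
```

<p>Call <strong>demo()</strong> to get each attempt mapped to its status code. Only two attempts are let through: the token that matches the configured audience, and, only while <strong>Audience</strong> is empty, the token issued for <strong>other-service</strong>, which is exactly why the audience should be set outside of this test. The <strong>kid</strong> lookup is also why the header of every token must repeat the <strong>kid</strong> of the JWK in the JWKS: a token with an unknown <strong>kid</strong> is refused before its signature is even examined.</p>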
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0087.html">Security</a></div>
</div>
</div>