I'm new to this ingress and Nginx so sorry if the question seems to be simple. :-)
So here goes my requirement/problem statement:
Have an API service with a JWT token for Authorization and the API service is in an Open network as well.
So now my requirement is when I open this URL(https://abcd.com/swagger-ui/index.html ) in the browser it is available. And i would need to block this URL alone to be accessed only with basic authentication
The application is running in kubernetes. And I tried to configure it our deployment.yaml file by making configuration changes using Ingress.
Any help is appreciated, thanks in advance.
I hope my requirement is made clear. :-P
Related
I'm working upon a project which have multiple microservices for the restful APIs (Tech: NodeJS) which are running inside a single Docker container. So here I'm facing the issue to validate the AUTH Token. So can anyone help me to provide the best solution of this issue. A small guide will also be helpful.
Thank You,
I tried to check valid AUTH token inside each and every microservice. Which is not looking a good idea.
I'm using traefik as a reverse proxy. I want to set OAuth2 authentication for a entry point.
In the document, I found the Forward Authentication which I think may be useful for this. But the document is just too simple
This configuration will first forward the request to http://authserver.com/auth.
If the response code is 2XX, access is granted and the original request is performed. Otherwise, the response from the authentication server is returned.
I've no idea how can I achieve authentication OAuth2 within a forwarding?
I've tried oauth2_proxy but didn't find a solution.
In this issue/comment guybrush provided a solution. But that, in fact, was a double reverse proxys.
I've recently built an app for this: https://github.com/thomseddon/traefik-forward-auth
It uses Forward Authentication, as you mentioned, and uses Google OAuth to authenticate users.
There's an example Docker Compose setup here: https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose.yml. See the traefik.toml file to see how Traefik is configured to point at the app.
Let me know if it is helpful!
Instead of trying to make Traefik support your case, let Traefik do what it does best and instead use Keycloak Gatekeeper for authentication (and potentially authorization).
This would change your setup from
Client -- Traefik -- Service
to
Client -- Traefik -- Gatekeeper -- Service
This means that both Traefik and Gatekeeper act as reverse proxy.
It's incredibly simple to model complex auth setups with this approach. One potential drawback is however the additional RP layer, so for high performance setups this may not be an ideal solution.
Note that Gatekeeper can work with any OIDC compatible IdP, so you don't have to run Keycloak to use it.
I am writing a set of Puppet modules that deploy WSO2 ESB & Identity Service and the API & authentication services we are providing to a client.
For the most part, I have been able to figure out which XML config files I need to update to automatically configure the WSO2 product.
However, I can't work out how to automatically provision an OAuth2 service provider via the config files. I can create and successfully use an OAuth2 service provider through the Identity Service mgmt console, however I'd really rather not have to do that as a manual step when my aim is to configure a set of machines using Puppet to automatically provision an OAuth2 provider.
To confirm, screenshot of the UI below that I am trying to apply settings for via an XML config file, rather than having to do it in the UI:
After some googling, is the correct directory /repository/conf/identity/service-providers?
If so, could somebody point me in the direction of an example where this is used for configuring an OAuth2 service provider?
If not, any more pointers would be gratefully received!
Many thanks
Chris
In case of searching configuration file for adding OAuth configuration without management console UI, you are in the right place. As you specified you can use the configuration in /repository/conf/service-providers/default.xml.
When you add service provider you have to call IdentityApplicationManagementService. You can use IdentityApplicationManagementServiceStub to call IdentityApplicationManagementService. When you add OAuth configuration you have to call OAuthAdminService. You can use OAuthAdminServiceStub to call OAuthAdminService. After creating the service provider and OAuth configurations separately, you have to bind service provider with created OAuth configs.
Note that I will recommend to check the source code in UI classes which used to add service providers, OAuth configs and binding those two. Hope this helps.
I'm trying to implement an OAuth2 provider for my web service.
It seems easier to implement the Authentication Server together with the Resource Server. The specification doesn't say anything about the communication between them.
Does anybody see a reason not to do this?
I had a post yesterday regarding this issue. I hope we can mutual answer each other. First to directly answer your question, I think it depends very much on the load that your app has to handle. If you have to scale your app to many resource servers, keeping a separate auth server is the best because you can centrally manage user credentials and access_token in one place.
Here is my question. I believe if you have tried something similar to mine, you can give me some suggestions.
OAuth - Separating Auth Server and Resource server returns invalid token when accessing protected resource
How can I expose the wsdl through WSO2 governance registry. I have promoted the service lifecylce through to production and was hoping to get an URL some which I can share with the service consumers for discovering the service and the contract. Any pointers are appreciated.
Update: "URL some " is a typo.. apologies. In a nutshell I am unable to comprehend how to accomplish UDDI / WS-Discovery aspects with instructions in the document. I am simply looking to expose the wsdl through a url such as this "host:port/services/environment/myservice?wsdl" and would like to have the flexibility of managing service endpoints for each environment. I have a client which has to discover the wsdl's dynamically and i am figuring out ways to expose it to them. In the process, stumbled upon the wso2 product and trying to figure out.
You can use ws-discovery
another option is , you can use UDDI registry to find your services..