►
Description
With the spread of micro services, it becomes a best practice to manage the authentication at the Edge (using an API gateway) instead of implementing it independently for each service. But this approach also introduces new challenges:
- how does the application know who the user is ?
- how can the application get more information about the user ?
- how can the application force a logout ?
- what about the authorization ?
In this talk, Denis will cover the different authentication mechanisms (OAuth, JWT, ...) and show how to overcome these challenges with practical examples and demos (passing user information using headers generated from claims, performing authorization with OPA, ...).
B
Hi
everyone
welcome
to
this
session
about
advanced
authentication
patterns
at
the
edge.
I
am
donijano
director
of
field
engineering
in
emea
at
solo.io.
So,
let's
start
with
a
little
bit
of
background.
Obviously
all
of
you
are
aware
that
applications
are
now
like
developed
with
micro
services,
and
I
would
say
that
most
of
you
will
agree
that
these
micro
services
tends
to
now
run
on
cubans
clusters
and
one
of
the
first
questions.
People
are
asking
as
soon
as
they
start
to
deploy
the
application
on
kubernetes
is.
B
How
do
I
expose
my
application
to
the
outside
world
and
the
standard
answer
for
that
in
the
kubernetes
world
is
to
use
an
ingress
controller
like
nginx
or
hp
proxy,
or
something
like
that
and
it
works
like
it.
You
can
expose
your
service,
you
can
secure
it
with
tls.
You
can
do
some
basic
routing,
but
very
quickly.
We
have
more
and
more
applications
deployed
in
the
cubans
cluster
and
each
team
reinvents
the
wheel
in
terms
of
managing
the
authentication,
for
example.
B
So
you
have
like
one
application
that
wants
to
secure
the
access
with
or2
another
one
want
to
use
like
jot
tokens.
Another
one
want
to
use
like
api
keys
or
even
like
a
mix
of
different
options,
and
they
also
need
some
capabilities
that
you
generally
find
in
a
traditional
api
gateway
that
runs
outside
of
kubernetes,
some
things
like
rate
limiting
web
application,
firewall
and
and
so
on.
B
Basically
any
information
that
you
get
from
a
claim
that
is,
in
the
token
provided
by
the
end
user
or
the
job
token
returned
by
the
old
provider,
for
example.
And
what's
nice
as
well,
is
that
these
kubernetes
api
gateways
they
can
generally
do
much
more
than
just
authentication
right,
so
we
can
do
like
right,
limiting
waff,
but
also
like
things
like
transformation
and
so
on,
and
you
will
see
I
will
do
like
multiple
demos
to
to
try
to
to
demonstrate
that
in
a
nice
way.
B
These
api
gateways
can
also
be
used.
They
can
run
inside
the
qs
cluster,
but
still
be
used
to
expose
applications
running
in
legacy
environment
like
in
vms,
for
example.
They
can
also
be
used
to
expose
modern
services
running
in
functions
like
in
in
london,
for
example,
they
can
discover
these
lambda
functions
and
and
expose
them
to
the
outside
world.
B
B
So
in
that
talk,
I
will
focus
on
our
kubernetes
native
api
gateway,
which
is
called
glue
edge
and
blue
edge
is
based
on
envoy.
I
am
sure
that
most
of
you
are
familiar
with
with
envoy,
and
I
will
speak
about
it
like
in
a
minute,
but
basically
glue
edge
is
like
a
management
plane,
a
control
plane,
sorry
for
envoy
and
android
is
the
data
plane
and
you
configure
everything.
B
As
I
said,
through
custom
resources
in
kubernetes
blue
edge
reads
this
configuration
and
translate
that
into
envoy
configuration,
and
if
you
look
at
the
architecture
you
see
on
the
on
the
left,
the
envoy
piece,
and
you
see
these
different
boxes
that
represent
filters.
So
in
envoy
a
request
comes
in
and
it
goes
through
a
filter
chain
and
each
filter
in
the
chain
can
modify
the
request
in
one
way
or
another.
So,
for
example,
the
request
comes
in
and
you
want
to
perform
authentication.
B
Then
this
filter
will
not
perform
the
authentication
by
itself,
but
it
will
call
an
external
authentication
server
that
will
perform
the
authentication
and
say
yes
or
no.
Do
I
want
to
accept
or
not
this
call
the
same.
If
it's
accepted
it
can
go
through
a
rate
limiting
filter
that
will
color
write
limit
server
that
will
define
if
the
limit
is
rich
generally,
this
server
and
it's
what
we
do
in
blue
edge
is
using
like
redis
to
persist
information
about
the
request
and
to
be
able
to
determine
if
the
limit
is
is
rich.
B
And
then
there
are
like
many
things
that
can
be
done
directly
in
envoy.
In
the
filter,
without
even
calling
like
an
external
component
and
that's
what
we
we
have
done
like,
we
have
created
like
a
filter
for
interacting
with
lambda
function,
another
one
for
performing
transformation,
another
one
for
revolution,
firewall
for
ju
out
joe's
authentication.
We
don't
use
the
external
audition
server
for
that.
We
will
perform
that
directly
in
envoy,
so
we
there
is
like
an
open
source
version
of
glue
edge.
B
But
if
you
use
the
open
source
version,
then
you
have
to
build
your
own
external
authentication
server,
your
own
right,
limiting
server,
and
you
don't
get
all
these
filters.
You
get
some
of
them,
but
you
don't
get
like
the
web
option
firewall
or
jot,
and
basically
everything
that
is
really
related
to
security
is
in
the
enterprise
version
and
that's
what
I
will
use
in
in
the
demo.
B
B
B
B
Basically,
this
is
what
I
mean
right,
so
you
will
define
in
a
virtual
service
custom
resource
which
domain
you
want
to
listen
to
like
here.
I
say
I
have
a
request,
starting
by
slash
app
one.
I
want
to
perform
authentication
and
the
authentication
is
defined
in
this
external
object
and
I
want
to
delegate
the
action
to
this
root
table
so
that
the
team
can
be
responsible
for
managing
a
specific
domain.
B
Then
the
application
team
can
manage
all
the
different
paths
like
they
can
have
different
routes
for
different
micro
services
and
so
on,
and
then
you
can
use
like
an
external
object
to
to
define
the
way
you
want
to
authenticate
the
user.
And
you
see
here
we
have
a
simple
example
with
over.
Will
we
will
go
through
that
in
the
demo,
but
you
can
also
chain
together
multiple
steps
in
the
configure,
and
we
will
also
see
that
at
the
at
the
end.
So.
B
Okay,
so
in
this
environment
I
have
a
cubans
cluster,
and
if
I
look
at
my
pods,
I
can
see
that
I
have
this
glue
system
namespace,
where
I
have
different
components.
Some
of
them
are
optional
and
I
won't
go
through
the
full
details.
But
basically,
what
you
have
to
remember
is
that
get
the
gateway
proxy
pod
is
envoy.
B
B
So
what
I'm
going
to
do
here
is
that
I
deployed
the
key
clock
already
and
in
this
server,
and
I
will
configure
it
just
like
with
these
few
commands,
and
you
see
it
will
create,
like
a
user
one
with
the
password
password
and
another
user
tool
with
the
same
password,
but
they
will
have
two
different
email
addresses
right.
You
see
the
first
one
as
an
email
address
that
finished
by
solo.io,
while
the
second
one
has
an
email
that
finished
by
example.com
right.
B
So
it
looks
like
that
I
have
like
blue
edge
and
that
will
use
keyclock.
You
know
for
the
authentication,
so
I
can
create
like
a
kubernetes
secret,
that
contain
my
key
clock
secret,
and
then
I
create
this
odd
config
that
I
spoke
about
before
so
in
this
odd
config.
You
can
see
that
I
have
like
the
url
of
my
application,
the
url
of
key
clock.
You
know
just
like
basic
information
about
how
to
contact
and
interact
with
with
key
clock,
and
then
I
have
my
virtual
service.
B
You
remember.
I
described
that
just
before
it's
one
of
the
most
important
custom
resource
in
glue
edge
and
you
can
see
here.
I
will
add
this
option
to
it.
So
to
say,
when
I
have
a
request
with
starting
by
slash,
then
I
want
to
send
the
request
to
the
book
info
product
page
and
I
want
to
perform
authentication
using
the
hot
config
that
I
have
like
just
created
before
so
now.
If
I
open
like
chrome,
I
will
see
you
know.
B
I
have
ssl
here
and
I
can
authenticate
with
user
one
in
the
password
password
and
I
have
access
to
my
application.
So
you
see
it's
very
easy.
I
was
able
to
configure
it
it's
a
very
simple
case.
Right,
I
just
want
to
to
secure
the
access
with
or2,
but
there
will
be
at
the
end.
I
will
show
you
like
something:
a
little
bit
more
advanced
and
even
using
like
authorization
and
so
on.
But
before
that
I
want
to
show
you
also
a
few
other
capabilities
that
we
discussed
before.
B
B
B
Config,
like
we
created
the
art
config
before,
and
in
that
case
I
I
reference
the
red
limit
config
here,
so
I
know
that
it's
applied
to
this
root
and
you
see
you
can
do
it
here
at
the
root
level
and
that
will
apply
only
to
this
root,
but
I
could
put
this
option
at
the
domain
level
and
then
it
will
apply
to
all
the
roots.
So
we
have
like
a
lot
of
flexibility
here.
B
So
if
I
just
like
refresh
many
times
you
see
after
10
times,
I
get
this
429
response
codes,
meaning
that
I've
been
rate
limited
right.
So
I
can,
you
know,
delete
this
basic
rate
limit
config,
and
here
I
can
update
it
and
you
know
give
also
like
different
options
depending
if
I
am
like
authenticated
or
not
right,
I
would
say
if
I
am
an
anonymous
user,
I
want
to
have
like
just
five
requests
per
minute,
but
if
I
am
authenticated,
then
I
can
have
like
20
requests
per
minute.
B
So,
as
I
said,
you
can
have
granularity
about.
You
know
different
editors
of
combination
or
you
can
have
like.
Also
this
option
where
you
you
set
like
different
rules
for
different
users
or
different
rules
for
authenticated,
not
authenticated.
You
see
here.
I
am
not
not
authenticated
and
I
get
like
this
rate
limit
after
just
five
requests,
and
another
thing
we
spoke
about
before
is
like
a
web
application
firewall
right.
So
what
we
did
is
that
we
took
mod
security,
which
is
very
popular
and
we
put
it
inside
an
envoy
filter.
B
B
You
know
bigger
than
one
byte
right,
so
it's
just
like
for
demo
purpose.
Obviously,
but
you
see
it's
an
example:
you
can
limit
the
size
of
the
payload,
you
can
white
list,
some
ip
addresses
range,
or
you
know
this
kind
of
things
right.
So
now,
if
I
run
the
curl
command-
and
I
just
like
send
a
body
request
right
with
some
data-
it
will
be
directly
bigger
than
one
byte
right
and
you
see
I
get
this
error
right.
I
I
get
it's
refused
and
I
get
an
error
message
telling
me.
B
You
know
why
it
has
been
rejected
by
my
web
option
firewall.
There
could
be
other
options
like
you
could
block
certain
user
agents,
for
example
right.
So
if
I
have
a
user
agent
header
with
a
value
scanner,
then
I
want
to
reject
it
right.
So
again,
I
just
send
like
a
curl
request
with
this
user
agent
and
I
am
blocked
by
web
application
firewall.
You
have
like
a
lot
of
different
options.
I'm
just
like
giving
you
like
a
very
quick
overview.
B
B
So
here
you
see,
I
got
this
like
modified
response,
so
that's
just
an
example
right
you
can.
You
can
do
whatever
you
want
in
term
of
transforming
the
request,
header
request,
a
response,
adder
response
body
and,
and
things
like
that
right
we
can
also
like
define
where
we
want
to
do
this
transformation.
So
now,
sometimes
it's
nice
to
do
transformation
before
we
do
authentication
or
after
we
do
authentication
or
things
like
that
right.
So
here
we
have
what
we
call
an
early
transformation.
So
that
applies
before
the
authentication
right.
B
I
will
transform
the
the
response
and
I
will
add
this
json
content
type,
and
I
will
you
know,
change
the
the
body
as
well
right,
so
I
can
just
go
there
and
if
I
you
know
like,
if
the
status
is
401
right,
I
can
simulate
that
because
I
use
the
http
bin.
So
I
want
to
get
a
421,
so
I
just
have
to
call
this
right
and
you
see
the
the
transformation
here
right
that
is
happening.
B
While,
if
I
run
like
a
normal
request
with
like
the
code
200
right,
it
will
not
like
perform
any
transformation
right.
We
we
have
like
a
another
example
where
we
can
take
the
data
from
another
editor
using
like
a
regular
expression
and
create
a
new
editor
based
on
the
value
we
got
from
the
regular
expression
right.
B
So
you
can
see
here
we
can
have
in
the
request,
like
a
header
called
x,
my
initial
header-
and
it
has
this
format
bearer
and
something
right,
and
there
is
the
regular
expression
here
and
we
want
to
create
a
new
editor
with
just
the
value
here.
We
want
to
remove
beer
basically
right,
so
that
could
be
very
nice
when
you
want
to
maintain
compatibility
right.
B
B
So
you
see
here
we
say
we
want
to
use
the
jot
filter
so
that
we
take
the
email
claim
that
is
returned
by
in
the
jot
token
after
we
authenticate
with
key
clock,
and
I
want
to
create
a
new
header
called
x,
solo
claim
email
for
that
right.
So
we
do
that
for
just
updating
again
the
service,
and
if
I
refresh
my
my
token
here,
like
my
page
sorry
so
you
can
see
here
now,
I
have
this
x
solo
claim
email
that
is
received
by
the
backend
application.
B
So
you
remember,
we
do
the
application
at
the
gateway
level,
but
now
it's
important
also
for
the
backend
application
to
know
who
is
the
user
that
has
been
authenticated
right
so
now.
It
knows
it
right,
so
it
doesn't
have
to
be
from
the
authentication,
but
you
still
need
to
know
in
many
cases
who
has
been
authenticated
right.
So
that's
a
a
very
typical
use
case
and
then
we
can
also,
as
I
said,
chained
together
several
steps
in
the
hot
config
right.
B
So
we
did
like
create
a
hot
config
where
we
want
to
do
authentication
with
key
clock
here,
but
we
can
also
have
a
second
step
which
is
performing
auto
authorization
with
opa.
So
we
just
like
update
the
autoconfig
and
we
don't
need
an
opa
server.
This
is
what's
really
nice.
We
use
basically
the
opa
library
directly
in
our
external
authentication
service
so
that
you
just
need
to
provide
the
rego
policy
in
a
config
map.
B
B
B
A
I
just
want
to
stop
by
apologizing
for
the
video
quality
during
the
video
this
during
the
stream.
Denis
has
actually
posted
his
video
in
the
slack
channel.
So
if
you
want
to,
in
the
short
term,
have
a
look
at
any
of
the
command
line
or
terminal
in
in
a
higher
resolution,
and
you
can
do
that,
we
will
also,
when
we
post
this
recording
afterwards
on
youtube.
It
will
be
in
a
higher
resolution
as
well.
So
apologies
for
the
technical
issues
that
we
had
with
the
stream.
A
B
Yeah,
like
always
on
slack
right
and
you
can
find
me
in
the
cncf
slack
or
in
the
solo
slack,
so
don't
edit
to
come
here.
As
you
said,
you
know,
I
gave
the
link
for
the
recording,
so
perhaps
it
will
be
easier
to
have
questions
after
you
watch
it
with
seeing
all
the
command
lines
and
all
the
stuff,
so
don't
hesitate
to
take
the
time
to
watch
it
and
come
and
ping
me
on
either
the
cncf
slack
or
the
sort
of
slack,
and
I
will
I
would
be
happy
to
to
answer
any
question
there.