kubeshop / kusk-gateway

Kusk-gateway is an OpenAPI-driven API Gateway for Kubernetes
https://kubeshop.github.io/kusk-gateway/
MIT License
268 stars 20 forks source link

Private Key JWT or howto authn to API backend? #1048

Open s0l4r opened 1 year ago

s0l4r commented 1 year ago

Hello,

I am trying to integrate our private backend API (FastAPI) with Kusk Gateway with Zitadel, but I haven't been able to make it work.

Are there any plans to support Private Key JWT in Kusk Gateway, so that it could be used between Kusk API Gateway and a backend API (machine to machine) ? Or is it already supported, but I don't understand how it works?

See: https://oauth.net/private-key-jwt/ https://www.rfc-editor.org/rfc/rfc7523 https://cloudentity.com/developers/basics/oauth-client-authentication/private-key-jwt-client-authentication/ https://developer.okta.com/docs/guides/build-self-signed-jwt/java/main/#build-a-jwt-with-a-private-key

It is different from client_secret authentication, see: https://oauth.net/2/client-authentication/

Using Private Key is the recommended authn method for API's in Zitadel: https://zitadel.com/docs/apis/openidoauth/authn-methods#jwt-with-private-key https://zitadel.com/docs/guides/manage/console/applications#api

In this scenario, no client_secret is entered but an RSA private key that the JWT is signed with in my understanding.

So far in Kusk, I cannot see an option to provide a private key in the configuration for JWT.

The required steps to get this working is:

As we are using an SPA (Single Page Application), we don't want to store the client_secret on the client side, so my thought was that the clients use Authorization Code with PKCE flow, and for all API requests made by the client to Kusk Gateway. Then use a private key machine to machine between Kusk Gateway and in our case Zitadel for the API authn.

I will attach a diagram (which is somewhat incomplete and might have missed a few steps. I am sure it's incorrect too, but for now I am trying different flows to get it working. This is how I vision it to work at the moment:

Screenshot 2023-02-10 at 14 39 50

My issue is with step 7,8,9 at the moment, where my private API is not authenticated at all, but the Kusk Gateway does (either using private key or client_secret), forwards the request to the backend, and the backend returns the data to the user.

If anyone has any experience using Kusk Gateway and Zitadel, or is willing to try it out, I would be very happy to hear your comments!

Thanks!

aabedraba commented 1 year ago

Thanks for opening the issue @s0l4r !

We currently don't support private key with the JWT extension. We were actually thinking of adding it.

To unblock you, I believe you'll find the Custom Auth Upstream helpful to solve this problem. Basically, it allows you to write an auth service in whichever language you want and have it integrated with Kusk Gateway. That way, you can really achieve maximum customization with the way you setup auth.

I actually added a Firebase JWT authN example today that could be helpful to look at: https://github.com/kubeshop/kusk-examples/tree/main/with-firebase

Let me know if this solves your problem!