Configure the validation of the internal JSON Web Token that is used to authorize an API call reaching the individual services in the yuuvis® Momentum cluster.

The validation of internal JSON Web Tokens is supported as of version 2021 Autumn.
In order to prevent unauthorized access from outside by means of a faked JWT, as of version 2021 Autumn the signature of the internal JWT can be used for an additional validation of the caller's authorization. The validation is provided by the internal endpoint /authentication/jwt/verify of the AUTHENTICATION service. The endpoint is not exposed by default; to activate the validation, expose it manually as follows.

1. Expose the internal endpoint /jwt/verify/** in the profile authentication-prod.yml (adjust the indentation to the surrounding configuration):

- endpoints: /jwt/verify/**
  expose: true

2. Restart the authentication pod.

The endpoint can now be called with the JWT in the Authorization header:

curl --header 'Authorization: Bearer eyJraWQiOiJqd3Qtc2ln...' http://authentication/jwt/verify

If the signature of the JWT matches its header and payload, the validation is successful and the response body contains true. If the validation fails, the response body contains false. A caller should treat any response other than the literal true, including transport errors and an unreachable endpoint, as a failed validation.
The AUTHENTICATION service signs the internal JWTs with the key of a certificate container. We recommend replacing our default certificate with a customer-specific key. To configure the use of a customer-specific key (openssl is required), follow these steps:

1. Create a container with public and private key. The string jwt-signing-secret is used as alias and as file name for the container; it can optionally be replaced. The last command asks for an export password; this password is the value you will later enter as jwt.signing.keyStorePassword.

openssl genrsa -out jwt-signing-secret-key.pem
openssl req -new -x509 -days 3650 -key jwt-signing-secret-key.pem -out jwt-signing-secret-cert.pem -subj /C=DE/ST=DE-DE/L=jwt-signing-secret/CN=jwt-signing-secret
openssl pkcs12 -export -nodes -name jwt-signing-secret -inkey jwt-signing-secret-key.pem -in jwt-signing-secret-cert.pem -out jwt-signing-secret.p12

The files jwt-signing-secret-key.pem and jwt-signing-secret-cert.pem can be deleted afterwards. The private key is then contained only in jwt-signing-secret.p12; anyone holding this container and its password can mint internal JWTs, so handle it as a secret.

2. Store jwt-signing-secret.p12 as a Kubernetes secret in the yuuvis namespace.

3. Mount the secret into the authentication pod. The path /yuuvis/jwt-signing-secret.p12 used in the configuration below can be replaced.

4. Add the following code block left aligned in the profile authentication-prod.yml and adjust the configuration according to the container file: the file path, the alias and the passwords must match what you used when creating and mounting the container. Replace 'changeme' with your export password.

jwt.signing.keyStoreFile: '/yuuvis/jwt-signing-secret.p12'
jwt.signing.keyStoreType: 'pkcs12'
jwt.signing.keyStorePassword: 'changeme'
jwt.signing.keyAlias: 'jwt-signing-secret'
jwt.signing.keyPassword: 'changeme'
5. Restart the authentication pod.
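The following script is an added example; it is not part of the yuuvis® Momentum documentation or product. It runs the container procedure above end to end, non-interactively, performs the checks a practitioner wants before the container goes into the cluster (the store opens with the password intended for jwt.signing.keyStorePassword, the alias matches jwt.signing.keyAlias, the public key can be extracted), and then shows what the /jwt/verify answer of true or false means by signing a token with the container's private key and verifying it, a forged copy of it, and a non-token with the public key. Assumptions not stated on the page: the key size of 2048 bits is given explicitly, the export password is passed with -passout instead of at the prompt, the internal JWT is an RS256 compact JWS whose kid header equals the key alias (the sample token in the curl call above begins with a kid claim whose value starts with jwt-sig), and the token payloads are constructed sample data. The local verify_jwt function imitates the endpoint's signature check; it is not the service's code.

```shell
#!/bin/sh
# Added example, not from the yuuvis documentation. Assumptions: 2048-bit key,
# export password "changeme" passed via -passout, RS256 JWT with kid = key alias.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Key container exactly as in the procedure above, made non-interactive.
openssl genrsa -out jwt-signing-secret-key.pem 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key jwt-signing-secret-key.pem \
  -out jwt-signing-secret-cert.pem \
  -subj /C=DE/ST=DE-DE/L=jwt-signing-secret/CN=jwt-signing-secret
openssl pkcs12 -export -nodes -name jwt-signing-secret \
  -inkey jwt-signing-secret-key.pem -in jwt-signing-secret-cert.pem \
  -out jwt-signing-secret.p12 -passout pass:changeme

# 2. Checks before the container goes into the cluster: the store opens with the
#    password that becomes jwt.signing.keyStorePassword, the friendlyName (alias)
#    is what jwt.signing.keyAlias expects, and the public key is extractable.
container_alias() {
  openssl pkcs12 -in jwt-signing-secret.p12 -passin pass:changeme -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}
openssl pkcs12 -in jwt-signing-secret.p12 -passin pass:changeme -nokeys 2>/dev/null \
  | openssl x509 -pubkey -noout > jwt-signing-secret-pub.pem

# base64url without padding as used by JWS (RFC 7515); -A keeps output on one line.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_dec() {
  s="$(tr '_-' '/+')"
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# 3. Mint a token the way a signer holding the container's private key would.
sign_jwt() {  # $1 = JSON payload -> compact JWS on stdout
  header='{"alg":"RS256","typ":"JWT","kid":"jwt-signing-secret"}'
  input="$(printf '%s' "$header" | b64url).$(printf '%s' "$1" | b64url)"
  sig="$(printf '%s' "$input" | openssl dgst -sha256 -sign jwt-signing-secret-key.pem | b64url)"
  printf '%s.%s' "$input" "$sig"
}

# 4. What the verify endpoint answers, conceptually: check the signature over
#    header.payload with the public key and print true or false. Anything
#    malformed is "false"; nothing here can be misread as success.
verify_jwt() {  # $1 = token -> prints true or false
  case "$1" in *.*.*) ;; *) printf false; return 0 ;; esac
  h="${1%%.*}"; rest="${1#*.}"; p="${rest%%.*}"; s="${rest#*.}"
  if ! printf '%s' "$s" | b64url_dec > sig.bin 2>/dev/null; then printf false; return 0; fi
  if printf '%s' "$h.$p" | openssl dgst -sha256 -verify jwt-signing-secret-pub.pem \
       -signature sig.bin >/dev/null 2>&1; then
    printf true
  else
    printf false
  fi
}

# Attacker model from the text: reuse a captured signature under a forged payload.
forge_payload() {  # $1 = genuine token, $2 = forged JSON payload
  h="${1%%.*}"; rest="${1#*.}"; s="${rest#*.}"
  printf '%s.%s.%s' "$h" "$(printf '%s' "$2" | b64url)" "$s"
}

# Constructed sample payloads; claim names are illustrative only.
TOKEN="$(sign_jwt '{"sub":"alice","tenant":"default","exp":4102444800}')"
FORGED="$(forge_payload "$TOKEN" '{"sub":"alice","tenant":"default","roles":["admin"],"exp":4102444800}')"
echo "alias in container : $(container_alias)"
echo "genuine token      : $(verify_jwt "$TOKEN")"
echo "forged payload     : $(verify_jwt "$FORGED")"
echo "not a JWT          : $(verify_jwt 'eyJraWQiOiJqd3Qtc2ln')"
# Next step outside this script (secret name is an assumption):
#   kubectl -n yuuvis create secret generic jwt-signing-secret --from-file=jwt-signing-secret.p12
```

The forged token keeps a genuine signature but a different payload, which is exactly the case the verify endpoint is meant to catch: the signature no longer matches header and payload, so the answer is false. The container alias printed by container_alias is the value to put into jwt.signing.keyAlias; if it differs from what you expect, the -name argument of the pkcs12 export was wrong.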