Validating Internal JSON Web Tokens
Configure the validation of the internal JSON Web Token that is used to authorize an API call reaching the individual services in the yuuvis® Momentum cluster.
Preview
The validation of internal JSON Web Tokens will be supported as of version 2021 Autumn.
Table of Contents
Introduction
In order to prevent unauthorized access from outside by faking the JWT, as of version 2021 Autumn, its signature can be used for an additional validation of the caller's authorization. The validation is provided by the internal endpoint /authentication/jwt/verify
of the AUTHENTICATION Service. In order to activate the validation, the endpoint has to be exposed manually.
Configuration and Usage of Validation
Expose the internal endpoint /jwt/verify/**
in the profile authentication-prod.yml.
- endpoints: /jwt/verify/** expose: true
Restart the authentication
pod.
The endpoint can now be called with the JWT in the authorization header:
curl --header 'Authorization: Bearer eyJraWQiOiJqd3Qtc2ln...' http://authentication/jwt/verify
If the signature of the JWT matches its header and payload, the validation will be successful and the response body contains true
. If the validation fails, the response body contains false
.
Customer-specific Keys for Signature
The AUTHENTICATION service uses a certificate for the signature of the internal JWTs. We recommend to replace our default certificate by a customer-specific key. To configure the usage of a customer-specific key (openssl
is required), follow these steps:
Create a container with public and private key. The string
jwt-signing-secret
is used as alias and as file name for the container. It can optionally be replaced.openssl genrsa -out jwt-signing-secret-key.pem openssl req -new -x509 -days 3650 -key jwt-signing-secret-key.pem -out jwt-signing-secret-cert.pem -subj /C=DE/ST=DE-DE/L=jwt-signing-secret/CN=jwt-signing-secret openssl pkcs12 -export -nodes -name jwt-signing-secret -inkey jwt-signing-secret-key.pem -in jwt-signing-secret-cert.pem -out jwt-signing-secret.p12
- The files
jwt-signing-secret-key.pem
andjwt-signing-secret-cert.pem
can be deleted. - Import the container file
jwt-signing-secret.p12
as a Kubernetes secret in theyuuvis
namespace. - Add the secret at any place in the file system of the
authentication
pod.
Note: After delivery, the container file is located at/yuuvis/jwt-signing-secret.p12
and can be replaced. Add the following code block left aligned in the profile authentication-prod.yml and adjust the configuration according to the container file.
Addition to authentication-prod.ymljwt.signing.keyStoreFile: '/yuuvis/jwt-signing-key.p12' jwt.signing.keyStoreType: 'pkcs12' jwt.signing.keyStorePassword: 'changeme' jwt.signing.keyAlias: 'jwt-signing-key' jwt.signing.keyPassword: 'changeme'
- Restart the
authentication
pod.
Summary
Validate the internal JSON Web Token (JWT) by exposing the internal endpoint /authentication/jwt/verify
of the AUTHENTICATION service. For the JWT generation, replace our default certificate by a customer-specific key.