Validating Internal JSON Web Tokens

Configure the validation of the internal JSON Web Token that is used to authorize an API call reaching the individual services in the yuuvis® Momentum cluster.

Introduction

To prevent unauthorized access from outside with a forged JWT, the token's signature can be used for an additional validation of the caller's authorization. As of version 2022 Spring, the expiration date is validated as well, so a token can no longer be used for authentication once it has expired. The validation is provided by the internal endpoint /authentication/jwt/verify of the AUTHENTICATION service. To activate the validation, the endpoint has to be exposed manually.

Configuration and Usage of Validation

Expose the internal endpoint /jwt/verify/** in the profile authentication-prod.yml.

authentication-prod.yml
- endpoints: /jwt/verify/**
  expose: true

Restart the authentication pod.

The endpoint can now be called with the JWT in the Authorization header:

curl --header 'Authorization: Bearer eyJraWQiOiJqd3Qtc2ln...' http://authentication/jwt/verify

If the signature of the JWT matches its header and payload and the expiration date has not been exceeded, the validation succeeds and the response body contains true. If either check fails, the response body contains false.
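The two checks described above (signature over header and payload, expiration date not exceeded), re-implemented locally with openssl as an added example that is not part of yuuvis® Momentum. It assumes a freshly generated RSA key pair in place of the service's keystore, constructs its own tokens, and prints true or false in the same way the endpoint answers:

```shell
#!/usr/bin/env bash
# Added example, not yuuvis code: local re-implementation of the checks the
# /jwt/verify endpoint is documented to perform.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signing key pair standing in for the customer-specific key
# (a real deployment reads it from the .p12 keystore, see below).
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# base64url helpers as used by JWT (no padding, URL-safe alphabet)
b64url_encode() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_token KEYFILE EXP_EPOCH -> prints an RS256 JWT with constructed claims
make_token() {
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"jwt-signing-secret"}' | b64url_encode)
  payload=$(printf '{"sub":"user@example","exp":%s}' "$2" | b64url_encode)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" | b64url_encode)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_token PUBKEYFILE TOKEN -> prints true (exit 0) or false (exit 1)
verify_token() {
  pub=$1; tok=$2
  h=${tok%%.*}; rest=${tok#*.}; p=${rest%%.*}; s=${rest#*.}
  # 1. The signature must match header and payload.
  b64url_decode "$s" > "$WORK/sig.bin"
  if ! printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$pub" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1; then
    echo false; return 1
  fi
  # 2. The expiration date (exp, seconds since epoch) must not be exceeded.
  exp=$(b64url_decode "$p" | sed -n 's/.*"exp":[ ]*\([0-9][0-9]*\).*/\1/p')
  if [ -z "$exp" ] || [ "$exp" -le "$(date +%s)" ]; then
    echo false; return 1
  fi
  echo true
}

# usage: a valid token, an expired one, and one whose payload was altered
valid=$(make_token "$WORK/key.pem" $(( $(date +%s) + 3600 )))
expired=$(make_token "$WORK/key.pem" $(( $(date +%s) - 60 )))
verify_token "$WORK/pub.pem" "$valid"
verify_token "$WORK/pub.pem" "$expired"
```

Tokens without an exp claim are rejected here as well; that is a choice of this example, the page only states that an exceeded expiration date fails the check.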

Customer-specific Keys for Signature

The AUTHENTICATION service signs the internal JWTs with a certificate. We recommend replacing our default certificate with a customer-specific key. To configure the use of a customer-specific key (openssl is required), follow these steps:

  • Create a container holding the public and private key. The string jwt-signing-secret is used both as the alias and as the file name of the container; it can optionally be replaced.

    openssl genrsa -out jwt-signing-secret-key.pem
    openssl req -new -x509 -days 3650 -key jwt-signing-secret-key.pem -out jwt-signing-secret-cert.pem -subj /C=DE/ST=DE-DE/L=jwt-signing-secret/CN=jwt-signing-secret
    openssl pkcs12 -export -nodes -name jwt-signing-secret -inkey jwt-signing-secret-key.pem -in jwt-signing-secret-cert.pem -out jwt-signing-secret.p12
  • The files jwt-signing-secret-key.pem and jwt-signing-secret-cert.pem can be deleted.
  • Import the container file jwt-signing-secret.p12 as a Kubernetes secret in the yuuvis namespace.
  • Mount the secret at any location in the file system of the authentication pod.
    Note: After delivery, the container file is located at /yuuvis/jwt-signing-secret.p12 and can be replaced.
  • Add the following code block left aligned to the profile authentication-prod.yml and adjust the values (file path, password, alias) to match the container file.

    Addition to authentication-prod.yml
    jwt.signing.keyStoreFile: '/yuuvis/jwt-signing-key.p12'
    jwt.signing.keyStoreType: 'pkcs12'
    jwt.signing.keyStorePassword: 'changeme'
    jwt.signing.keyAlias: 'jwt-signing-key'
    jwt.signing.keyPassword: 'changeme'
  • Restart the authentication pod.
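Before restarting the pod it is worth checking that the jwt.signing.* values really match the container, since a wrong keyStorePassword or keyAlias only shows up when the service starts. The following added example (not yuuvis code) builds the container with the guide's openssl steps and then verifies file, password and alias the way the configuration will need them; the export password is passed with -passout, which the guide's command prompts for interactively instead, and the names and password are constructed sample values:

```shell
#!/usr/bin/env bash
# Added example, not yuuvis code: build the PKCS#12 container as in the guide
# and check that keyStoreFile, keyStorePassword and keyAlias fit together.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_keystore NAME PASSWORD -> prints the path of the created .p12
build_keystore() {
  name=$1; pass=$2
  openssl genrsa -out "$WORK/$name-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/$name-key.pem" \
    -out "$WORK/$name-cert.pem" -subj "/C=DE/ST=DE-DE/L=$name/CN=$name" 2>/dev/null
  # -passout is an addition so the export runs non-interactively
  openssl pkcs12 -export -name "$name" -inkey "$WORK/$name-key.pem" \
    -in "$WORK/$name-cert.pem" -out "$WORK/$name.p12" -passout "pass:$pass" 2>/dev/null
  printf '%s' "$WORK/$name.p12"
}

# check_keystore FILE PASSWORD ALIAS -> exit 0 only if the file opens with that
# password and carries an entry whose friendlyName equals the alias
check_keystore() {
  file=$1; pass=$2; alias=$3
  [ -r "$file" ] || { echo "keyStoreFile not readable: $file"; return 1; }
  # parsing with the password verifies the MAC, so a wrong password fails here
  out=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) \
    || { echo "wrong keyStorePassword or not a PKCS#12 file: $file"; return 1; }
  # openssl prints the bag attributes, including the alias, before the certificate
  printf '%s\n' "$out" | grep -q "friendlyName: $alias\$" \
    || { echo "no entry with keyAlias '$alias' in $file"; return 1; }
  echo "ok: $file alias=$alias"
}

# usage: the alias chosen at export must be the one configured as keyAlias
ks=$(build_keystore jwt-signing-secret changeme)
check_keystore "$ks" changeme jwt-signing-secret
check_keystore "$ks" changeme jwt-signing-key || true
```

The second call fails on purpose: it reproduces the situation where the container was exported under one alias while authentication-prod.yml names another, which is the mismatch to rule out before the restart.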

Summary

Validate the internal JSON Web Token (JWT) by exposing the internal endpoint /authentication/jwt/verify of the AUTHENTICATION service. For the JWT generation, replace our default certificate with a customer-specific key.
