github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Backport of docs: minor fixes to JWT auth docs into release/1.16.x (#17681) 

* no-op commit due to failed cherry-picking

* docs: minor fixes to JWT auth docs (#17680)

* Fixes

* service intentions fixes

---------

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
pull/17685/head
hc-github-team-consul-core 2023-06-12 18:51:41 -04:00 committed by GitHub
parent 22041d7539
commit 7ea48caf81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 196 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
website/content/docs/connect/config-entries/jwt-provider.mdx
View File

@ -101,50 +101,54 @@ When every field is defined, a JWT provider configuration entry has the followin
Kind = "jwt-provider" # required Kind = "jwt-provider" # required
Name = "<name-of-provider-configuration-entry>" # required Name = "<name-of-provider-configuration-entry>" # required
Issuer = "<jwt-issuer>" # required Issuer = "<jwt-issuer>" # required
JWKS = { # required JSONWebKeySet = { # required
Local = { # cannot specify with JWKS{}.Remote Local = { # cannot specify with JWKS{}.Remote
String = "<JWKS-formatted-as-string>" # cannot specify with JWKS{}.Remote{}.Filename JWKS = "<JWKS-as-base64-string>" # cannot specify with JWKS{}.Local{}.Filename
Filename = "<path/to/JWKS/file>" # cannot specify with JWKS{}.Remote{}.String Filename = "<path/to/JWKS/file>" # cannot specify with JWKS{}.Local{}.String
} }
} }
JWKS = { JSONWebKeySet = {
Remote = { # cannot specify with JWKS{}.Local Remote = { # cannot specify with JWKS{}.Local
URI = "<uniform-resource-identifier>" URI = "<uniform-resource-identifier>"
RequestTimeoutMs = 1500 RequestTimeoutMs = 1500
CacheDuration = "5m" CacheDuration = "5m"
FetchAsynchronously = false FetchAsynchronously = false
RetryPolicy = { RetryPolicy = {
NumRetries = 0 NumRetries = 0
} RetryPolicyBackoff = {
} BaseInterval = "1s"
MaxInterval = "10s"
} }
}
}
}
Audiences = ["<aud-claims>"] Audiences = ["<aud-claims>"]
Locations = [ Locations = [
{ {
Header = { Header = {
Name = "<name-of-header-with-token>" Name = "<name-of-header-with-token>"
ValuePrefix = "<prefix-in-header-before-token>" ValuePrefix = "<prefix-in-header-before-token>"
Forward = false Forward = false
}
},
{
QueryParam = {
Name = "<name-of-query-parameter-with-token>"
}
},
{
Cookie = {
Name = "<name-of-cookie-with-token>"
}
} }
},
{
QueryParam = {
Name = "<name-of-query-parameter-with-token>"
}
},
{
Cookie = {
Name = "<name-of-cookie-with-token>"
}
}
] ]
Forwarding = { Forwarding = {
HeaderName = "<name-appended-to-forwarding-header>" HeaderName = "<name-appended-to-forwarding-header>"
PadForwardPayloadHeader = false PadForwardPayloadHeader = false
} }
ClockSkewSeconds = 30 ClockSkewSeconds = 30
CacheConfig = { CacheConfig = {
Size = 0 Size = 0
} }
``` ```
@ -154,54 +158,58 @@ CacheConfig = {
```json ```json
{ {
"Kind": "jwt-provider", // required "Kind": "jwt-provider", // required
"Name": "<name-of-provider-configuration-entry>", // required "Name": "<name-of-provider-configuration-entry>", // required
"Issuer": "<jwt-issuer>", // required "Issuer": "<jwt-issuer>", // required
"JWKS": { // required "JSONWebKeySet": { // required
"Local": { // cannot specify with JWKS.Remote "Local": { // cannot specify with JWKS.Remote
"String": "<JWKS-formatted-as-string>", // cannot specify with JWKS.Local.Filename "JWKS": "<JWKS-as-base64-string>", // cannot specify with JWKS.Local.Filename
"Filename": "<path/to/JWKS/file>" // cannot specify with JWKS.Local.String "Filename": "<path/to/JWKS/file>" // cannot specify with JWKS.Local.String
} }
}, },
"JWKS": { "JSONWebKeySet": {
"Remote": { // cannot specify with JWKS.Local "Remote": { // cannot specify with JWKS.Local
"URI": "<uniform-resource-identifier>", "URI": "<uniform-resource-identifier>",
"RequestTimeoutMs": "1500", "RequestTimeoutMs": "1500",
"CacheDuration": "5m", "CacheDuration": "5m",
"FetchAsynchronously": "false", "FetchAsynchronously": "false",
"RetryPolicy": { "RetryPolicy": {
"NumRetries": "0" "NumRetries": "0",
} "RetryPolicyBackOff": {
"BaseInterval": "1s",
"MaxInterval": "10s"
} }
}, }
"Audiences": ["<aud-claims>"], }
"Locations": [ },
"Audiences": ["<aud-claims>"],
"Locations": [
{ {
"Header": { "Header": {
"Name": "<name-of-header-with-token>", "Name": "<name-of-header-with-token>",
"ValuePrefix": "<prefix-in-header-before-token>", "ValuePrefix": "<prefix-in-header-before-token>",
"Forward": "false" "Forward": "false"
} }
}, },
{ {
"QueryParam": { "QueryParam": {
"Name":"<name-of-query-parameter-with-token>", "Name":"<name-of-query-parameter-with-token>",
} }
}, },
{ {
"Cookie": { "Cookie": {
"Name": "<name-of-cookie-with-token>" "Name": "<name-of-cookie-with-token>"
} }
} }
], ],
"Forwarding": { "Forwarding": {
"HeaderName": "<name-appended-to-forwarding-header>", "HeaderName": "<name-appended-to-forwarding-header>",
"PadForwardPayloadHeader": "false" "PadForwardPayloadHeader": "false"
}, },
"ClockSkewSeconds": "30", "ClockSkewSeconds": "30",
"CacheConfig": { "CacheConfig": {
"Size": "0" "Size": "0"
} }
} }
``` ```
@ -217,12 +225,12 @@ metadata: # required
namespace: <namespace> namespace: <namespace>
spec: # required spec: # required
issuer: <jwt-issuer> issuer: <jwt-issuer>
jwks: jsonWebKeySet:
local: # cannot specify with spec.jwks.remote local: # cannot specify with spec.jsonWebKeySet.remote
string: <jwks-formatted-as-string> # cannot specify with spec.jwks.local.filename jwks: <jwks-as-base64-string> # cannot specify with spec.jsonWebKeySet.local.filename
filename: <path/to/jwks/file> # cannot specify with spec.jwks.local.string filename: <path/to/jwks/file> # cannot specify with spec.jsonWebKeySet.local.string
jwks: jsonWebKeySet:
remote: # cannot specify with spec.jwks.local remote: # cannot specify with spec.jsonWebKeySet.local
uri: <uniform-resource-identifier> uri: <uniform-resource-identifier>
requestTimeoutMs: 1500 requestTimeoutMs: 1500
cacheDuration: 5m cacheDuration: 5m
@ -953,7 +961,7 @@ metadata:
name: okta name: okta
spec: spec:
issuer: okta issuer: okta
jwks: jsonWebKeySet:
remote: remote:
uri: https://dev-850216.okta.com/oauth2/default/v1/keys uri: https://dev-850216.okta.com/oauth2/default/v1/keys
cacheDuration: 30m cacheDuration: 30m

108
website/content/docs/connect/config-entries/service-intentions.mdx
View File

@ -1313,3 +1313,111 @@ When using cluster peering connections, intentions secure your deployments with
``` ```
</CodeTabs> </CodeTabs>
### JWT validation with intentions
The following example configures a service intention that evaluates requests when a service named `backend` receives a request from the `frontend` service. When the request is sent to the `/admin` HTTP path, a JSON Web Token provided by Okta is evaluated. In addition to the validation requirements in a separate JWT provider configuration entry, an additional check occurs to confirm that the token has either a `perms` or `role` claim with the `admin` value. If it does, the request is authorized.
Because the intention allows requests that come from the `/` HTTP path, only requests on the `/admin` path are subject to token validation.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "backend"
Sources = [
{
Name = "frontend"
Permissions = [
{
HTTP = {
PathExact = "/admin"
}
JWT = {
Providers = [
{
Name = "okta"
VerifyClaims = [
{
Path = ["perms", "role"]
Value = "admin"
}
]
}
]
}
},
{
Action = "allow"
HTTP = {
PathPrefix = "/"
}
}
]
}
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: backend
spec:
sources:
name: frontend
permissions:
http:
pathExact: /admin
jwt:
providers:
name: okta
verifyClaims:
path:
- perms
- role
value: admin
action: allow
http:
pathPrefix: /
```
```json
{
"Kind": "service-intentions",
"Name": "backend",
"Sources": [
{
"Name": "frontend",
"Permissions": [
{
"HTTP": {
"PathExact": "/admin"
},
"JWT": {
"Providers": [
{
"Name": "okta",
"VerifyClaims": [
{
"Path": ["perms", "role"],
"Value": "admin"
}
]
}
]
}
},
{
"Action": "allow",
"HTTP": {
"PathPrefix": "/"
}
}
]
}
]
}
```
</CodeTabs>