Authorize different API endpoints via oauth2

Time: 09-29

I currently secure my API (running on k8s) with an oauth2-proxy which then redirects requests to the API.

As the scope of content (on API-level) should vary based on subgroups, these groups should be authorized only for their entitled scope. The Access Token provides the required subgroup affiliations, but I cannot bridge the gap between the proxy handling the authentication and the API doing the authorization. I also just want to use a single API and oauth2 infrastructure.

Is it possible to pass the Access Token to the downstream API? What are best practices for this pattern?

Can someone point me in the right direction? Cheers

CodePudding user response:

Yes, that's possible: see the --pass-access-token and --set-xauthrequest options in oauth2-proxy.

E.g., I use this in oauth2-proxy.cfg:

    # Get JWT in x-auth-request-access-token
    pass_access_token = true
    set_xauthrequest = true

combined with this in the nginx ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-access-token # This holds the JWT (without 'Bearer ')
        nginx.ingress.kubernetes.io/auth-signin: http://dev.k8s.ese-ia/oauth2-proxy/start # external URL!
        nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.ese-ia.svc.cluster.local/oauth2-proxy/auth # internal service URL - must be an FQDN to be reachable from the ingress!

Note that the header name is not Authorization and that there is no Bearer prefix in the value, so the services using it might have to be changed. E.g., if you use Spring Boot, you will have to set a custom BearerTokenResolver.

(Bonus: If you use an AWS ELB with OIDC authentication instead of oauth2-proxy and an nginx ingress, the system is basically the same. Only the header name is different.)
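As an added illustration (not code from the question or the answer above) of what the downstream API has to do with the forwarded token: read the raw JWT from x-auth-request-access-token (no Bearer prefix, with a fallback to a normal Authorization header), verify it before trusting any claim, and map the groups claim onto endpoint entitlements. The HS256 secret, the claim names and the endpoint-to-group mapping are constructed for the demo; a real service verifies against the identity provider's signing key instead.

```python
import base64, hashlib, hmac, json, time
# Constructed demo HS256 secret; real services verify against the IdP's key (e.g. RS256 via JWKS).
DEMO_SECRET = b"constructed-demo-secret"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_token(claims):
    # Build a constructed JWT so the example runs offline.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def resolve_token(headers):
    # Like a custom BearerTokenResolver: the proxy's header carries the raw JWT
    # with no 'Bearer ' prefix; fall back to a standard Authorization header.
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-auth-request-access-token" in lower:
        return lower["x-auth-request-access-token"].strip()
    auth = lower.get("authorization", "")
    return auth[7:].strip() if auth.lower().startswith("bearer ") else None

def verify_and_decode(token):
    # The API verifies signature and expiry itself: a forwarded header can be
    # spoofed by anything that reaches the service without passing the ingress.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

# Which subgroup is entitled to which endpoint (constructed mapping).
ENDPOINT_GROUPS = {"/api/reports": {"analysts"}, "/api/admin": {"admins"}}

def authorize(headers, path):
    token = resolve_token(headers)
    try:
        groups = set(verify_and_decode(token).get("groups", [])) if token else set()
    except ValueError:
        return False
    return bool(groups & ENDPOINT_GROUPS.get(path, set()))
```

If the API is reachable inside the cluster without going through the ingress, the header alone proves nothing, which is why the signature check stays in the service even though oauth2-proxy already validated the login.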
