Apigee envoy adapter with HS512

dsh
Bronze 2

Hello,


I've followed following example on how to configure envoy-adapter with Apigee.


https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/example-hybrid#prerequisites


In this example RS256 is being used to generate JWT. How can I change it to use HS512?


Thanks in advance.


In the currently released versions of envoy adapter, the JWT validation is performed by the Envoy's jwt_authn filter, which certainly supports HS512.

However, using symmetric encryption means you probably don't want to make the jwks endpoint publicly available. If your Envoy is in a secure environment, I imagine you could supply the key directly to it. The following is some sketch.

# evaluate JWT tokens, allow_missing allows API Key also
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      apigee:
        issuer: issuer
        audiences:
          - audience
        remote_jwks: # replace this with local_jwks with embedded string or so.


https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter
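A worked version of that sketch, added here as an example and not taken from the original post or from the Envoy or Apigee documentation: the remote_jwks is replaced by a local_jwks whose inline JWKS holds an "oct" (shared-secret) key for HS512. The key id, issuer, audience and the base64url "k" value are constructed placeholders; the secret must be the one used by whatever issues the HS512 tokens, and because it now lives in the Envoy config, that config has to be protected like any other secret.

```yaml
# Added example (not from the original post): jwt_authn provider that verifies
# HS512 tokens with a shared secret embedded in the Envoy config, instead of
# fetching a public JWKS. All values below are constructed placeholders.
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      apigee:
        issuer: issuer            # must equal the token's "iss" claim
        audiences:
          - audience              # token's "aud" claim must match
        local_jwks:
          inline_string: |
            {
              "keys": [
                {
                  "kty": "oct",
                  "kid": "hs512-key-1",
                  "alg": "HS512",
                  "k": "PLACEHOLDER_BASE64URL_ENCODED_SECRET"
                }
              ]
            }
    rules:
      - match:
          prefix: /
        requires:
          requires_any:
            requirements:
              - provider_name: apigee   # a valid HS512 token satisfies the rule
              - allow_missing: {}       # no token at all is also allowed (API key path)
```

The "k" value is the raw shared secret, base64url-encoded without padding; a token whose "alg" header does not match the key's "alg" is rejected by the filter.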

dsh
Bronze 2

@luwei_ge ,

Thank you. 

Excuse my ignorance. I am new to apigee and everything is new at the moment.

Apigee is on-premise.

So far I followed an example in original post, and testing in httpbin sample. Sample has generated following yamls and I have deployed in my Kubernetes.

  • apigee-envoy-adapter.yaml
  • envoyfilter-sidecar.yaml
  • httpbin.yaml
  • request-authentication.yaml


Also the example has created some API proxies in apigee. Do I need to make change in Apigee?


i.e. remote-service has the following:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT async="false" continueOnError="false" enabled="true" name="Generate-VerifyKey-Token">
    <DisplayName>Generate VerifyKey Token</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.private_key"/>
        <Id ref="private.kid"/>
    </PrivateKey>
    <Issuer ref="iss"/>
    <Audience>remote-service-client</Audience>
    <ExpiresIn>15m</ExpiresIn>
    <NotBefore ref="nbf"/>
    <AdditionalClaims>
        <Claim name="client_id" ref="apikey"/>
        <Claim name="api_product_list" ref="apiProductList" type="string" array="true"/>
        <Claim name="application_name" ref="appName"/>
        <Claim name="developer_email" ref="AccessEntity.ChildNodes.Access-Developer-Info.Developer.Email"/>
    </AdditionalClaims>
    <OutputVariable>jwtmessage</OutputVariable>
</GenerateJWT>


Do I need to change that algorithm to HS512?

Sorry for the late response.

No, you shouldn't modify this policy, which is used internally for the communication between envoy adapter and Apigee.

Is there any specific reason that you need to use HS512? If so, you will need to configure your own endpoint to supply the key for encryption/decryption. To clarify, the entire token validation process happens at Envoy (i.e. the Istio sidecar in your use case), and envoy adapter will simply receive and process decoded claims. In other words, nothing needs to be changed on the Apigee side. You will need to configure the Istio sidecar to be able to take the private key to validate the token, and I am afraid I don't have much expertise to guide you there.