API Security with OAuth2.0 using JWT Tokens

34 Launches
Solution Overview

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible." It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol.

OpenID Connect lets developers authenticate their users across websites and apps without having to own and manage password files. For the app builder, it provides a secure verifiable, answer to the question: “What is the identity of the person currently using the browser or native app that is connected to me?”

In this lab, we'll demonstrate how NGINX Controller API Management Module and NGINX App Protect can secure the OAuth Authorization Code flow, which is core to Open Banking specifications. The deployment and configuration of these elements will be performed automatically through a CI/CD pipeline.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers and session management, when it makes sense for them.

Goals & Objectives

The lab consists of one module as described below.

Module 1

In this module, the NGINX App Protect will be deployed as an Ingress Controller for Kubernetes and will provide both negative and positive security by ingesting the OpenAPI declaration file. The NGINX API Gateway will be controlled by NGINX Controller, will publish the application API based on the same OpenAPI declaration file, will provide JWT authentication and authorization and enforce rate limiting. The deployment and configuration of these elements will be performed automatically through a CI/CD pipeline. After the pipeline is deployed, the lab user can access the application, submit a transfer request and authenticate via the OAuth 2.0 protocol.

Hardware & Software

  • 1 x Windows Jump host (Win Server 2012 R2) with vscode installed
  • 1 x CICD and Docker(NGINX API gw, Dev Portal)  (Ubuntu 16.04)
  • 3 x Kubernetes cluster Nodes (Ubuntu 16.04) VM's
  • 1 x NGINX Controller 3.9 (CentOS 7)
  • 2 x BIG-IP v
  • 1 x ELK Stack (Ubuntu 18.04)
  • 1 x GitLab CE server (Ubuntu 14.04)
  • 1 x Vyos Router (Ubuntu 18.04)