Skip to content

Authentication and Authorization

Overview

This document outlines the authentication and authorization mechanisms implemented in our system. It covers the token-based security mechanism using an Envoy filter, integration with Keycloak for identity and access management, and the application of Role-based Access Control (RBAC) for fine-grained permissions.

Token-based Security Mechanism

The system employs a robust token-based security mechanism integrated within the Istio service mesh. This approach ensures that only authenticated and authorized requests can access protected services.

Implementation Details

  • Envoy Filter: A custom HTTP filter deployed as a sidecar container alongside the service it secures. It performs the following functions:
  • Request Interception: All incoming requests are intercepted for validation.
  • Token Validation: Validates the JWT token's signature and checks the token ID against a revocation list stored in a PostgreSQL database.
  • Caching: To improve performance and reduce database queries, caching is used for the token's revocation status and the public key for signature verification.

Verification Process

  1. Extract Token: The token is extracted from the request header.
  2. Validate Structure and Signature: Checks if the token structure is valid and verifies the signature.
  3. Check Expiration: Ensures the token has not expired.
  4. Verify Claims: Verifies the issuer and audience claims.
  5. Revocation List Check: Checks the token ID against a revocation list.

Keycloak Integration

Keycloak serves as the central identity and access management system, offering features like OAuth 2.0, OpenID Connect support, and multi-factor authentication.

Integration Steps

  1. Realm Configuration: Set up a Keycloak realm specific to the API.
  2. Client Application Setup: Register the client application in Keycloak.
  3. Roles and Permissions: Define roles and permissions for access control.
  4. Token Configuration: Configure token settings, including lifespan and signature algorithm.
  5. Library Integration: Integrate Keycloak libraries with the Envoy filter for seamless authentication and authorization.

Access Control

Role-based Access Control (RBAC) is implemented to provide fine-grained access control to API endpoints. This section could be expanded with examples of role definitions and how they are applied to endpoints.

Best Practices

  • Regularly Update Roles: Ensure roles and permissions are regularly reviewed and updated to reflect changes in access requirements.

Common Issues and Troubleshooting

  • Token Validation Failure: Ensure the token has not expired and the signature matches the public key.
  • Access Denied: Verify the user's roles and permissions align with the requested resource's access control policies.
  • Performance Issues: Check the caching mechanism for token validation and revocation status to ensure it is functioning correctly.