This is a proof-of-concept implementation of Open Policy Agent (OPA) for microservices authorization in an API Gateway (Traefik).
Detailed description of our use-case and implementation is available in our blog - https://blog.appsecco.com/microservices-authorization-using-open-policy-agent-and-traefik-api-gateway-ae30f3bf2846
Authentication and authorization in a microservices environment is non-trivial. This becomes especially true when identity and authorization controls are distributed across different applications.
In this proof of concept scenario, we want to demonstrate using the API Gateway pattern for centralised enforcement of authorisation rules.
To do this, we use the following components:
- Traefik (API Gateway)
- Open Policy Agent (AuthZ policy management and evaluation)
- Middleware (custom) for connecting Traefik with Open Policy Agent
Start the stack:

```sh
docker-compose up
```

Request `api-1` without authorization:

```sh
curl http://localhost:9000/api-1/
```

Generate a JWT for AuthZ:

```sh
export TOKEN=`ruby -rjwt -e 'print JWT.encode({"roles":["api-1-users"]}, nil, "none")'`
```

Request `api-1` with the token:

```sh
curl -H "Authorization: $TOKEN" http://localhost:9000/api-1/
```

Try requesting `api-2` with the same token:

```sh
curl -H "Authorization: $TOKEN" http://localhost:9000/api-2/
```
NOTE: The JWT generated above is for testing purposes only. It is issued with `alg: none` and carries no cryptographic signature, so anyone can forge a token with whatever `roles` claim they like and bypass the authorization rules. This is NOT suitable for real-life use. Ensure JWT tokens are always signed, that the gateway verifies the signature against a known key, and that unsigned (`none`) tokens are rejected.
- Traefik is used as the API Gateway
  - Check configuration in `traefik/traefik.yml` and `traefik/dynamic.yml`
- Open Policy Agent is used for centralized authorization policy evaluation
  - Check `opa/policy.rego`
- 3 backend services are implemented
  - `/` is public
  - `/api-1` is available to any user with `role=api-1-users`
  - `/api-2` is available to any user with `role=api-2-users`
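The following is an added example, not code from this repository or its middleware, showing the decision a forward-auth middleware in front of these three services has to make: verify the token, turn it into the `path` + `roles` input the policy consumes, and apply the rules listed above. It uses only the Python standard library. The HS256 shared secret, the deny-by-default treatment of paths that are neither `/` nor a known `/api-N` prefix, and the `mint_hs256`/`mint_unsigned` helpers are assumptions made for the example; the `mint_unsigned` helper reproduces the shape of the `alg: none` token from the ruby one-liner above so the rejection can be seen.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example only. In a real deployment the token
# issuer and the gateway share this key (or the gateway holds the issuer's
# public key for an asymmetric algorithm).
SHARED_SECRET = b"example-hs256-secret-not-for-production"

# Role required per protected path prefix, mirroring the README's rules.
# "/" is public; anything else not listed here is denied (assumption).
ROLE_FOR_PREFIX = {
    "/api-1": "api-1-users",
    "/api-2": "api-2-users",
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed JWT (hypothetical issuer, used to build test tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def mint_unsigned(claims: dict) -> str:
    """Token of the same shape the demo's ruby one-liner produces: alg none, empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token has a valid HS256 signature, otherwise None.

    Any algorithm other than HS256 (including 'none') is rejected before the
    signature is even looked at, which is what closes the forgery in the NOTE.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None


def allow(path: str, roles: list) -> bool:
    """The README's rules: '/' is public, '/api-N' needs role 'api-N-users'."""
    for prefix, role in ROLE_FOR_PREFIX.items():
        if path == prefix or path.startswith(prefix + "/"):
            return role in roles
    return path == "/"


def forward_auth(path: str, authorization: Optional[str],
                 secret: bytes = SHARED_SECRET) -> int:
    """HTTP status a forward-auth middleware would answer Traefik with:
    200 = allow, 401 = missing/invalid token, 403 = authenticated but not permitted."""
    if allow(path, []):            # public path: no token required
        return 200
    if not authorization:
        return 401
    if authorization.startswith("Bearer "):
        authorization = authorization[len("Bearer "):]
    claims = verify_jwt(authorization, secret)
    if claims is None:
        return 401
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        roles = []
    return 200 if allow(path, roles) else 403


if __name__ == "__main__":
    signed = mint_hs256({"roles": ["api-1-users"]}, SHARED_SECRET)
    forged = mint_unsigned({"roles": ["api-1-users"]})
    for path, token in [("/", None), ("/api-1/", signed),
                        ("/api-2/", signed), ("/api-1/", forged)]:
        print(path, "signed" if token == signed else "no/forged token", forward_auth(path, token))
```

Run it and the four requests from the walkthrough come back 200, 200, 403 and, for the unsigned token that the demo accepts, 401. Swapping `verify_jwt` for a real OPA query (`POST /v1/data/...` with `{"input": {"path": ..., "roles": ...}}`) keeps the same decision shape; the point is that the signature check happens in the middleware before any claim is trusted.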