Authentication with OpenID Connect and Okta

Because the application stored credentials insecurely, it was decided to migrate to Okta, which provides user management and authentication without the need to store personal information locally.

1. Redeploy the frontend and microservice to a new version that uses OpenID Connect.

```shell
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: arcadia-frontend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: arcadia-frontend
  template:
    metadata:
      labels:
        app: arcadia-frontend
    spec:
      containers:
        - name: arcadia-frontend
          image: sorinboiaf5/arcadia-frontend:oktav0.1
          imagePullPolicy: Always
          ports:
            - containerPort: 80
EOF
```
2. Next, configure the Ingress controller to validate the JWT on each request and, if it is valid, add a custom header that tells the application which user is calling.

```shell
cat << EOF | kubectl apply -f -
# NGINX Policy that the VirtualServer references to perform the JWT validation
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: jwt-policy
spec:
  jwt:
    realm: apis
    jwksURI: https://dev-4525016.okta.com/oauth2/v1/keys
---
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: arcadia
spec:
  host: $nginx_ingress
  tls:
    secret: arcadia-wildcard # Represents the server certificate
    redirect:
      enable: true # Always redirect to https if the incoming request is http
  upstreams:
    - name: arcadia-users
      service: arcadia-users
      port: 80
      healthCheck: # The most basic health check config; for more info see https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#upstream-healthcheck
        enable: true
        path: /healthz
    - name: arcadia-login
      service: arcadia-login
      port: 80
      healthCheck:
        enable: true
        path: /healthz
    - name: arcadia-stocks
      service: arcadia-stocks
      port: 80
      healthCheck:
        enable: true
        path: /healthz
    - name: arcadia-stock-transaction
      service: arcadia-stock-transaction
      port: 80
      healthCheck:
        enable: true
        path: /healthz
    - name: arcadia-frontend
      service: arcadia-frontend
      port: 80
      healthCheck:
        enable: true
        path: /healthz
  routes:
    - path: /v1/user
      # These directives attach the JWT policy to a route that needs authentication,
      # extract the username/email address from the token and add it as a header
      policies:
      - name: jwt-policy
      action:
        proxy:
          upstream: arcadia-users
          requestHeaders:
            set:
            - name: okta-user
              value: \${jwt_claim_email}
    - path: /v1/login
      action:
        pass: arcadia-login
    - path: /v1/stock
      action:
        pass: arcadia-stocks
    - path: /v1/stockt
      policies:
      - name: jwt-policy
      action:
        proxy:
          upstream: arcadia-stock-transaction
          requestHeaders:
            set:
            - name: okta-user
              value: \${jwt_claim_email}
    - path: /
      action:
        pass: arcadia-frontend
EOF
```
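As an added illustration (not part of the original lab), the following Python mimics what a `jwt-policy` route does with one request: check the token's signature, algorithm, issuer and expiry, then set `okta-user` from the `email` claim, overwriting any value the client supplied. It substitutes HS256 with a hypothetical shared key for Okta's RS256/JWKS verification so it runs offline, and the issuer URL is assumed from the JWKS host shown above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. The ingress policy verifies Okta's RS256 tokens against the
# JWKS URI; this stand-in uses HS256 with a hypothetical key so it runs offline.
ISSUER = "https://dev-4525016.okta.com"  # assumed issuer matching the page's JWKS host
HMAC_KEY = b"demo-shared-secret"          # hypothetical key, never reuse in production

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Mint a compact JWT for the demo (test helper; in the lab Okta issues tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, key: bytes = HMAC_KEY, now=None):
    """Return the claims when signature, algorithm, issuer and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # the verifier fixes the algorithm; the token must not choose it
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims

def upstream_headers(client_headers: dict, token, now=None):
    """Mimic a protected route: None (401) without a valid token, else overwrite okta-user from the email claim."""
    claims = verify_token(token, now=now) if token else None
    if claims is None:
        return None
    headers = dict(client_headers)
    headers["okta-user"] = claims.get("email", "")  # ${jwt_claim_email} in the VirtualServer
    return headers
```

Routes without the policy (`/v1/login`, `/v1/stock`, `/`) pass client headers through untouched, so the backends should only trust `okta-user` on the routes where the ingress sets it.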
3. Next, register the application endpoints with the OpenID Connect provider.

```shell
curl https://okta.vltr.nginx-experience.com/okta-update?domain=$nginx_ingress
```
4. Log out of the Arcadia Crypto application, clear your cache (or open the browser in incognito mode) and log in with the credentials below. Authentication will now be handled by Okta.

Username: satoshi@bitcoin.com
Password: 1qaz!@#$