The design is minimal and incomplete on purpose, and so is the code. Things would evolve around discussions, requirement changes, issues, etc.
This project is a proxy for granting access to a micro-service via JWT token authentication.
- It is intended to be deployed as a sidecar in the Kubernetes POD of a micro-service app, as the facing SERVICE of that app. However, there's no dependency on Kubernetes.
- Java packages are organized around the Entity-Control-Boundary pattern.
The "Client/UI" authenticates the user against an IDP (Identity Provider, OAuth2) and then requests data from a micro-service. Some "known URLs" of the micro-service are to be protected from malicious access via JWT token authentication.
The public facing Kubernetes "Service" of the micro-service would be connected to the sidecar (instead of the micro-service container itself).
- The configuration is to be specified in a Kubernetes "DEPLOYMENT" YAML descriptor.
- The sidecar runs within an embedded Jetty server. It initializes its configuration from environment variables injected in a Kubernetes "DEPLOYMENT".
No authentication is performed against public URIs:
- If the URI is protected, the request must contain a valid JWT token with expected claims.
- Once the claims are extracted, user data is injected in the request and forwarded to the proxied micro-service.
Embedded Jetty as app server, Nimbus JOSE+JWT for JWT matters, Mitre proxy servlet for forwarding.
Hamcrest, JUnit and JMockit for tests.
The business logic is just driven by a servlet filter that relies on a "public URIs container" and a JWT authentication service. Additional sub-components and abstractions are left to the discretion of the implementer.
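The filter described above, written out as an added example (this is not the project's own code). It assumes the javax Servlet API, Nimbus JOSE+JWT with an HS256 shared secret, and hypothetical environment variable names (SIDECAR_PUBLIC_URIS, SIDECAR_JWT_ISSUER, SIDECAR_JWT_HMAC_SECRET) and header names (X-Auth-Subject, X-Auth-Roles); none of those names come from the page. Public URIs pass through untouched; every other URI needs a Bearer token whose signature, expiry, issuer and subject check out, after which the user data is injected as request headers and the chain continues to the proxy servlet.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.*;

/** Servlet filter: lets public URIs through, demands a valid JWT for everything else. */
public class JwtAuthFilter implements Filter {
    // Header names are assumptions; the proxied micro-service reads user data from them.
    static final String SUBJECT_HEADER = "X-Auth-Subject";
    static final String ROLES_HEADER = "X-Auth-Roles";

    private Set<String> publicUris;
    private JWSVerifier verifier;
    private String expectedIssuer;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Environment variable names are assumptions; a Kubernetes Deployment would inject them.
        Map<String, String> env = System.getenv();
        publicUris = new HashSet<>(Arrays.asList(env.getOrDefault("SIDECAR_PUBLIC_URIS", "/health").split(",")));
        expectedIssuer = env.getOrDefault("SIDECAR_JWT_ISSUER", "https://idp.example.invalid");
        String secret = env.get("SIDECAR_JWT_HMAC_SECRET");
        if (secret == null || secret.getBytes(StandardCharsets.UTF_8).length < 32) {
            throw new ServletException("SIDECAR_JWT_HMAC_SECRET missing or shorter than 256 bits");
        }
        try {
            verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8)); // HS256 shared secret
        } catch (JOSEException e) {
            throw new ServletException(e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (publicUris.contains(request.getRequestURI())) {
            chain.doFilter(request, response); // public URI: no authentication at all
            return;
        }
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token");
            return;
        }
        String subject;
        List<String> roles;
        try {
            SignedJWT jwt = SignedJWT.parse(auth.substring("Bearer ".length()).trim());
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            // Signature first, then the claims the sidecar expects: exp, iss and sub.
            if (!jwt.verify(verifier) || exp == null || exp.before(new Date())
                    || !expectedIssuer.equals(claims.getIssuer()) || claims.getSubject() == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
                return;
            }
            subject = claims.getSubject();
            List<String> claimed = claims.getStringListClaim("roles");
            roles = claimed == null ? Collections.emptyList() : claimed;
        } catch (ParseException | JOSEException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "malformed token");
            return;
        }
        // Inject user data; the proxy servlet later copies request headers to the micro-service.
        chain.doFilter(withUserData(request, subject, String.join(",", roles)), response);
    }

    /** Overrides the injected headers so a client-supplied copy can never reach the micro-service. */
    private static HttpServletRequest withUserData(HttpServletRequest request, String subject, String roles) {
        Map<String, String> injected = new HashMap<>();
        injected.put(SUBJECT_HEADER, subject);
        injected.put(ROLES_HEADER, roles);
        return new HttpServletRequestWrapper(request) {
            @Override public String getHeader(String name) {
                String v = lookup(name);
                return v != null ? v : super.getHeader(name);
            }
            @Override public Enumeration<String> getHeaders(String name) {
                String v = lookup(name);
                return v != null ? Collections.enumeration(Collections.singletonList(v)) : super.getHeaders(name);
            }
            @Override public Enumeration<String> getHeaderNames() {
                Set<String> names = new LinkedHashSet<>(Collections.list(super.getHeaderNames()));
                names.addAll(injected.keySet());
                return Collections.enumeration(names);
            }
            private String lookup(String name) { // header names are case-insensitive
                for (Map.Entry<String, String> e : injected.entrySet())
                    if (e.getKey().equalsIgnoreCase(name)) return e.getValue();
                return null;
            }
        };
    }
}
```

The wrapper is the part worth getting right: because the downstream proxy servlet forwards whatever headers it sees, the injected names must shadow any same-named header a client sent, otherwise a caller could present its own X-Auth-Subject to the micro-service. Overriding getHeaderNames as well matters, since proxy servlets typically iterate that enumeration rather than asking for specific headers.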
Please find below the core classes.