Any possible way to capture client user id at ingress?

Tanul 1,251 Reputation points


If I host any .net core based api within aks having ingress-nginx then is there any way to get the user id of the client. I cannot ask client to add a custom header with its value as its username as in that case s/he will be aware of the security pattern in use.

In azure pack it is possible to enable windows authentication and get the client side username. But is there any possible way to manage this kubernetes.

I have also explored adding ntlm authorization header in the request but for that client has to use there username and password to create the header which is not possible because here the call is service to service. Client can only double click and run the software after login the machine but keeping password is a compliance.

Please help.

Thank you

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,852 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,416 questions
{count} votes

1 answer

Sort by: Most helpful
  1. prmanhas-MSFT 17,886 Reputation points Microsoft Employee

    @Tanul Posting as answer as well for community visibility.

    As per discussion all of them state this is something which can be done on application side depending upon the application capability and has not much to do with Azure.

    Without more information and/or clarity around their architecture, use-case and exact requirement, there's much that we can recommend.

    Apart from this some more information I got is as below:

    There are one piece missing in this ask:

    • What’s the authentication mechanism/framework used in the .Net core application. After reviewing this page I assume .Net core uses JWT Bearer token, which seems to be the default.

    Maybe you want to try parse JWT payload and extract the username? After reviewing this and this I’m pretty sure it’s possible to parse JWT in Nginx, and since we have server_snippet we can add those to the Nginx configuration somehow.

    Hope it’s a good direction for you.

    Please "Accept as Answer" so it can help others in community looking for help on similar topics.