Team, We need to perform JWT Oauth Token validation for all ingress activities in aks. Nginx support this feature through location / { proxy_pass: } Or annotations: nginx.ingress.kubernetes.io/auth-url: Does Application Gateway Ingress Controller(standard v2 sku) supports this functionality.

Hi @Tanul I got a response from the product team that "OAuth is not currently supported on AppGW, but is on their roadmap. Until they support it on AppGW, they won't have support for it on AGIC. They will be updating the GitHub thread once it's available on AppGW. There is a feature request open here: https://github.com/Azure/application-gateway-kubernetes-ingress/issues/860 However, I did find an article which talks about using api management service like APIM or a service mesh solution with AGIC to achieve it. https://medium.com/@jw_ng/using-azure-application-gateway-with-api-management-service-f9b9b2cd1731 You can use the validate-jwt policy in APIM and this feature is available on Consumption tier. ---------- Please 'Accept' as answer if it helped, so that it can help others looking for same information get to this answer faster.

Does AGIC support JWT validation?

Accepted answer

KarishmaTiwari-MSFT 18,642 Reputation points Microsoft Employee

2020-09-24T02:34:11.887+00:00

Hi @Tanul

I got a response from the product team that "OAuth is not currently supported on AppGW, but is on their roadmap. Until they support it on AppGW, they won't have support for it on AGIC. They will be updating the GitHub thread once it's available on AppGW.

There is a feature request open here: https://github.com/Azure/application-gateway-kubernetes-ingress/issues/860

However, I did find an article which talks about using api management service like APIM or a service mesh solution with AGIC to achieve it.
https://medium.com/@jw_ng/using-azure-application-gateway-with-api-management-service-f9b9b2cd1731

You can use the validate-jwt policy in APIM and this feature is available on Consumption tier.

----------

Please 'Accept' as answer if it helped, so that it can help others looking for same information get to this answer faster.
Please sign in to rate this answer.
Tanul 1,251 Reputation points

2020-09-25T05:11:29.767+00:00

@KarishmaTiwari-MSFT , Hey Karishma, thanks for sharing. Does consumption base sku can help with these functionalities.

KarishmaTiwari-MSFT 18,642 Reputation points Microsoft Employee

2020-09-25T15:51:52.387+00:00

@Tanul I got a response from the product team that "OAuth is not currently supported on AppGW, but is on their roadmap. Until we support it on AppGW, we won't have support for it on AGIC. They will be updating the GitHub thread once it's available on AppGW.

Tanul 1,251 Reputation points

2020-09-25T19:12:27.197+00:00

@KarishmaTiwari-MSFT , actually I have checked that APIM and it supports jwt validation. My question is does consumption sku of APIM support jwt or not.

KarishmaTiwari-MSFT 18,642 Reputation points Microsoft Employee

2020-09-25T19:17:53.393+00:00

Let me connect with the APIM team to confirm on that.

KarishmaTiwari-MSFT 18,642 Reputation points Microsoft Employee

2020-09-26T01:35:40.383+00:00

@Tanul Got the confirmation. Yes, you can use the validate-jwt policy and this feature is available on Consumption tier of APIM.

Refer to the doc here: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT
I updated in the main answer as well.

Tanul 1,251 Reputation points

2020-09-26T13:37:48.037+00:00

@KarishmaTiwari-MSFT , Thanks a lot for such an awesome help. I’ll check the way to build this ecosystem.

If I’m unable to setup it or super stuck somewhere then I’ll tag you the query. I hope you don’t mind. 😊

Happy weekend. Tk cr

Tanul 1,251 Reputation points

2020-09-27T06:45:35.847+00:00

@KarishmaTiwari-MSFT , Hey karishma, sorry for disturbing on weekend. I was checking this link:
api-management-kubernetes
but have few queries

As per option 2, there is a concept of mutual TLS exist. It means we can add certificate in APIM as well right?

As per option 3, everything can be in common VNET. Does this mean, we can create totally private AKS rather than public one? In addition, APIM should be private as well.

As per option 2, the disadvantage is ingress controller end point exposed to public. But if I create a private aks cluster with public APIM then isn’t it cancel this disadvantage. I can add an internal load balancer(basic sku, because its free) between both of them. In this way, I can use the the consumption sku of APIM because only premium one allow to merge APIM and AKS into same VNET which is out of my budget.

Could you please help. Thank you.

Tanul 1,251 Reputation points

2020-09-29T08:26:39.943+00:00

@KarishmaTiwari-MSFT , hey 😊
Just wanted to send this as a gentle reminder if you got a chance to look at my query.

Please let me know if any further details needed from my side.

Thanks for all your help on this.

KarishmaTiwari-MSFT 18,642 Reputation points Microsoft Employee

2020-09-30T15:59:38.477+00:00

@Tanul Sorry for the delay on this. Since your query above (api-management-kubernetes)is related to APIM and we have experts on APIM who can help you directly if you open a new post here and tag the post with 'azure-api-management'. Feel free to post the url of the post here, I will also follow the post and ensure you get the help needed.

Tanul 1,251 Reputation points

2020-10-01T10:36:29.813+00:00

@KarishmaTiwari-MSFT , No problem at all. Will post it over there. Thanks a lot for sharing. :)
Sign in to comment

Share via

Does AGIC support JWT validation?

0 additional answers