Unlock the Potential of Data APIs with Strong Authentication and Traefik Enterprise
When it comes to enterprise IT infrastructure, security is of paramount importance. Between the need for data protection and privacy, regulatory requirements, and the constant threat of bad actors on the network, there is little room for error when designing and maintaining enterprise systems.
Because of this, strong authentication is a critical component of any IT modernization project. One of the top goals for enterprises today is to open up the data held within legacy systems and expose it through APIs, microservices, and other modern means. And yet, while this data represents untapped business value, it’s essential to only expose it in controlled ways by using authentication to ensure each request’s validity.
Traefik can help. As a modern, cloud native edge router, Traefik Proxy directs valid requests from the external network to applications and services, while minimizing the risk posed by malformed, malicious, or fraudulent requests. One way it can do this is by acting as an intermediary to ensure that transactions are authorized. What’s more, Traefik Enterprise bundles additional, exclusive features to provide enterprise-grade authentication — including support for OpenID Connect (OIDC).
Who goes there?
One of Traefik’s key concepts is its use of middlewares, which are pluggable components that provide conditional controls over network traffic. These controls can take various forms, including enabling security features such as rate limiting, restricting requests by IP address, and authentication.
Traefik Enterprise's authentication middlewares work by referencing external authentication sources. Traefik Enterprise can act as a gatekeeper at the edge of the internal network by intercepting incoming requests and authenticating them against the external source before forwarding them to the appropriate applications.
This model can be particularly critical for legacy modernization projects because it allows authentication to occur externally to the application. You can add modern authentication methods to legacy applications to satisfy the latest security requirements, without making any direct modifications to legacy code.
But this model is not only beneficial for modernizing legacy applications. The benefits of standardizing authentication and authorization at the API gateway level apply equally to cloud native and legacy projects. Those benefits include reducing/eliminating duplication of effort, promoting compliance with security standards, and freeing up developers to work directly on the end applications instead of security features.
Enterprise options
Traefik Enterprise offers several middlewares for enterprise authentication, and the collection continues to grow. Among the methods that Traefik Enterprise supports are:
JSON web tokens (JWT)
JWT is a popular tool used to authenticate API calls and single sign-on (SSO) applications. It’s a method of digitally signing information as a JSON object. The JWT includes a set of claims, which typically describe the things that an authenticated user is allowed to do. The Traefik Enterprise JWT middleware can be added to routers in the dynamic configuration and verifies that a token is provided in the Authorization
header. In case the token can't be passed as an Authorization
header, you can also add it as form data or as a query parameter.
OpenID Connect (OIDC)
Traefik Enterprise also includes support for OIDC, an authentication layer built on top of the OAuth 2.0 protocol. OpenID Connect allows an application to obtain user login information by exchanging cryptographic tokens with an identity provider and is often used to implement federated SSO between multiple applications. With the OIDC Authentication middleware, you can secure your applications by delegating the authentication process to an external provider (e.g. Google Accounts, LinkedIn, GitHub, etc.) and obtaining the end user's session claims and scopes for authorization purposes.
Lightweight Directory Access Protocol (LDAP)
To verify user credentials (i.e. usernames and passwords) LDAP connects with a directory service that uses the LDAP protocol. The Traefik Enterprise LDAP middleware connects to an LDAP server to verify said credentials and was designed to avoid having sensitive information — such as LDAP credentials specified as labels (or in CRDs) by applications — and to allow multiple middlewares to reuse the same authentication method.
oAuth2
OAuth2 is an open standard dealing with resource access control and is the latest version of the authorization protocol OAuth. An OAuth client provides web, desktop, and mobile application authorization flows. Traefik Enterprise comes with two oAuth2 middlewares:
- OAuth 2.0 Token Introspection Authentication Middleware: Retrieving metadata about an access token from an oAuth2 server which can be used to restrict access to applications.
- OAuth 2.0 Client Credentials Authentication Middleware: Securing routes using the OAuth2 Client Credentials flow described in RFC 6749.
Open Policy Agent (OPA)
OPA is an open source policy engine. By providing a high-level declarative language, OPA helps unify the processes of policy enforcement across the networking stack. OPA allows you to specify policy-as-code and APIs you can use to offload policy decision-making and, among others, it works in microservices, Kubernetes, CI/CD pipelines, and API gateways. With the Traefik Enterprise Open Policy Agent middleware, you can restrict access to your services and enrich request headers with data extracted from policies.
Hash-based Message Authentication Codes (HMAC)
HMAC is a method of using cryptographic hash functions with a shared secret (also known as a symmetric key) to ensure the content delivered in an HTTP request is valid and genuine. Like digital signatures, HMAC can verify a message sender’s identity and that the message’s content is unaltered from the moment of the HMAC’s creation. The technique can be used to secure file transfers, API calls, and other machine-to-machine interactions. This HMAC middleware uses the content of an HTTP request and a shared secret to validate a digital signature computed. The HTTP request and the shared secret are sent to the proxy using the Authorization
or Proxy-Authorization
header, ensuring the identity of the sender and the integrity of the request.
Authentication the easy way
The best thing about implementing enterprise authentication using Traefik Enterprise, however, is how easy it is to do. Enabling any of the authentication middleware mentioned here is generally as simple as adding a few lines to your Traefik configuration to supply the necessary connection details, creating a middleware that points to your authentication source, and attaching that middleware to desired routers.
The authentication options available in Traefik Enterprise today offer a powerful range of options for exposing enterprise applications and data securely, without requiring extensive and risky legacy code changes. You can expect other such features to be included over time, as we continue our commitment to ensure Traefik Enterprise is a premier tool for enterprise application networking. To learn more about how Traefik and Traefik Enterprise can help you lock down enterprise data with secure authentication, watch our recent webinar, “Enterprise best practices to expose and secure microservices and APIs”. In this webinar, we discuss deploying OAuth and OpenID Connect with Okta to secure user logins, and we walk you through enabling mutual TLS (mTLS) for secure machine-to-machine communications.