Unlock the potential of data APIs with strong authentication & Traefik

When it comes to enterprise IT infrastructure, security is of paramount importance. Between the need for data protection and privacy, regulatory requirements, and the constant threat of bad actors on the network, there is little room for error when designing and maintaining enterprise systems.

Because of this, strong authentication is a critical component of any IT modernization project. One of the top goals for enterprises today is to open up the data held within legacy systems and expose it through APIs, microservices, and other modern means. And yet, while this data represents untapped business value, it’s essential to only expose it in controlled ways by using authentication to ensure each request’s validity.

Traefik can help. As a modern, cloud-native edge router, Traefik’s goal is to direct valid requests from the external network to applications and services, while minimizing the risk posed by malformed, malicious, or fraudulent requests. One way it can do this is by acting as an intermediary to ensure that transactions are authorized. What’s more, Traefik Enterprise (TraefikEE) bundles additional, exclusive features to provide enterprise-grade authentication – including, most recently, support for OpenID Connect.

Who goes there?

One of Traefik’s key concepts is its use of middlewares, which are pluggable components that provide conditional controls over network traffic. These controls can take various forms, including enabling security features such as rate limiting, restricting requests by IP address, and authentication.

TraefikEE’s enterprise authentication middlewares work by referencing external authentication sources. For example, the LDAP middleware connects to an LDAP server to verify credentials. In this way, Traefik can act as a gatekeeper at the edge of the internal network by intercepting incoming requests and authenticating them against the external source before forwarding them to the appropriate applications.

This model can be particularly critical for legacy modernization projects because it allows authentication to occur externally to the application. One benefit of this is that it makes it possible to add modern authentication methods to legacy applications to satisfy the latest security requirements, without making any direct modifications to legacy code.

Enterprise options

In addition to LDAP, Traefik Enterprise offers several other middlewares for enterprise authentication, and the collection continues to grow. Among the methods that TraefikEE supports are:

HMAC

A hash-based message authentication code (HMAC) is a method of using a cryptographic hash function together with a shared secret (also known as a symmetric key) to ensure that the content delivered in an HTTP request is valid and genuine. Like digital signatures, HMAC can verify a message sender’s identity and that the message’s content is unaltered from the moment of the HMAC’s creation. The technique can be used to secure file transfers, API calls, and other machine-to-machine interactions.
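To make the mechanism concrete, here is an added example (not Traefik’s code, and not a description of how the TraefikEE HMAC middleware is configured) of request signing and verification in Python. The client computes HMAC-SHA256 over the method, path, timestamp and a digest of the body; the gateway recomputes it and compares in constant time. Because the MAC depends on every covered field, the verifier rejects a changed body or path, a replay outside the time window, and a MAC produced with a different key. The secret, paths and payload are constructed values for the example. One design point worth noting: unlike a digital signature, anyone holding the shared secret can produce a valid MAC, so both ends must protect it equally.

```python
import hashlib
import hmac
import time

# Constructed shared secret for this example only; a real deployment loads it from a secrets store.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def canonical_request(method, path, timestamp, body):
    """Serialize the parts of the request that the MAC covers.

    The method, path, timestamp and a SHA-256 digest of the body are joined
    with newlines, so changing any one of them changes the resulting MAC.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    message = canonical_request(method, path, timestamp, body)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, timestamp, body, presented_mac,
                   now=None, max_skew=300):
    """Gateway side: recompute the MAC and compare it in constant time.

    Returns (ok, reason); the reason is for the gateway's own logs, not for
    the client, which should only see a generic rejection.
    """
    now = int(time.time()) if now is None else now
    # Reject stale or far-future timestamps to bound how long a captured request
    # stays usable; pair this with a nonce cache for complete replay protection.
    if abs(now - timestamp) > max_skew:
        return False, "timestamp outside allowed window"
    expected = sign_request(secret, method, path, timestamp, body)
    # compare_digest takes the same time regardless of where the strings differ,
    # unlike ==, which would leak how many leading characters matched.
    if not hmac.compare_digest(expected, presented_mac):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Sign one constructed request, then see how the verifier treats variations of it."""
    ts = 1_700_000_000  # fixed constructed timestamp so the run is reproducible
    path = "/api/v1/transfer"  # hypothetical API path
    body = b'{"account":"42","amount":100}'  # constructed request body
    mac = sign_request(SHARED_SECRET, "POST", path, ts, body)

    return {
        "genuine": verify_request(SHARED_SECRET, "POST", path, ts, body, mac, now=ts),
        "tampered_body": verify_request(SHARED_SECRET, "POST", path, ts,
                                        b'{"account":"42","amount":10000}', mac, now=ts),
        "tampered_path": verify_request(SHARED_SECRET, "POST", "/api/v1/refund", ts, body, mac, now=ts),
        "replayed_late": verify_request(SHARED_SECRET, "POST", path, ts, body, mac, now=ts + 3600),
        "wrong_secret": verify_request(b"some-other-secret", "POST", path, ts, body, mac, now=ts),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14s} accepted={ok!s:5s} reason={reason}")
```

Only the "genuine" case is accepted; every other variation is rejected, and the reason string tells the operator which check failed.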

JWT

A JSON web token (JWT) is another popular tool for authenticating API calls and SSO applications. It is a method of digitally signing information encoded as a JSON object. The JWT includes a set of “claims,” which typically describe what an authenticated user is allowed to do. TraefikEE’s JWT middleware also includes support for JSON web key sets.
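The following added example (written for this page, not taken from Traefik or from the TraefikEE JWT middleware) shows the two halves of JWT validation a gateway performs: checking the signature, then checking the claims the protected route cares about. It uses HS256 with a constructed shared key rather than a key set, and the issuer URL, audience names and claim values are constructed. The verifier pins the algorithm it expects and only reads the claims after the signature has been accepted.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 key shared by the token issuer and the verifying gateway (example only).
SIGNING_KEY = b"example-jwt-signing-key-do-not-use"


def b64url_encode(data: bytes) -> str:
    """JWTs use unpadded base64url encoding for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def encode_jwt(key: bytes, claims: dict) -> str:
    """Issuer side: base64url(header).base64url(claims) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url_encode(_compact_json(header))}.{b64url_encode(_compact_json(claims))}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_jwt(key: bytes, token: str, now: int, expected_aud: str, expected_iss: str):
    """Gateway side: signature first, then issuer, audience and validity window.

    Returns (claims, "ok") on success or (None, reason) on rejection.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload_bytes = b64url_decode(payload_b64)
        presented_sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        return None, "malformed token"
    # The verifier uses the algorithm it was configured for; the token header is
    # untrusted input and must not decide how the token gets verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None, "bad signature"
    try:
        claims = json.loads(payload_bytes)
    except ValueError:
        return None, "malformed payload"
    if not isinstance(claims, dict):
        return None, "malformed payload"
    if claims.get("iss") != expected_iss:
        return None, "wrong issuer"
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list of strings
        aud = [aud]
    if expected_aud not in aud:
        return None, "wrong audience"
    if "exp" not in claims or now >= claims["exp"]:
        return None, "expired"
    if now < claims.get("nbf", 0):
        return None, "not yet valid"
    return claims, "ok"


def demo():
    """Issue one constructed token and run several verification scenarios against it."""
    now = 1_700_001_000  # constructed "current time" so the run is reproducible
    issuer, audience = "https://idp.example", "orders-api"  # hypothetical identifiers
    claims = {"iss": issuer, "sub": "alice", "aud": audience, "scope": "orders:read",
              "iat": 1_700_000_000, "exp": 1_700_003_600}
    token = encode_jwt(SIGNING_KEY, claims)
    head, _payload, sig = token.split(".")
    # Original signature reattached to an edited payload: must fail the signature check.
    edited = b64url_encode(_compact_json(dict(claims, scope="orders:write")))
    tampered = f"{head}.{edited}.{sig}"
    return {
        "valid": verify_jwt(SIGNING_KEY, token, now, audience, issuer)[1],
        "expired": verify_jwt(SIGNING_KEY, token, now + 7200, audience, issuer)[1],
        "wrong_audience": verify_jwt(SIGNING_KEY, token, now, "billing-api", issuer)[1],
        "tampered_payload": verify_jwt(SIGNING_KEY, tampered, now, audience, issuer)[1],
        "unknown_key": verify_jwt(SIGNING_KEY, encode_jwt(b"other-key", claims), now, audience, issuer)[1],
        "garbage": verify_jwt(SIGNING_KEY, "not.a.jwt", now, audience, issuer)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:17s} {reason}")
```

The ordering matters: the claims are only parsed once the signature has been accepted, so an attacker-controlled payload never influences a decision before its integrity is established. A production gateway would additionally fetch the key set it was configured with, which the page mentions TraefikEE supports, rather than holding a single shared key.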

OpenID Connect

TraefikEE also includes support for OpenID Connect, an authentication layer built on top of the OAuth 2.0 protocol. OpenID Connect allows an application to obtain user login information by exchanging cryptographic tokens with an identity provider, and is often used to implement federated single sign-on (SSO) between multiple applications.

OpenID Connect has become a popular option for enterprises because it allows operators to self-host an on-premises identity provider or choose from a growing number of third-party options. Okta, for example, is a cloud-hosted enterprise identity platform that supports authentication via OpenID Connect. Several public options are also available, allowing users to authenticate with their logins for services such as Google and PayPal.

If full authentication isn’t needed, TraefikEE also supplies a middleware for verifying the authorization of requests via the OAuth 2.0 token introspection method.

Authentication the easy way

The best thing about implementing enterprise authentication with TraefikEE, however, is how easy it is to do. Enabling any of the authentication middlewares mentioned here is generally as simple as adding a few lines to your Traefik configuration to supply the necessary credentials and point the middleware at your authentication source.

The authentication options available in TraefikEE today offer a powerful range of choices for exposing enterprise applications and data securely, without requiring extensive and risky legacy code changes. You can expect other such features to be included over time, as we continue our commitment to ensuring TraefikEE is a premier tool for enterprise application networking.

To learn more about how Traefik and Traefik Enterprise can help you lock down enterprise data with secure authentication, join us for a special webinar on Thursday, September 10. We’ll discuss deploying OAuth and OpenID Connect with Okta to secure user logins, and we’ll also walk through enabling mutual TLS (mTLS) for secure machine-to-machine communications.


This is a companion discussion topic for the original entry at https://traefik.io/blog/unlock-the-potential-of-data-apis-with-strong-authentication-and-traefik-enterprise/

That is timely, I was investigating that (Okta + OIDC) yesterday. :smiley: