# Prepare HTTP Bearer Token Authentication

This how-to will explain how a Bearer Token can be requested from an authentication server. This will be required to connect the Service Catalog to the Service Broker.

## Preparations

• Have access to an authentication server that has a JWKS endpoint.

## Inspect the OpenID configuration

 Below are `curl` commands shown. Depending on your configuration, your authentication server can only be reached from your Kubernetes cluster, but not from your personal computer. In these cases you can refer to the commands just below. To run `curl` from your cluster, create an ad-hoc container using `kubectl run`: ``````kubectl run \ --namespace default \ -i --tty --rm \ "curl-$(date +%s)" \ --command /bin/sh \ --image=quay.io/curlimages/curl --`````` Now you get a terminal in which you can then run `curl` commands, for example `curl --version`. If you are more comfortable using `wget`, here’s a solution for that: ``````kubectl run \ --namespace default \ -i --tty --rm \ "busybox-$(date +%s)" \ --image=quay.io/prometheus/busybox --`````` Now you get a terminal in which you can then run `wget` commands, for example `wget --version`.

If you (or your company) use an OpenID compliant authentication server, you should be able to learn about the JWKS URL from the `.well-known/openid-configuration` JSON:

``curl https://auth.corp.internal/.well-known/openid-configuration``

The JSON will look like this:

``````{
"issuer": "auth.corp.internal",
"token_endpoint": "auth.corp.internal/token", (2)
"jwks_uri": "auth.corp.internal/jwks", (1)
"revocation_endpoint": "auth.corp.internal/revoke",
"scopes_supported": ["openid"],
"response_types_supported": [],
"response_modes_supported": [],
"grant_types_supported": ["client_credentials"],
"acr_values_supported": [],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["ES256"],
"token_endpoint_auth_methods_supported": ["client_secret_post"],
"token_endpoint_auth_signing_alg_values_supported": ["ES256"],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"allow_list",
"cluster_id",
"client_id",
"sub"
],
"code_challenge_methods_supported": []
}``````
 1 Look for the `jwks_uri`. It’s the URL we’re interested in. 2 Also note down the `token_endpoint`. We’ll need it later.

## JWK Store

To verify that the Crossplane Service Broker will be able to access this URL, check the response now:

``curl https://auth.corp.internal/jwks``

This should return a JSON like the following:

 The values for `x` and `y` have been shortened in the example below.
``````{
"keys": [
{
"kty": "EC",
"crv": "P-256",
"x": "6ze…",
"y": "O5K…"
}
]
}``````

## Get a Bearer Token

In order to get a Bearer Token, you need to be in the possession of a `client_id` and a `client_secret`. Create these on your authentication server or request them from authorized personnel. Those should allow you to request a token from the authentication server on the `/token` endpoint:

 The `/token` endpoint might be called differently on your server. See the section Inspect the OpenID configuration above and look for the `token_endpoint` URL.
``````curl \
--silent --request POST \
--data "grant_type=client_credentials" \
--data "client_id=950aaaa5-a656-4a8c-8515-aa505a550a52" \
--data "client_secret=5a2924a5-050a-445a-aa5a-0a50a445a845" \
"https://auth.corp.internal/token"``````

This usually returns a JSON like this:

``````{
 1 The value-part here is your actual Bearer Token. The quotes (`"`) are just JSON syntax and don’t belong to the token itself.
 Here’s a shortcut to grab the token directly: ``````kubectl run \ --namespace default \ --attach true --rm --quiet \ "curl-$(date +%s)" \ --image=docker.io/curlimages/curl -- \ --silent --request POST \ --data "grant_type=client_credentials" \ --data "client_id=950aaaa5-a656-4a8c-8515-aa505a550a52" \ --data "client_secret=5a2924a5-050a-445a-aa5a-0a50a445a845" \ "https://auth.corp.internal/token" \ | jq -r .access_token`````` On macOS, you can also copy the token directly to your clipboard like this: ``````kubectl run \ --namespace default \ --attach true --rm --quiet \ "curl-$(date +%s)" \ --image=docker.io/curlimages/curl -- \ --silent --request POST \ --data "grant_type=client_credentials" \ --data "client_id=950aaaa5-a656-4a8c-8515-aa505a550a52" \ --data "client_secret=5a2924a5-050a-445a-aa5a-0a50a445a845" \ "https://auth.corp.internal/token" \ | jq -r .access-token \ | pbcopy``````