Prepare HTTP Bearer Token Authentication

This how-to explains how to request a Bearer Token from an authentication server. The token is required to connect the Service Catalog to the Service Broker.

Preparations

  • Have access to an authentication server that has a JWKS endpoint.

Inspect the OpenID configuration

The commands below use curl. Depending on your configuration, your authentication server may be reachable only from inside your Kubernetes cluster and not from your personal computer. In that case, run the commands from an ad-hoc container in the cluster as shown next.

To run curl from your cluster, create an ad-hoc container using kubectl run:

kubectl run \
  --namespace default \
  -i --tty --rm \
  "curl-$(date +%s)" \
  --command /bin/sh \
  --image=quay.io/curlimages/curl --

This gives you a shell in the pod in which you can run curl commands, for example curl --version.

If you are more comfortable with wget, here’s an equivalent using a busybox image:

kubectl run \
  --namespace default \
  -i --tty --rm \
  "busybox-$(date +%s)" \
  --image=quay.io/prometheus/busybox --

This gives you a shell in the pod in which you can run wget commands, for example wget --version.

If you (or your company) use an OpenID-compliant authentication server, you can learn the JWKS URL from its .well-known/openid-configuration JSON:

curl https://auth.corp.internal/.well-known/openid-configuration

The JSON will look like this:

{
  "issuer": "auth.corp.internal",
  "token_endpoint": "auth.corp.internal/token", (2)
  "jwks_uri": "auth.corp.internal/jwks", (1)
  "revocation_endpoint": "auth.corp.internal/revoke",
  "scopes_supported": ["openid"],
  "response_types_supported": [],
  "response_modes_supported": [],
  "grant_types_supported": ["client_credentials"],
  "acr_values_supported": [],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post"],
  "token_endpoint_auth_signing_alg_values_supported": ["ES256"],
  "claims_supported": [
    "aud",
    "exp",
    "iat",
    "iss",
    "allow_list",
    "cluster_id",
    "client_id",
    "sub"
  ],
  "code_challenge_methods_supported": []
}
1 Look for the jwks_uri. It’s the URL we’re interested in.
2 Also note down the token_endpoint. We’ll need it later.

JWK Store

To verify that the Crossplane Service Broker will be able to access this URL, check the response now:

curl https://auth.corp.internal/jwks

This should return JSON like the following (the values for x and y have been shortened):
{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "6ze…",
      "y": "O5K…"
    }
  ]
}

Get a Bearer Token

To get a Bearer Token, you need a client_id and a client_secret. Create these on your authentication server or request them from authorized personnel. They allow you to request a token from the authentication server on the /token endpoint:

The /token endpoint may have a different path on your server. See the section Inspect the OpenID configuration above and look for the token_endpoint URL.

curl \
  --silent --request POST \
  --data "grant_type=client_credentials" \
  --data "client_id=950aaaa5-a656-4a8c-8515-aa505a550a52" \
  --data "client_secret=5a2924a5-050a-445a-aa5a-0a50a445a845" \
  "https://auth.corp.internal/token"

This usually returns JSON like this:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.zJrV44Lhr1Ck4vg1dMnldql0adLgut241jo0FbFXMlI", (1)
  "token_type": "Bearer",
  "expires_in": 600
}
1 The value here is your actual Bearer Token. The quotes (") are JSON syntax and are not part of the token.
You can check the content of the token on jwt.io.
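As an added example (not part of the original how-to or of the Crossplane Service Broker), the following Python script decodes the token locally instead of handing it to a web site, and cross-checks the token header against the JWK Store and the OpenID configuration shown above: it derives which signing algorithms the published keys can back, flags a header alg those keys cannot back (or alg=none), checks any kid against the JWKS, and checks the exp and iss claims. The function names (decode_jwt, jwks_algorithms, check_token), the _ALG_FOR_KEY mapping and the sample inputs are constructed for this example from the JSON on this page; the sample token is the one printed above. It reads the token only and does not verify the signature.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample inputs, modelled on the JSON shown in this how-to.
OPENID_CONFIG = {
    "issuer": "auth.corp.internal",
    "token_endpoint": "auth.corp.internal/token",
    "jwks_uri": "auth.corp.internal/jwks",
    "id_token_signing_alg_values_supported": ["ES256"],
}
JWKS = {"keys": [{"kty": "EC", "crv": "P-256", "x": "6ze...", "y": "O5K..."}]}
# The access_token printed on this page (the widely used jwt.io demo token).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "zJrV44Lhr1Ck4vg1dMnldql0adLgut241jo0FbFXMlI"
)

# Which JWS algorithm a JWK without an explicit "alg" member can back, by key
# type and curve (assumption of this example; covers the EC P-256 key above).
_ALG_FOR_KEY = {("EC", "P-256"): "ES256", ("EC", "P-384"): "ES384", ("RSA", None): "RS256"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and raw signature. No verification."""
    token = token.strip().strip('"')  # quotes around the value are JSON syntax, not token
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def jwks_algorithms(jwks: dict) -> set:
    """Return the signing algorithms the keys in a JWK Set can actually back."""
    algs = set()
    for key in jwks.get("keys", []):
        if "kty" not in key:
            raise ValueError("JWK is missing the mandatory kty member")
        alg = key.get("alg") or _ALG_FOR_KEY.get((key["kty"], key.get("crv")))
        if alg:
            algs.add(alg)
    return algs


def check_token(token: str, jwks: dict, config: dict, now: Optional[float] = None) -> list:
    """Return a list of findings about the token; an empty list means nothing stood out."""
    now = time.time() if now is None else now
    decoded = decode_jwt(token)
    header, payload = decoded["header"], decoded["payload"]
    findings = []

    alg = header.get("alg")
    if alg in (None, "none"):
        findings.append("unsigned token (alg missing or none)")
    elif alg not in jwks_algorithms(jwks):
        findings.append(f"alg {alg} not backed by any key at {config.get('jwks_uri')}")

    kids = {k.get("kid") for k in jwks.get("keys", []) if "kid" in k}
    if "kid" in header and header["kid"] not in kids:
        findings.append(f"kid {header['kid']} not present in JWKS")

    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim; the token never expires")
    elif exp < now:
        findings.append(f"token expired {int(now - exp)}s ago")

    iss = payload.get("iss")
    if iss is not None and iss != config.get("issuer"):
        findings.append(f"issuer {iss!r} does not match {config.get('issuer')!r}")
    return findings


if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_TOKEN)
    print("header: ", json.dumps(decoded["header"]))
    print("payload:", json.dumps(decoded["payload"]))
    for finding in check_token(SAMPLE_TOKEN, JWKS, OPENID_CONFIG):
        print("finding:", finding)
```

Run against the token printed above, it reports that the header alg is HS256, which none of the EC keys in the JWK Store can back, and that the token carries no exp claim; a token issued by the /token endpoint above would instead be expected to show ES256 and an exp roughly expires_in seconds after issuance. To inspect a real token, pass the output of the kubectl shortcut below into decode_jwt and check_token.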

Here’s a shortcut to grab the token directly:

kubectl run \
  --namespace default \
  --attach true --rm --quiet \
  "curl-$(date +%s)" \
  --image=docker.io/curlimages/curl -- \
  --silent --request POST \
  --data "grant_type=client_credentials" \
  --data "client_id=950aaaa5-a656-4a8c-8515-aa505a550a52" \
  --data "client_secret=5a2924a5-050a-445a-aa5a-0a50a445a845" \
  "https://auth.corp.internal/token" \
| jq -r .access_token

On macOS, you can also copy the token directly to your clipboard like this:

kubectl run \
  --namespace default \
  --attach true --rm --quiet \
  "curl-$(date +%s)" \
  --image=docker.io/curlimages/curl -- \
  --silent --request POST \
  --data "grant_type=client_credentials" \
  --data "client_id=950aaaa5-a656-4a8c-8515-aa505a550a52" \
  --data "client_secret=5a2924a5-050a-445a-aa5a-0a50a445a845" \
  "https://auth.corp.internal/token" \
| jq -r .access_token \
| pbcopy