[Tutorial] Securing Rate Limit Actions with JSON Web Tokens (JWT)

Betty Junod | August 10, 2020

Most applications require external users or clients to access a variety of their services and therefore require policies to secure and protect them.  Rate limiting is a strategy implemented in API or Edge Gateways to protect backend services by preventing service outages from being overrun with more requests than it’s resources can process and respond to within the agreed service levels.  

Rate limits can be configured in a variety of ways to limit the volume or requests over a time period to the endpoint, by the client ID, by HTTP method, with integrated security, and more.  In previous posts we tried multiple rate limits by client ID, rate limits to prioritize traffic by HTTP method, and in this post we will secure rate limit actions with JSON Web Tokens (JWT).

 

When to use this use case

Headers are a convenient way to determine the values for rate limit actions and can often require additional security depending on the use case. While Gloo API Gateway has the ability to extensively rate limit on any header coming in, Gloo can also secure the header by encoding the values as claims in a JWT that is passed on in the request and the headers can be derived from the extracted claims after the JWT has been verified. You can provide a secure method for your users to acquire a JWT by setting up the ability for an auth negotiation with a trusted auth provider. 

 

Try this use case

Follow along using this tutorial to try configuring this type of rate limiting policy.

Set up your environment using these instructions. Any self-hosted or cloud managed Kubernetes (our demo uses GKE) with Gloo API Gateway (latest 1.4) installed will work. Then deploy the demo app, add a virtual service to expose via Gloo, and query the service.

Then you’ll use these instructions to set up and test the rate limit configuration and also layer in Open Policy Agent (OPA) and a Web Application Firewall (WAF) to further secure the traffic. 

  • Apply settings with settings-patch-1.yaml to see how headers work
  • Apply rate limit actions on the route with vs-1.yaml
  • Add JWT claims and verification with vs-2.yaml (below)
  • Layer on WAF and OPA with vs-3.yaml

Here is what the YAML looks like with added JWT:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: spelunker
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - '*'
    routes:
      - matchers:
          - prefix: /
        routeAction:
          single:
            upstream:
              name: spelunker-spelunker-80
              namespace: gloo-system
    options:
      jwt:
        providers:
          solo:
            tokenSource:
              headers:
                - header: x-token
              queryParams:
                - token
            claimsToHeaders:
              - claim: type
                header: x-type
              - claim: number
                header: x-number
            issuer: solo.io
            jwks:
              local:
                key: |
                  -----BEGIN PUBLIC KEY-----
                  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxdil+UiTSKYKV90YkeZ/
                  9CWvb4XfUgqYDeW/OG1Le+/BvSVkAFc1s3Fg0l9Zo4yvS4OGQszsNGJNl1mYya/L
                  sSTTD7suKLXY7FBTaBB8CQvvW873yRij1F4EaygOJ1ujuFmpgBGvQLSS5rceNaCl
                  Qzo+bmf3z0UGbhCxgsjDsJK2/aW2D/3dep/kF1GyEOGz8fewnwVp0zVyuS4UMidV
                  2cdnAobX2GvPwpjAeIeqhHG3HX4fen+TwU8rkej3y4efKHNj/GbKQmtt2EoOhEox
                  iK/JALlhQNAJqYn+81amRM7wGWeLEByt0+mwyAfnShOr6MFwrhQjsm4orwAx7yHB
                  jwIDAQAB
                  -----END PUBLIC KEY-----
      ratelimit:
        rateLimits:
          - actions:
              - requestHeaders:
                  descriptorKey: type
                  headerName: x-type
          - actions:
              - requestHeaders:
                  descriptorKey: type
                  headerName: x-type
              - requestHeaders:
                  descriptorKey: number
                  headerName: x-number

 

Watch the demo

 

Learn More

We hope you found this tutorial informative and useful in your exploration of API Gateway functionality. You can watch the full webinar featuring this demo here and sign up for an upcoming webinar here.

Back to Blog