mTLS and JWT authentication flow scenario with NGINX as an API gateway?


I have a scenario where mTLS authentication between a B2B client and the NGINX API gateway is required on one side of the auth flow to access a resource from an API endpoint (behind the NGINX API gateway), and JWT authorization is required between the NGINX API gateway, the IdP (Keycloak) and the API endpoint hosting the URL resource.

So it appears there will be mTLS authentication for new clients connecting to the API gateway, and then the authorization flow between the API gateway, the IdP and the API endpoint/microservice will occur via a JWT flow. To summarise:

  1. mTLS authentication happens between the B2B client and the API gateway
  2. If mTLS auth is successful: the API gateway requests a JWT token from the IdP (?)
  3. The IdP authenticates the request from the API Gateway and
  4. Responds with a JWT token containing the correct scopes for authorization
  5. The API gateway requests the resource from an API endpoint/microservice using the JWT token to provide authorization details
  6. Resource is returned and proxied back to the client ...

The closest model I can find for this scenario is the "Phantom token" scenario described here:

https://curity.io/resources/learn/phantom-token-pattern/

(Except that in my scenario, a phantom token is somehow generated in response to a successful mTLS authentication by the client.)

My questions are:

a) Does this scenario even make sense? If so, for what use cases?

b) If so, what would the NGINX Plus/NGINX configuration look like for this?

Background:

  • I understand that mTLS would be used to handle the auth flow for the complete authentication
  • an alternative would be to use JWT authentication + authorisation instead of mTLS

My confusion is why/how one would want to use both of these for API gateway authX?

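A sketch of the gateway side of the flow asked about above, as an added example; it is not from the question, from NGINX or from Keycloak. It assumes: the partner CA at /etc/nginx/pki/partner-ca.pem; a hypothetical token-broker sidecar on 127.0.0.1:9000 that, given a partner id, performs the OAuth client_credentials grant against Keycloak with that partner's service-account credentials and returns the access token in an X-Access-Token response header; and the microservice at api-backend:8080. The fingerprint values are constructed placeholders. The point the config makes is the one the question circles around: the CA check in step 1 only proves the caller holds some certificate the partner CA issued, pinning the fingerprint (or subject DN) to a partner id is what turns that into authentication of a particular partner, and that partner id is what selects the credentials the gateway presents to the IdP in steps 2 to 4. The microservice in step 5 receives only the JWT, never the client certificate. The fragment belongs inside the http {} block.

```nginx
# Added example config, not from the original question.
# Assumed paths, hosts and fingerprints are placeholders (see lead-in).

# 1. Pin each B2B partner to a client-certificate fingerprint.
#    $ssl_client_fingerprint is the SHA-1 of the presented certificate,
#    lowercase hex without colons. Anything not listed maps to "" and is
#    rejected below, so a certificate from the same CA issued to someone
#    else does not become a valid partner identity.
map $ssl_client_fingerprint $partner_id {
    default "";
    # constructed placeholder fingerprints -> partner ids
    "0123456789abcdef0123456789abcdef01234567" "partner-acme";
    "89abcdef0123456789abcdef0123456789abcdef" "partner-globex";
}

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/pki/gateway.crt;
    ssl_certificate_key /etc/nginx/pki/gateway.key;

    # 2. mTLS: require a client certificate and verify its chain against
    #    the partner CA; the handshake fails without a valid certificate.
    ssl_client_certificate /etc/nginx/pki/partner-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;
    # ssl_crl /etc/nginx/pki/partner-ca.crl;   # add revocation if the CA publishes one

    location / {
        # Chain validity is not partner identity: reject unpinned certificates.
        if ($partner_id = "") { return 403; }

        # 3./4. Obtain a JWT minted for this partner's service account.
        #    auth_request proceeds only on a 2xx from /_token; the token
        #    arrives in a response header because auth_request cannot read
        #    the subrequest body (hence the broker rather than calling
        #    Keycloak's token endpoint directly from nginx).
        auth_request /_token;
        auth_request_set $partner_jwt $upstream_http_x_access_token;

        # 5. Call the microservice with the JWT as the only credential.
        #    proxy_set_header overwrites any client-supplied copies of these
        #    headers, so a partner cannot inject its own Authorization or
        #    X-Partner-Id values.
        proxy_set_header Authorization "Bearer $partner_jwt";
        proxy_set_header X-Partner-Id  $partner_id;
        proxy_pass http://api-backend:8080;
    }

    # Internal-only subrequest target for the hypothetical token broker.
    location = /_token {
        internal;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Partner-Id $partner_id;
        proxy_pass http://127.0.0.1:9000/token;
    }
}
```

The auth_request directives need ngx_http_auth_request_module (built with --with-http_auth_request_module; present in NGINX Plus and most distribution packages). Without a broker, the token POST to Keycloak and the JSON parsing would have to be done in njs, since plain nginx config cannot extract a field from a subrequest body. Two things the config deliberately leaves to other components: the broker should cache each partner's token until shortly before its exp rather than hitting Keycloak per request, and the microservice should still validate the JWT itself (signature, iss, aud, exp, scope) instead of trusting that a request came through the gateway.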