
I have a list of APIs running in Kubernetes behind a service (under different paths). Azure is our identity provider, and our clients are using the client-credentials OAuth2 flow to generate the OAuth token and send it to the API, where authorization checks take place. Each of our APIs needs a different SLA for each user. Hence I am looking to rate-limit the APIs per client-id that is encoded in the token (azp is the claim under which the client-id is present for Azure v2.0 tokens).

We are already using Envoy as the ingress gateway in our Kubernetes cluster, but that supports only global or per-IP rate-limiting. We also looked at nginx, but did not find much difference. ChatGPT suggested other gateways like Tyk and Apigee Edge, but they don't seem to have this functionality. The closest suggestion given was to use Kong gateway, which rate-limits based on consumer groups (but I did not find anything in the Kong documentation about per-OAuth-client rate-limiting, or how a consumer can map to a client-id).

Does any API gateway support such rate-limiting feature?

Pravin Kumar
  • This question seems similar: https://stackoverflow.com/questions/48005461/how-to-enable-user-level-rate-limiting-in-istio – akathimi Feb 02 '23 at 10:28
  • Slightly similar, but in my case the OAuth/JWT token in the request header will be encoded. So I will have to decode it somehow, get the client-id from the claims, and configure rate-limiting based on that. Not sure if Istio allows such customized extensions. – Pravin Kumar Feb 03 '23 at 05:10

1 Answer


You can extend nginx with Lua scripting. I've not used it for this specifically, but it occurs to me that you can run a Lua script to parse the JWT and then use the client-id as the zone key for the normal nginx rate-limiting feature.

Roger Lipscombe
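The nginx-with-Lua approach sketched in the answer, written out as an added example; this is not the answerer's code nor anything shipped by nginx or OpenResty. It assumes OpenResty with lua-resty-jwt installed, that the tenant's current Azure signing key has already been exported to /etc/nginx/azure-signing-key.pem (fetching the JWKS and selecting by kid is not shown), that the issuer URL and the upstream service name below are placeholders for your own, and that a request whose token does not verify is counted against the caller's IP instead. Two points matter for correctness: limit_req runs in nginx's preaccess phase, so the key has to be computed with set_by_lua (rewrite phase) rather than access_by_lua, which runs after the limit has already been applied; and the azp claim must only be used as a key after the signature has been checked, because keying on an unverified claim lets a caller forge a fresh azp per request and get a fresh bucket every time.

```nginx
# Added example (OpenResty nginx.conf), not code from the answer or the nginx project.
http {
    lua_package_path "/usr/local/openresty/lualib/?.lua;;";

    # Load the Azure signing key once per worker at startup.
    # ASSUMPTION: the PEM was exported from the tenant's JWKS endpoint
    # (https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys);
    # key rotation and multiple kids are not handled in this example.
    init_by_lua_block {
        local f = assert(io.open("/etc/nginx/azure-signing-key.pem", "r"))
        azure_pubkey_pem = f:read("*a")
        f:close()
    }

    # One shared zone keyed on whatever $ratelimit_key evaluates to.
    # 10 r/s per key here; define further zones with other rates if different
    # paths need different SLAs and reference the right one in each location.
    limit_req_zone $ratelimit_key zone=per_client:10m rate=10r/s;

    server {
        listen 80;

        # ASSUMPTION: one of the APIs lives under /orders/ and is exposed by
        # the Kubernetes service orders-svc in namespace default.
        location /orders/ {
            # Computed in the rewrite phase so that limit_req (preaccess phase)
            # can see it. access_by_lua would be too late.
            set_by_lua_block $ratelimit_key {
                local jwt = require "resty.jwt"
                local validators = require "resty.jwt-validators"

                local auth = ngx.var.http_authorization
                local token = auth and auth:match("^[Bb]earer%s+(.+)$")
                if not token then
                    -- No bearer token: share one anonymous bucket per source IP.
                    return "ip:" .. ngx.var.remote_addr
                end

                -- Verify signature, expiry and issuer before trusting any claim.
                -- ASSUMPTION: <tenant-id> is your Azure AD tenant.
                local obj = jwt:verify(azure_pubkey_pem, token, {
                    exp = validators.is_not_expired(),
                    iss = validators.equals("https://login.microsoftonline.com/<tenant-id>/v2.0"),
                })
                if not obj.verified or type(obj.payload.azp) ~= "string" then
                    -- Invalid or forged token: the caller does not get to choose
                    -- its own bucket; count it against the IP instead.
                    return "ip:" .. ngx.var.remote_addr
                end

                -- Verified Azure v2.0 token: key the limit on the client-id (azp).
                return "azp:" .. obj.payload.azp
            }

            limit_req zone=per_client burst=20 nodelay;
            limit_req_status 429;

            proxy_pass http://orders-svc.default.svc.cluster.local;
        }
    }
}
```

The upstream API still validates the token itself; the gateway check exists only so that the rate-limit key cannot be chosen by the caller. In production the PEM-file shortcut should be replaced by a JWKS fetch (for example from a timer in init_worker_by_lua) that caches keys by kid, since Azure rotates signing keys.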