Authenticate requests from Dapr using token authentication

    For some building blocks such as pub/sub, service invocation and input bindings, Dapr communicates with an app over HTTP or gRPC. To enable the application to authenticate requests that are arriving from the Dapr sidecar, you can configure Dapr to send an API token as a header (in HTTP requests) or metadata (in gRPC requests).

    Dapr uses JWT tokens for API authentication.

    To configure API authentication, start by generating your token using any JWT token compatible tool (e.g. ) and your secret.

    Configure app API token authentication in Dapr

    The token authentication configuration is slightly different for either Kubernetes or self-hosted Dapr deployments:

    In self-hosting scenario, Dapr looks for the presence of environment variable. If that environment variable is set while daprd process launches, Dapr includes the token when calling an app:

    Kubernetes

    In Kubernetes deployment, Dapr leverages Kubernetes secrets store to hold the JWT token. Start by creating a new secret:

    1. kubectl create secret generic app-api-token --from-literal=token=<token>

    To indicate to Dapr to use the token in the secret when sending requests to the app, add an annotation to your Deployment template spec:

    1. annotations: 
    2.   dapr.io/enabled: "true"

    When deployed, the Dapr Sidecar Injector automatically creates a secret reference and injects the actual value into APP_API_TOKEN environment variable.

    To rotate the configured token in self-hosted, simply set the APP_API_TOKEN environment variable to the new value and restart the daprd process.

    Kubernetes

    To rotate the configured token in Kubernates, update the previously created secret with the new token in each namespace. You can do that using kubectl patch command, but the easiest way to update these in each namespace is by using manifest:

    And then apply it to each namespace:

    1. kubectl apply --file token-secret.yaml --namespace <namespace-name>

      Authenticating requests from Dapr

      Once app token authentication is configured in Dapr, all requests coming from Dapr include the token:

      In case of HTTP, inspect the incoming request for presence of parameter in HTTP header:

      gRPC

      When using gRPC protocol, inspect the incoming calls for the API token on the gRPC metadata:

      1. dapr-api-token[0].

      In Kubernetes, it’s recommended to mount the secret to your pod as an environment variable. Assuming we created a secret with the name app-api-token to hold the token:

      1. containers:
      2.   - name: mycontainer
      3.     image: myregistry/myapp
      4.     envFrom:
      6.       name: app-api-token

      Self-hosted

      In self-hosted mode, you can set the token as an environment variable for your app:

      Related Links