This directory contains demo scenarios showing AuthBridge providing zero-trust authentication for Kubernetes agent workloads. Each demo progressively introduces more AuthBridge capabilities.
Note: These demos use the `authbridge-unified` image with operator-injected sidecars. See `cmd/authbridge/README.md` for details on the unified authbridge binary.

| Demo | Difficulty | What It Shows | Deployment |
|---|---|---|---|
| Weather Agent | Beginner | Inbound JWT validation, automatic identity registration, outbound passthrough | UI |
| Weather Agent (advanced) | Intermediate | Inbound on agent and tool, outbound token exchange, ingress JWT verification on the tool | kubectl + script |
| GitHub Issue Agent | Intermediate | Inbound validation + outbound token exchange + scope-based access control | UI or Manual |
| Webhook | Intermediate | Webhook-based sidecar injection with auth-target demo app | Manual |
| Single Target | Advanced | Manual AuthBridge deployment (no webhook) with SPIFFE identity | Manual |
| Multi-Target | Advanced | Route-based token exchange to multiple target services | Manual |

New to AuthBridge? Start with the demos in this order:

1. Weather Agent — Fastest way to see AuthBridge in action. Deploys via the Kagenti UI with inbound JWT validation protecting the agent. No token exchange configuration is needed; outbound traffic uses the default passthrough policy.
2. GitHub Issue Agent — Full AuthBridge demo with inbound validation and outbound token exchange. Shows how AuthBridge transparently exchanges tokens when the agent calls the GitHub tool, with scope-based access control (Alice vs Bob).
3. Multi-Target — Advanced routing with per-host token exchange configuration. Shows how a single agent can communicate with multiple target services, each requiring a token with a different audience.

### Weather Agent

- Deploy agent + tool via Kagenti UI
- AuthBridge inbound JWT validation (signature, issuer, audience)
- Automatic SPIFFE identity registration with Keycloak
- Default outbound passthrough — agents work out-of-the-box with any tool or LLM
- CLI testing: public endpoints, token rejection, valid token

### Weather Agent (advanced)

- Same images as the beginner demo, separate `*-advanced` Deployments so the getting-started flow stays untouched
- Outbound token exchange to the tool SPIFFE audience (`authproxy-routes`)
- AuthBridge injected on the MCP tool — JWT checks at Envoy before the tool process
- `deploy_and_verify_advanced.sh` for reproducible CI-style verification (Keycloak exchange + MCP `initialize` without requiring a working LLM)

### GitHub Issue Agent

- Deploy agent + tool via Kagenti UI or kubectl
- Keycloak configuration for token exchange (realm, clients, scopes)
- Inbound JWT validation protecting the agent
- Outbound OAuth 2.0 token exchange (RFC 8693) — agent-scoped token exchanged for tool-scoped token
- Subject preservation through exchange (`sub` claim maintained)
- Scope-based access control: Alice (public repos) vs Bob (all repos)
- Comprehensive CLI testing and AuthProxy log verification

### Webhook

- Demonstrates the kagenti-operator sidecar injection mechanism
- Deploys a generic agent + auth-target (not a real-world agent)
- Tests inbound validation and outbound token exchange end-to-end
- Good for understanding the injection labels and ConfigMap requirements

### Single Target

- Manual deployment without the webhook (all sidecars in the YAML)
- SPIFFE-based identity with SPIRE
- Single agent → single target with token exchange
- Good for understanding AuthBridge internals

### Multi-Target

- Route-based token exchange using the `authproxy-routes` ConfigMap
- One agent communicating with multiple target services
- Each target gets a token with the correct audience
- Uses `keycloak_sync.py` for declarative scope management

### Prerequisites

All demos require:
- A Kubernetes cluster with the Kagenti platform installed (Installation Guide)
- Keycloak deployed in the `keycloak` namespace
- SPIRE deployed (for demos using SPIFFE identity)

UI-based demos additionally require:
- The Kagenti UI running at `http://kagenti-ui.localtest.me:8080`

Most demos need Keycloak accessible at `http://keycloak.localtest.me:8080`. If it is not already available via an ingress:

```bash
kubectl port-forward service/keycloak-service -n keycloak 8080:8080
```

Demos that configure Keycloak need a Python virtual environment:

```bash
cd authbridge
python -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
```

### Related documentation

- AuthBridge Overview — Architecture and design
- AuthBridge Binary — Unified authbridge binary supporting ext_proc, ext_authz, and proxy modes
- Kagenti Operator — Admission webhook for sidecar injection (migrated from this repo)