

Can you explain the process of using JSON Web Tokens with Gloo Gateway for DeepSeek-R1


Using JSON Web Tokens (JWTs) with Gloo Gateway for DeepSeek-R1 involves several steps to ensure secure authentication and authorization. Here's a detailed guide on how to implement this process:

Understanding JWTs

JSON Web Tokens are self-contained, stateless tokens that carry all necessary information for authentication and authorization within the token itself[4]. They consist of three parts: a header, a payload, and a signature. The header specifies the algorithm used for signing, the payload contains the claims or data, and the signature is generated by signing the header and payload with a secret key.

Generating JWTs for DeepSeek-R1

To use JWTs with DeepSeek-R1 via Gloo Gateway, you first need to generate a JWT. Here’s how you can do it:

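1. Create a JSON Payload: Define the payload with the necessary claims, such as user ID or any other relevant information. Express expiry with the registered "exp" claim, in seconds since the Unix epoch, so that verifiers enforce it.

   ```json
   {
     "userId": "abcd123",
     "exp": 1646635611
   }
   ```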

2. Generate a Signing Key: Use a secure method to generate a signing key. For demonstration purposes, you can use a tool like OpenSSL to create a private key, but in production, use secure secret management tools[1][4].

   ```bash
   openssl genrsa 2048 > private-key.pem
   ```

3. Sign the JWT: Use a library like PyJWT in Python to sign the JWT with your private key. Ensure you use a secure algorithm like RS256 for RSA keys.

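   ```python
   import time

   import jwt  # PyJWT; RS256 also needs the "cryptography" package installed

   # Load private key
   with open("private-key.pem", "r") as f:
       private_key = f.read()

   # Define payload. "exp" is in seconds since the Unix epoch, not milliseconds;
   # "iss" and "aud" must match the issuer and audiences configured in Gloo Gateway.
   payload = {
       "userId": "abcd123",
       "iss": "your-issuer",
       "aud": "your-audience",
       "exp": int(time.time()) + 3600,  # valid for one hour
   }

   # Sign JWT
   jwt_token = jwt.encode(payload, private_key, algorithm="RS256")
   ```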

Configuring Gloo Gateway

Next, you need to configure Gloo Gateway to verify these JWTs. Here’s how you can do it:

1. Derive the Public Key from the Private Key: Extract the public key for verification purposes. Only the public key is given to the gateway; the private key stays with the token issuer.

   ```bash
   openssl rsa -in private-key.pem -pubout -out public-key.pem
   ```

2. Use a JWKS Server: For scalability, use a JSON Web Key Set (JWKS) server to manage your public keys. This allows for easier key rotation and management[1].

3. Configure Gloo Gateway: In your Gloo Gateway configuration, specify the JWKS server URL or include the public key directly in the Virtual Service definition. This will enable Gloo to verify incoming JWTs.

   ```yaml
   # Example of verifying tokens against a remote JWKS server
   # Check the exact field layout against the JWT guide for your Gloo version [9]
   apiVersion: gateway.solo.io/v1
   kind: VirtualService
   metadata:
     name: example-vs
   spec:
     jwt:
       providers:
         - issuer: "your-issuer"
           audiences:
             - "your-audience"
           remoteJwks:
             url: "https://your-jwks-server.com/.well-known/jwks.json"
   ```

4. Implement Authentication and Authorization: Use Gloo Gateway’s RBAC (Role-Based Access Control) policies to define access rules based on the verified JWT claims[1].

Securing DeepSeek-R1 with Gloo Gateway

To secure DeepSeek-R1, Gloo Gateway acts as an intermediary, providing additional security features:

1. API Key Management: Instead of exposing DeepSeek API keys directly, Gloo Gateway can securely manage and rotate these keys[7].

2. Prompt Management and Guardrails: Implement prompt guards to filter out inappropriate requests and ensure that only authorized data is sent to DeepSeek-R1[3].

3. Traffic Routing: Route traffic to either a public or self-hosted DeepSeek model without exposing the underlying infrastructure to clients[3].

By integrating JWT authentication with Gloo Gateway for DeepSeek-R1, you enhance security, control, and scalability in your AI deployment.

Citations:
[1] https://docs.solo.io/gloo-edge/main/guides/security/auth/jwt/access_control/
[2] https://www.vellum.ai/blog/the-training-of-deepseek-r1-and-ways-to-use-it
[3] https://www.solo.io/blog/navigating-deepseek-r1-security-concerns-and-guardrails
[4] https://supertokens.com/blog/what-is-jwt
[5] https://github.com/solo-io/workshops/blob/master/gloo-edge/README.md
[6] https://meetcody.ai/blog/deepseek-r1-api-pricing/
[7] https://www.bigdatawire.com/this-just-in/solo-io-releases-gloo-ai-gateway-to-optimize-ai-deployment-and-ensure-governance-controls/
[8] https://kgateway.dev/docs/reference/api/top-level/settings.proto.sk/
[9] https://docs.solo.io/gloo-edge/main/guides/security/auth/jwt/
[10] https://www.reddit.com/r/LLMDevs/comments/1i6duzp/anyone_know_how_to_setup_deepseekr1_on/
[11] https://www.solo.io/resources/video/demo-video-navigating-deepseek-r1-security-concerns-and-guardrails