NGINX Plus JWT Authentication Flow Example

gistfile1.txt

#NGINX+ Configuration:


```
upstream api_server {
    server 10.42.0.63;
}

#access log custom formatting example
log_format jwt '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
               '$jwt_header_alg $jwt_claim_sub';

#client rate limit requests based on JWT subclaim claims
limit_req_zone $jwt_claim_sub zone=1rps_per_client:1m rate=1r/s;

map $jwt_claim_iss $valid_jwt_iss {
    "fdfdfd" "lolclolcapigw";
}

server {
    listen 80;

    location /products/ {

        proxy_pass http://api_server;
        auth_jwt "lolc";

        #1. manually provided jwk
        #auth_jwt_key_file api_secret.jwk;

        #2. To be tested
        #auth_jwt_type encrypted;
       
        #3. In progress/testing: Keycloak JWKS provider
        auth_jwt_key_request /jwks_uri;

        #4. Custom access log formats for JWT
        access_log /var/log/nginx/access_jwt.log jwt;
  
        #5. In progress (JWT subclaims - client rate limits)
        limit_req zone=1rps_per_client;

        #6. act on attributes 
        auth_jwt_require $valid_jwt_iss;
    }

    location = /jwks_uri {
            internal;
            proxy_ssl_verify off;
            proxy_pass  https://10.43.205.111:58412/auth/realms/lolc/protocol/openid-connect/certs;
    }
    
}
```

#Curl bearer Token request:

```

curl -k -L -X POST 'https://10.43.205.111:58412/auth/realms/lolc/protocol/openid-connect/token' 
    -H 'Content-Type: application/x-www-form-urlencoded' 
    --data-urlencode 'client_id=acnapigw' 
    --data-urlencode 'grant_type=password' 
    --data-urlencode 'client_secret=89fed70d-0a31-4b87-ba33-10e41af386d1' 
    --data-urlencode 'scope=hkjcapi' 
    --data-urlencode 'username=acnapigw' 
    --data-urlencode 'password=H4ck3rJ4ck##'
```


#Curl service request using bearer token:

```
curl -H "Authorization: Bearer ..." http://127.0.0.1:60988/products/
```