Kong is pretty cool. Auth0 is pretty cool. They should work together. This guide details the fastest way to get your APIs protected using JWT tokens issued by Auth0.
Pre-requisites:
- Create a Auth0 account. Account name is referred to "COMPANYNAME" for the sake of the guide.
- Setup a Kong instance on your machine. This guide assumes a brand new blank instance.
- Install httpie - a http command line utility built for humans (unlike curl).
-
Create API
$ http POST :8001/apis name=example-api hosts=example.com upstream_url=http://httpbin.org
-
Add JWT Plugin
$ http POST :8001/apis/example-api/plugins name=jwt
-
Download your Auth0 account's Certificate
$ http https://COMPANYNAME.auth0.com/pem --download
-
Transform the Certificate into a public key.
$ openssl x509 -pubkey -noout -in COMPANYNAME.pem > pubkey.pem
-
Create a consumer with the Auth0 public key
$ http post :8001/consumers/adama/jwt algorithm=RS256 rsa_public_key@./pubkey.pem key=https://COMPANYNAME.auth0.com/ -f
-
Success! Send requests through, only valid tokens will work.
$ http GET :8000 Host:example.com Authorization:"Bearer {{TOKEN}}" -v
Wow, that looked so simple, why did you write an article about this?
Becuase this is incredibly hard. Alternative solutions to kong involve:
Integrating your middleware direcly into your codebase. This is hell if you have many APIs. Even worse, you have to audit each library for each programming language. Errors in these libraries are common, and become fatal security holes.
OR
Running a odd custom version of Nginx that supports LUA (https://github.com/auth0/nginx-jwt). Or signing up for Nginx-Plus.
Thanks for this handy guide! I tried it today with the
kong:latest
docker image and step 5 failed. I had tocurl -X POST http://127.0.0.1:8001/consumers --data "username=adama"
to allow step 5 to work.