Skip to content

Instantly share code, notes, and snippets.

@martinjras
Forked from fsargent/auth0-kong.md
Last active February 16, 2019 18:15
Show Gist options
  • Save martinjras/3de95c085b95a092d30d594e9ecf2bd5 to your computer and use it in GitHub Desktop.
Save martinjras/3de95c085b95a092d30d594e9ecf2bd5 to your computer and use it in GitHub Desktop.
JWT Validation with Auth0 and Kong

To get setup with Auth0 and Kong.

Kong is pretty cool. Auth0 is pretty cool. They should work together. This guide details the fastest way to get your APIs protected using JWT tokens issued by Auth0.

Pre-requisites:

  • Create a Auth0 account. Account name is referred to "COMPANYNAME" for the sake of the guide.
  • Setup a Kong instance on your machine. This guide assumes a brand new blank instance.
  1. Create API $ curl -i -X POST --url http://localhost:8001/services/ --data 'name=example-service' --data 'url=https://enlet9pi5stvd.x.pipedream.net/'

1.1 Add route curl -i -X POST \ --url http://localhost:8001/services/example-service/routes \ --data 'hosts[]=example.com'

  1. Add JWT Plugin $ http POST :8001/services/example-service/plugins name=jwt

  2. Download your Auth0 account's Certificate $ http https://COMPANYNAME.auth0.com/pem --download

  3. Transform the Certificate into a public key. $ openssl x509 -pubkey -noout -in COMPANYNAME.pem > pubkey.pem

4.1. Yas $ curl -X POST http://127.0.0.1:8001/consumers --data "username=adama"

  1. Create a consumer with the Auth0 public key $ http post :8001/consumers/adama/jwt algorithm=RS256 rsa_public_key@./pubkey.pem key=https://energidata.eu.auth0.com/ -f

  2. Success! Send requests through, only valid tokens will work. $ http GET :8000 Host:example.com Authorization:"Bearer {{TOKEN}}" -v

Wow, that looked so simple, why did you write an article about this?

Becuase this is incredibly hard. Alternative solutions to kong involve:

Integrating your middleware direcly into your codebase. This is hell if you have many APIs. Even worse, you have to audit each library for each programming language. Errors in these libraries are common, and become fatal security holes.

OR

Running a odd custom version of Nginx that supports LUA (https://github.com/auth0/nginx-jwt). Or signing up for Nginx-Plus.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment