Step 12 - JWT authorization

In this lab we will configure our services to use JSON Web Tokens (JWTs) to authenticate requests.

Note

JSON Web Tokens (JWT) are an open, industry standard RFC 7519 method for representing claims securely between two parties.

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information.

OAuth (short for “Open Authorization”[1][2]) is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OAUTH with OIDC issues JWTs for authentiction requests that your applications can leverage for authentication and authorization purposes.

In the following labs, Keycloak is already configured to issue JWT tokens for developers.

Add JWT Policy on API-Proxy

  1. Edit the API-Proxy v2 instance like previously (we will enable JWT auth only on version 2; version 1 will remain configured with API Key authentication)

  2. In Policies, remove both the APIKey and the Rate Limit polices. Click Save and Publish after both policies have been removed.

  3. Add a new JSON Web Token Assertion policy

  4. For JWKS Sets, choose Enter JSON Web Key Sets (JWKS) and paste the JSON below.

    Note

    You can retrieve this JWKS from the Keycloak endpoint http://10.1.1.4:8080/realms/devportal/protocol/openid-connect/certs

    {
        "keys": [
            {
            "kid": "7lVSKvEvLfUPne72Jjm_J0qKtokfhxozDLaFvGqvoO4",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "uoiH5jIEuFaKjRMZB-8V17ay7tvv6EPPj_9synlFUgJ7FqD39lQ9Mw_6yM3rTIMKo-7G1m2gD3-pz_jg--J0kaikYIy_YMKWge2RJ9NaEzG76gtlb7Hlnc5hbI3ps3-xiMwOJR8Bv1mEFvKsZcyAvfE5UlIcmAwmT1ZkNfPyDxs2V2ry-GEPF4C6KBMuf2OniqpWxw5Dt53Jpzm2udZNj3F4DSA9QmIQg9YQ_B2nKjCTiB-DFrnaHC0OGRX0ejZYCA4hXeuJ1lhTL7rAaZabWU2hObMHg6jEtY_tFECpevpTcTvht1cKB-IHLtBW3jEu14KSqLpNq8BqFPZcwyPwuw",
            "e": "AQAB",
            "x5c": [
                "MIICoTCCAYkCBgGD6eoPGjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlkZXZwb3J0YWwwHhcNMjIxMDE4MDcwNDM0WhcNMzIxMDE4MDcwNjE0WjAUMRIwEAYDVQQDDAlkZXZwb3J0YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iIfmMgS4VoqNExkH7xXXtrLu2+/oQ8+P/2zKeUVSAnsWoPf2VD0zD/rIzetMgwqj7sbWbaAPf6nP+OD74nSRqKRgjL9gwpaB7ZEn01oTMbvqC2VvseWdzmFsjemzf7GIzA4lHwG/WYQW8qxlzIC98TlSUhyYDCZPVmQ18/IPGzZXavL4YQ8XgLooEy5/Y6eKqlbHDkO3ncmnOba51k2PcXgNID1CYhCD1hD8HacqMJOIH4MWudocLQ4ZFfR6NlgIDiFd64nWWFMvusBplptZTaE5sweDqMS1j+0UQKl6+lNxO+G3VwoH4gcu0FbeMS7XgpKouk2rwGoU9lzDI/C7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJISxPKqs1K2HrJ1GU00lavJM2LF1Dz1hvEs2FFkcmhq27SM7ziWh3NVM1J5U4zAPdOfJwkEf9ovF+O4Z5p/61rHlOP3k17VM54xWoz2XSWQRguDaqFIk6RMPni+zIZ2PRMUz2ZsPhNSBQciNjlfTajXI+HL2sNlvdPXlqfj1yDh7dOFgZBbWgp/jXQBEMJvZeLL+shMgAe478VFef1R53x22ZdPtSZtHIrNMrwPjuGMlVFoBeSQAh62JlxQXgg43GAzTf/n4y/dKzuraPAQ3TvD+g+BBoRaFnimHM6IWgXesUlPmVrQQzBKc4mxMhXaN1mywlnHhoa/ZaocLhjKgdY="
            ],
            "x5t": "FUc7qc4WAUbfI5rWJDI2P7VjLtc",
            "x5t#S256": "RLJDJ2UtPIGUVaUy5sszwVaKIVjusnMhVlNYnNEmgDw"
            },
            {
            "kid": "X5tnnuP61grNvVl6XKmo1wyfDul_tjBo4IYrsrlh778",
            "kty": "RSA",
            "alg": "RSA-OAEP",
            "use": "enc",
            "n": "rBkzP0h19c58RApzgGJGb8kJxSH4ZNxv3gjxRKFirxgp91EK-ectweYhMGa2FSQdk8bKkKidH_D-vkemjv2cjgeO7zmGH-tOsYCuJZ9Sugie6TDO4_Hq2QsjDiGz2wB54YlM4TzE9NEzZ7ULf3c8JLBc6IXNG0SgO3v2_Vqec6CzcH76EYgpRivHRjSP7yyWnQXkt-ca08tckwXV-CmYI0BvimEQrMkcWSU82K8889Rhl7Vf_3wYzMu2VLRshmUPVfrq3sWFEpTkiGRmuJskNhlvsJKbptNdDXSfJFv9TR9mFoPpBCYAEISiCl7mYKNf4yvffmjGNfJkk1UhswnJmw",
            "e": "AQAB",
            "x5c": [
                "MIICoTCCAYkCBgGD6eoQJDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlkZXZwb3J0YWwwHhcNMjIxMDE4MDcwNDM0WhcNMzIxMDE4MDcwNjE0WjAUMRIwEAYDVQQDDAlkZXZwb3J0YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsGTM/SHX1znxECnOAYkZvyQnFIfhk3G/eCPFEoWKvGCn3UQr55y3B5iEwZrYVJB2TxsqQqJ0f8P6+R6aO/ZyOB47vOYYf606xgK4ln1K6CJ7pMM7j8erZCyMOIbPbAHnhiUzhPMT00TNntQt/dzwksFzohc0bRKA7e/b9Wp5zoLNwfvoRiClGK8dGNI/vLJadBeS35xrTy1yTBdX4KZgjQG+KYRCsyRxZJTzYrzzz1GGXtV//fBjMy7ZUtGyGZQ9V+urexYUSlOSIZGa4myQ2GW+wkpum010NdJ8kW/1NH2YWg+kEJgAQhKIKXuZgo1/jK99+aMY18mSTVSGzCcmbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKT9yLU9LL3lBWkimcohu9Bc/EsNtRi7FAPiaH3vttOCvuXShA4LD4qoIx4qPMWE9EIOywC7p+NH+piekD/YVg9mcoTWPG1rug2mzHfRdRRhJli6UnaX3uKGLis1Nqsob2k5elha67cEbPekLC8cHaB7poiV2T5uTEpwcOLM84U+eRBUCrKWAMnGmFt9vvl3MAb/vK5ObSZI0USUi0AjBDNw6FTpf3qzSK3E3wwbnMcgphIxfTJaGLWMAndNu7jxVw1FjGAPtx+dBY6nmoTrJDVkCmktIyItnF/RBt6MKwTmfPzAkbAqIOxiBG7ITON8DG0CypdEAHXOo5ageRzIZRA="
            ],
            "x5t": "hWnR0Dd0ovR_DrHIln2NDsMmdnE",
            "x5t#S256": "_NO4MyR8k8d6sIcRg2tK5NvJTY39DcvbiNtVgZ8ZzWg"
            }
        ]
    }
    
  5. Click Add

  6. Click Save and Publish

Check what happened in the Dev Portal

  1. In the Dev Portal, check what happened for the API Key on Version 2

  2. As you can see, as the API Key policy has been deleted, the API Key for Version 2 has been removed from the Dev Portal, and a warning is displayed

    ../../../_images/key-deleted.png

Test JWT auth out with Postman

  1. In Postman, select the call GET Colors and check the version is v2 http://api.sentence.com/v2/api/colors

  2. In Authorization, select type OAuth 2.0

    Note

    As you can notice, the Postman OAuth v2.0 client is already set to request JWT against Keycloak

  3. Scroll down and click on Get New Access Token

    ../../../_images/get-access.png
  4. Authenticate as dev1 and password dev1

    ../../../_images/login.png
  5. Click Proceed, then Use Token

    ../../../_images/use-token.png
  6. Send the request. It should pass.

    ../../../_images/send.png

Note

Congratulations, you configured your API Gateway to validate the JWT token from Keycloak.

Note

Check your Version 1 is still using API Key authentication. Note the /colors endpoint is not available v1.