@archmangler
Last active May 9, 2023 06:29
NGINX Plus JWT Authentication Flow Example
# NGINX+ Configuration:
```nginx
upstream api_server {
    server 10.42.0.63;
}

# Custom access log format that records the JWT alg header and sub claim
log_format jwt '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
               '$jwt_header_alg $jwt_claim_sub';

# Per-client rate limit keyed on the JWT "sub" claim (one bucket per subject)
limit_req_zone $jwt_claim_sub zone=1rps_per_client:1m rate=1r/s;

# Allow-list of token issuers: a listed "iss" maps to a non-empty value;
# any other issuer maps to "" (no default), which auth_jwt_require rejects
map $jwt_claim_iss $valid_jwt_iss {
    "fdfdfd" "lolclolcapigw";
}

server {
    listen 80;

    location /products/ {
        proxy_pass http://api_server;
        auth_jwt "lolc";
        #1. manually provided jwk
        #auth_jwt_key_file api_secret.jwk;
        #2. To be tested
        #auth_jwt_type encrypted;
        #3. In progress/testing: Keycloak JWKS provider
        auth_jwt_key_request /jwks_uri;
        #4. Custom access log formats for JWT
        access_log /var/log/nginx/access_jwt.log jwt;
        #5. In progress (JWT subclaims - client rate limits)
        limit_req zone=1rps_per_client;
        #6. act on attributes: reject tokens whose issuer is not in the map above
        auth_jwt_require $valid_jwt_iss;
    }

    # Internal subrequest that fetches the signing keys from Keycloak
    location = /jwks_uri {
        internal;
        # Certificate verification disabled for the test lab only; with it off,
        # anyone who can intercept this hop can hand NGINX their own signing keys
        proxy_ssl_verify off;
        proxy_pass https://10.43.205.111:58412/auth/realms/lolc/protocol/openid-connect/certs;
    }
}
```
# Curl bearer token request:
```bash
curl -k -L -X POST 'https://10.43.205.111:58412/auth/realms/lolc/protocol/openid-connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=acnapigw' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_secret=89fed70d-0a31-4b87-ba33-10e41af386d1' \
  --data-urlencode 'scope=hkjcapi' \
  --data-urlencode 'username=acnapigw' \
  --data-urlencode 'password=H4ck3rJ4ck##'
```
# Curl service request using bearer token:
```bash
curl -H "Authorization: Bearer ..." http://127.0.0.1:60988/products/
```
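To see what the configuration above does with the bearer token on that request, here is an added Python stand-in for the NGINX Plus decision chain (not NGINX or Keycloak code): it looks up the signing key by `kid` in a JWK set, verifies the signature, checks `exp`, applies the same `iss` map that feeds `auth_jwt_require`, and returns the `sub` value that `limit_req_zone` would use as the bucket key. It assumes an HS256 `oct` key so it runs offline; the JWK set, secret and claims are constructed values, while a Keycloak realm would normally publish RSA keys.

```python
import base64, hashlib, hmac, json, time

# Constructed JWK set in the shape NGINX Plus reads via auth_jwt_key_request
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(b"example-shared-secret-32-bytes!!").rstrip(b"=").decode()}]}

# Mirrors the `map $jwt_claim_iss $valid_jwt_iss` block; unlisted issuers yield ""
ISS_MAP = {"fdfdfd": "lolclolcapigw"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims, kid="demo-key"):
    """Issue a token the way the IdP would (helper for constructed test input)."""
    key = next(k for k in JWKS["keys"] if k["kid"] == kid)
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check_request(token, now=None):
    """Return (allowed, reason, rate_limit_key), mimicking auth_jwt, auth_jwt_require and limit_req_zone."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # bad split, bad base64 or bad JSON -> 401
        return False, "malformed token", None
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != "HS256" or key.get("alg") != "HS256":
        return False, "no matching key or alg", None  # unknown kid / alg mismatch -> 401
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature", None
    if "exp" in claims and claims["exp"] <= now:
        return False, "expired", None
    # auth_jwt_require $valid_jwt_iss: an empty or "0" value rejects the request
    if ISS_MAP.get(claims.get("iss"), "") in ("", "0"):
        return False, "issuer not allowed", None
    # limit_req_zone $jwt_claim_sub: the sub claim selects the 1r/s bucket
    return True, "ok", claims.get("sub", "")
```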