JWT Validation with Auth0 and Kong

Getting set up with Auth0 and Kong.

Kong is pretty cool. Auth0 is pretty cool. They should work together. This guide details the fastest way to get your APIs protected using JWT tokens issued by Auth0.

Pre-requisites:

  • Create an Auth0 account. The account name is referred to as "COMPANYNAME" throughout this guide.
  • Set up a Kong instance on your machine. This guide assumes a brand new blank instance.
  • Install httpie - an HTTP command line utility built for humans (unlike curl).

  1. Create the API:

```sh
$ http POST :8001/apis name=example-api hosts=example.com upstream_url=http://httpbin.org
```

  2. Add the JWT plugin:

```sh
$ http POST :8001/apis/example-api/plugins name=jwt
```

  3. Download your Auth0 account's certificate:

```sh
$ http https://COMPANYNAME.auth0.com/pem --download
```

  4. Transform the certificate into a public key:

```sh
$ openssl x509 -pubkey -noout -in COMPANYNAME.pem > pubkey.pem
```

  5. Create a consumer with the Auth0 public key:

```sh
$ http post :8001/consumers/adama/jwt algorithm=RS256 rsa_public_key@./pubkey.pem key=https://COMPANYNAME.auth0.com/ -f
```

  6. Success! Send requests through; only valid tokens will work:

```sh
$ http GET :8000 Host:example.com Authorization:"Bearer {{TOKEN}}" -v
```
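The six steps configure Kong but do not show what the `jwt` plugin actually checks on each request, which is what decides whether step 6 is safe. The Go program below is an added example, not part of this gist and not Kong's own Lua code: it models the plugin's documented checks. The token's `iss` claim is looked up against each consumer credential's `key` (which is why step 5 sets `key` to the exact Auth0 issuer URL, trailing slash included), the token's `alg` header must equal the credential's pinned `algorithm`, the RS256 signature (RSASSA-PKCS1-v1_5 over SHA-256 of `header.payload`) is verified with the PKIX public key that step 4's `openssl` command writes, and `exp` is checked. One caveat the example makes visible: Kong's plugin verifies `exp` only when its `claims_to_verify` option includes it, which step 2 leaves unset, so this example checks `exp` unconditionally to show what that option adds. `JWTCredential`, `ValidateToken`, `SignRS256` and `PublicKeyPEM` are names chosen here, and the RSA key pair is generated locally to stand in for the Auth0 tenant key, since Auth0 never releases its private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
	"time"
)

// JWTCredential is the per-consumer record step 5 creates (field names assumed).
type JWTCredential struct {
	Consumer     string // Kong consumer, e.g. "adama"
	Key          string // compared with the token's iss claim
	Algorithm    string // pinned per credential; this example handles RS256 only
	RSAPublicKey string // PEM "PUBLIC KEY" block exactly as step 4 writes it
}

// Claims holds the token fields this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// digest is what RS256 signs: SHA-256 of "<header>.<payload>".
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// ValidateToken models the plugin's request-time checks in order: parse, look the
// consumer up by iss, pin the algorithm, verify the signature, then check exp.
func ValidateToken(token string, creds []JWTCredential, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdr, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return "", errors.New("segment is not base64url")
	}
	h, c := struct{ Alg string `json:"alg"` }{}, Claims{}
	if json.Unmarshal(hdr, &h) != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("header or claims are not JSON")
	}
	var cred *JWTCredential // iss must equal a credential's key byte for byte
	for i := range creds {
		if creds[i].Key == c.Iss {
			cred = &creds[i]
		}
	}
	if cred == nil {
		return "", errors.New("no credentials found for given iss")
	}
	// alg is untrusted header input; it must equal the pinned algorithm, so a
	// token claiming "none" or HS256 is never checked against the RSA key.
	if h.Alg != cred.Algorithm || cred.Algorithm != "RS256" {
		return "", errors.New("algorithm mismatch")
	}
	block, _ := pem.Decode([]byte(cred.RSAPublicKey))
	if block == nil {
		return "", errors.New("credential has no PEM public key")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return "", errors.New("public key is not a usable RSA key")
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return "", errors.New("invalid signature")
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return cred.Consumer, nil
}

// SignRS256 mints a token as an issuer would, purely so the validator can be
// exercised offline with a locally generated key standing in for Auth0's.
func SignRS256(priv *rsa.PrivateKey, alg string, c Claims) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + enc(sig)
}

// PublicKeyPEM emits the same PKIX "PUBLIC KEY" PEM as step 4's openssl command.
func PublicKeyPEM(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}
```

To exercise it, generate a key with `rsa.GenerateKey`, build a `JWTCredential` whose `Key` is the issuer URL and whose `RSAPublicKey` is `PublicKeyPEM(&priv.PublicKey)`, mint a token with `SignRS256` and hand it to `ValidateToken`. A token whose header says `none` or `HS256`, one signed by a different key, one from another issuer, a tampered payload, or one past `exp` all come back as an error rather than a consumer name; only the consumer lookup by `iss` and the algorithm pin are what keep the RSA public key from being misused as a shared secret.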

Wow, that looked so simple, why did you write an article about this?

Because this is incredibly hard. Alternative solutions to Kong involve:

Integrating your middleware directly into your codebase. This is hell if you have many APIs. Even worse, you have to audit each library for each programming language. Errors in these libraries are common, and become fatal security holes.

OR

Running an odd custom version of Nginx that supports Lua (https://github.com/auth0/nginx-jwt). Or signing up for Nginx Plus.


jlsumler commented Dec 4, 2018

Thanks for this handy guide! I tried it today with the kong:latest docker image and step 5 failed. I had to

```sh
curl -X POST http://127.0.0.1:8001/consumers --data "username=adama"
```

to allow step 5 to work.


martinjras commented Feb 16, 2019

Thank you. Looks great :)


somada141 commented Sep 8, 2019

Took me a while to figure it out, but just in case anybody tries to do the above with the declarative YAML syntax, the kong.yml should look like this:

```yaml
services:
  - name: my-awesome-service
    url: "https://jsonplaceholder.typicode.com/users"
    routes:
      - name: users
        paths:
          - /users
    plugins:
      - name: jwt

consumers:
  - username: "my_consumer_username"

jwt_secrets:
  - consumer: "my_consumer_username"
    key: "https://COMPANYNAME.auth0.com/"
    algorithm: "RS256"
    rsa_public_key: |-
      -----BEGIN PUBLIC KEY-----
      bunch of letters and numbers
      spread over
      multiple lines
      -----END PUBLIC KEY-----
```

Do note that Kong v1.3 seems to be having issues with the above, as detailed under Kong/kong#4954. Try v1.2 if you're having errors like the one stated in the issue.


linuxbandit commented Jun 19, 2020

Rewritten for Kong 2.x, correcting a new Auth0 URL, and adding the point @jlsumler mentioned:

```sh
http POST :8001/services name=example-api url=http://httpbin.org

http POST :8001/services/example-api/routes hosts:='["example.com"]'

http POST :8001/services/example-api/plugins name=jwt

http https://COMPANYNAME.REGION.auth0.com/pem --download    # REGION is 'eu' if servers in Europe, etc

http POST :8001/consumers username=adama

http post :8001/consumers/adama/jwt algorithm=RS256 rsa_public_key@./pubkey.pem key=https://COMPANYNAME.REGION.auth0.com/ -f
```

How to get the TOKEN is still unclear to me though, any hint @fsargent?
