Kong for validating Auth0 JWTs
April 26, 2017
Kong is pretty cool. Auth0 is pretty cool. They should work together. This guide details the fastest way to get your APIs to validate JWT tokens issued by Auth0.
Pre-requisites:
- Create an Auth0 account. The account name is referred to as "COMPANYNAME" for the sake of this guide.
- Set up a Kong instance on your machine. This guide assumes a brand new, blank instance.
- Install httpie, an HTTP command line utility built for humans (unlike curl).
Setup
- Create an API
    $ http POST :8001/apis name=example-api hosts=example.com upstream_url=http://httpbin.org
- Add the JWT plugin to that API
    $ http POST :8001/apis/example-api/plugins name=jwt
- Download your Auth0 account certificate
    $ http https://COMPANYNAME.auth0.com/pem --download
- Extract the public key from the certificate
    $ openssl x509 -pubkey -noout -in COMPANYNAME.pem > pubkey.pem
- Create a consumer credential holding the Auth0 public key. The "key" must be exactly the "iss" value Auth0 puts in its tokens (your tenant URL, trailing slash included), because the JWT plugin looks the consumer up by that claim; "algorithm=RS256" tells Kong to verify signatures with the RSA public key rather than a shared secret.
    $ http post :8001/consumers/adama/jwt algorithm=RS256 rsa_public_key@./pubkey.pem key=https://COMPANYNAME.auth0.com/ -f
- Success! Send requests through with the JWT placed after "Bearer"; only requests carrying a token Kong can verify get proxied to the upstream.
    $ http GET :8000 Host:example.com Authorization:"Bearer " -v
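When Kong answers 401 after the steps above, the usual cause is a mismatch between the token and the consumer credential rather than a bad signature: the JWT plugin reads the claim named by key_claim_name ("iss" by default), looks up the credential whose key equals it exactly, and then requires the token's "alg" to equal the credential's algorithm before it verifies the signature. The helper below, an added example that is not part of the original post, decodes a token and reports those two mismatches so you can see what Kong sees. It deliberately does not verify the signature (Kong does that with the stored rsa_public_key) and must not be used as an authorization check; the make_unsigned_token helper and the tokens it builds are constructed test data with a dummy signature.

```python
import base64
import json

# Issuer Auth0 places in its tokens. The consumer key registered in Kong must
# equal it exactly, trailing slash included. COMPANYNAME is the guide's placeholder.
AUTH0_ISSUER = "https://COMPANYNAME.auth0.com/"


def _b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment (base64url with padding stripped, per RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Return the header and claims of a compact JWT.

    Decoding only: the signature is NOT checked here. Kong verifies it against
    the rsa_public_key stored on the consumer credential.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def kong_lookup_problems(token: str, consumer_key: str, consumer_alg: str = "RS256") -> list:
    """List the reasons Kong's jwt plugin would not match this token to the credential.

    Mirrors the plugin's lookup: the "iss" claim must equal the credential key and
    the header "alg" must equal the credential algorithm. An empty list means both
    checks pass; the signature check is still Kong's job.
    """
    info = inspect_jwt(token)
    problems = []
    iss = info["claims"].get("iss")
    if iss != consumer_key:
        problems.append(f"iss claim {iss!r} does not equal consumer key {consumer_key!r}")
    alg = info["header"].get("alg")
    if alg != consumer_alg:
        problems.append(f"token alg {alg!r} does not equal credential algorithm {consumer_alg!r}")
    return problems


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed test token with a dummy signature (for exercising the checks only)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{c}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    # Constructed tokens: one that matches the credential from the guide, one whose
    # issuer lacks the trailing slash (the most common reason for a mysterious 401).
    good = make_unsigned_token({"alg": "RS256", "typ": "JWT"},
                               {"iss": AUTH0_ISSUER, "sub": "auth0|user", "aud": "example-api"})
    bad_iss = make_unsigned_token({"alg": "RS256", "typ": "JWT"},
                                  {"iss": "https://COMPANYNAME.auth0.com", "sub": "auth0|user"})
    for name, tok in (("good", good), ("bad_iss", bad_iss)):
        print(name, kong_lookup_problems(tok, AUTH0_ISSUER) or "lookup ok")
```

Paste a real token from Auth0 into inspect_jwt to confirm its "iss" equals the key you registered on the consumer before you start debugging certificates; the trailing-slash difference is invisible in most logs but fails the exact-match lookup.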
Wow, that looked so simple, why did you write an article about this?
Because this is surprisingly obscure. The alternatives to Kong involve:
- Integrating the validation middleware directly into your codebase. This is hell if you have many APIs: you have to audit one JWT library per programming language, and critical vulnerabilities in these libraries are common.
- Running a build of Nginx that supports Lua, or signing up for Nginx Plus.
- Tyk may be a viable alternative, though its JWT documentation appears broken as of publication.