UNPKG

microgateway-plugins/extauth/README.md

Version:

5.2 kBMarkdownView Raw

1# extauth plugin
2
3## Summary
4The purpose of the extauth plugin is to allow customers to BYO-JWT or "bring your own JWT" to Edge Microgateway (EM).  
5Although Apigee provides a public certificate and can generate JWTs for you, we also want to allow customers that already have and IDP, which they use to manage developer identities, to be able to send those JWTs to the Edge Microgateway.  In this case the Microgateway should validate your IDPs JWT using the public JWK endpoint, extract the client ID from the JWT and validate that client ID in the oauth plugin.
6
7## JWT & JWK
8A JWT is a JSON Web Token that is encoded, URL-safe, JSON object that contains claims about a subject and it can be used for authentication and authorization.  A JWK (JSON Web Key) is a JSON object that contains a set of keys that can be used to validate a JWT.
9
10View the following links to learn more about [JWTs](https://tools.ietf.org/html/rfc7519) and [JWKs](https://tools.ietf.org/html/rfc7517).
11
12
13## When do I use this plugin?
14You should answer Yes to all the questions below.
15
161. Do you have your own IDP (Okta, Ping, etc. )?
172. Do you want Edge Microgateway to validate your IDP's JWTs?
18
19If you answered yes to the questions above, then you need to use this plugin.
20
21## Process Summary
22
231. Your IDP will generate a JWT via a /token request.
242. You include that JWT on the request to Edge Microgateway.
253. The EM `extauth` plugin will validate the token using the public JWK endpoint.
264. EM will extract the client_id from the JWT.
275. EM will pass the client Id in the x-api-key header.
286. EM `oauth` plugin will validate the client Id
297. If the client Id is valid this it will forward the request to the backend.
30
31## Prerequisites
32Please complete the following tasks before you use this plugin.  
33
341. Create a product, developer and developer app in Apigee Edge. Read our [documentation](https://docs.apigee.com/api-platform/microgateway/2.5.x/setting-and-configuring-edge-microgateway#part2createentitiesonapigeeedge) for details.   
35
362. Import the client Id into Apigee Edge with the following requests. The secret is optional.  Then associate the Client Id to the Apigee product.
37  * [Create the client Id](https://apidocs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/developers/%7Bdeveloper_email_or_id%7D/apps/%7Bapp_name%7D/keys/create)
38  * This will associate the Client Id to the Apigee product. [Add API Product to client Id](https://apidocs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/developers/%7Bdeveloper_email_or_id%7D/apps/%7Bapp_name%7D/keys/%7Bconsumer_key%7D)
39
40## Plugin configuration properties
41The following properties can be set in the `extauth` stanza in the Microgateway configuration file.
42
43```yaml
44extauth:
45  publickey_url: "URL to your JWK endpoint"
46  client_id: "the property name in the JWT that contains the client Id" # defaults to client_id
47  iss: "This should be the same issuer that is included int the JWT."
48  exp: true # can be true or false, but defaults to true; use true to check for the expiry time and send an error if the token is expired.
49  sendErr: true # can be either true or false, but defaults to true; set this to false if you want the extauth plugin to send an error if the JWT is invalid.
50  keepAuthHeader: false # can be true or false; default is false; set this to true if you want to pass the Authorization header to the backend.
51```
52
53## Enable the plugin
54In the EM configuration file (`org-env-config.yaml`) make sure that your plugin sequence is as shown below.
55
56```yaml
57plugins:
58    sequence:
59      - extauth
60      - oauth
61      # other plugins can be listed here
62```
63
64## Configure the plugin
65In the same configuration file you also need to configure the `extauth` plugin in the EM configuration file.  
66
67**Notice that I set the `client_id` property to `sub`, because Okta JWTs include the client Id in the `sub` property.**
68
69```yaml
70extauth:
71  publickey_url: "https://youridp.com/oauth2/default/v1/keys"
72  client_id: "sub"
73  iss: "https://youridp.com/oauth2/default"
74```
75
76
77## Okta example
78This is an example of how I used this plugin with JWTs generated by Okta.  
79
80```yaml
81...
82
83plugins:
84    sequence:
85      - extauth
86      - oauth
87
88...
89
90extauth:
91  publickey_url: "https://yourinstance.oktapreview.com/oauth2/default/v1/keys"
92  client_id: "sub"
93  iss: "https://yourinstance.oktapreview.com/oauth2/default"
94```
95
96
97### Setup a Okta Authorization Server
98[Documentation](https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server)
99
100### Okta Scopes
101[Okta Scopes](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1#whats-a-scope)
102[Create custom Okta scope](https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server#create-scopes-optional)
103
104### Curl to generate an Okta JWT
105```bash
106curl --request POST \
107  --url https://yourokta.oktapreview.com/oauth2/default/v1/token \
108  --header 'accept: application/json' \
109  -u 'clientId:secret' \
110  --header 'accept: application/json' \
111  --header 'cache-control: no-cache' \
112  --header 'content-type: application/x-www-form-urlencoded' \
113  --data 'grant_type=client_credentials&scope=customScope'
114  ```
115
\No newline at end of file

1	`# extauth plugin`
2
3	`## Summary`
4	`The purpose of the extauth plugin is to allow customers to BYO-JWT or "bring your own JWT" to Edge Microgateway (EM).`
5	`Although Apigee provides a public certificate and can generate JWTs for you, we also want to allow customers that already have and IDP, which they use to manage developer identities, to be able to send those JWTs to the Edge Microgateway. In this case the Microgateway should validate your IDPs JWT using the public JWK endpoint, extract the client ID from the JWT and validate that client ID in the oauth plugin.`
6
7	`## JWT & JWK`
8	`A JWT is a JSON Web Token that is encoded, URL-safe, JSON object that contains claims about a subject and it can be used for authentication and authorization. A JWK (JSON Web Key) is a JSON object that contains a set of keys that can be used to validate a JWT.`
9
10	`View the following links to learn more about [JWTs](https://tools.ietf.org/html/rfc7519) and [JWKs](https://tools.ietf.org/html/rfc7517).`
11
12
13	`## When do I use this plugin?`
14	`You should answer Yes to all the questions below.`
15
16	`1. Do you have your own IDP (Okta, Ping, etc. )?`
17	`2. Do you want Edge Microgateway to validate your IDP's JWTs?`
18
19	`If you answered yes to the questions above, then you need to use this plugin.`
20
21	`## Process Summary`
22
23	`1. Your IDP will generate a JWT via a /token request.`
24	`2. You include that JWT on the request to Edge Microgateway.`
25	3. The EM `extauth` plugin will validate the token using the public JWK endpoint.
26	`4. EM will extract the client_id from the JWT.`
27	`5. EM will pass the client Id in the x-api-key header.`
28	6. EM `oauth` plugin will validate the client Id
29	`7. If the client Id is valid this it will forward the request to the backend.`
30
31	`## Prerequisites`
32	`Please complete the following tasks before you use this plugin.`
33
34	`1. Create a product, developer and developer app in Apigee Edge. Read our [documentation](https://docs.apigee.com/api-platform/microgateway/2.5.x/setting-and-configuring-edge-microgateway#part2createentitiesonapigeeedge) for details.`
35
36	`2. Import the client Id into Apigee Edge with the following requests. The secret is optional. Then associate the Client Id to the Apigee product.`
37	`* [Create the client Id](https://apidocs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/developers/%7Bdeveloper_email_or_id%7D/apps/%7Bapp_name%7D/keys/create)`
38	`* This will associate the Client Id to the Apigee product. [Add API Product to client Id](https://apidocs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/developers/%7Bdeveloper_email_or_id%7D/apps/%7Bapp_name%7D/keys/%7Bconsumer_key%7D)`
39
40	`## Plugin configuration properties`
41	The following properties can be set in the `extauth` stanza in the Microgateway configuration file.
42
43	```yaml
44	`extauth:`
45	`publickey_url: "URL to your JWK endpoint"`
46	`client_id: "the property name in the JWT that contains the client Id" # defaults to client_id`
47	`iss: "This should be the same issuer that is included int the JWT."`
48	`exp: true # can be true or false, but defaults to true; use true to check for the expiry time and send an error if the token is expired.`
49	`sendErr: true # can be either true or false, but defaults to true; set this to false if you want the extauth plugin to send an error if the JWT is invalid.`
50	`keepAuthHeader: false # can be true or false; default is false; set this to true if you want to pass the Authorization header to the backend.`
51	```
52
53	`## Enable the plugin`
54	In the EM configuration file (`org-env-config.yaml`) make sure that your plugin sequence is as shown below.
55
56	```yaml
57	`plugins:`
58	`sequence:`
59	`- extauth`
60	`- oauth`
61	`# other plugins can be listed here`
62	```
63
64	`## Configure the plugin`
65	In the same configuration file you also need to configure the `extauth` plugin in the EM configuration file.
66
67	Notice that I set the `client_id` property to `sub`, because Okta JWTs include the client Id in the `sub` property.
68
69	```yaml
70	`extauth:`
71	`publickey_url: "https://youridp.com/oauth2/default/v1/keys"`
72	`client_id: "sub"`
73	`iss: "https://youridp.com/oauth2/default"`
74	```
75
76
77	`## Okta example`
78	`This is an example of how I used this plugin with JWTs generated by Okta.`
79
80	```yaml
81	`...`
82
83	`plugins:`
84	`sequence:`
85	`- extauth`
86	`- oauth`
87
88	`...`
89
90	`extauth:`
91	`publickey_url: "https://yourinstance.oktapreview.com/oauth2/default/v1/keys"`
92	`client_id: "sub"`
93	`iss: "https://yourinstance.oktapreview.com/oauth2/default"`
94	```
95
96
97	`### Setup a Okta Authorization Server`
98	`[Documentation](https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server)`
99
100	`### Okta Scopes`
101	`[Okta Scopes](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1#whats-a-scope)`
102	`[Create custom Okta scope](https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server#create-scopes-optional)`
103
104	`### Curl to generate an Okta JWT`
105	```bash
106	`curl --request POST \`
107	`--url https://yourokta.oktapreview.com/oauth2/default/v1/token \`
108	`--header 'accept: application/json' \`
109	`-u 'clientId:secret' \`
110	`--header 'accept: application/json' \`
111	`--header 'cache-control: no-cache' \`
112	`--header 'content-type: application/x-www-form-urlencoded' \`
113	`--data 'grant_type=client_credentials&scope=customScope'`
114	```
115
\	No newline at end of file