github.com/hellofresh/janus@v0.0.0-20230925145208-ce8de8183c67/docs/auth/oauth.md

github.com/hellofresh/janus@v0.0.0-20230925145208-ce8de8183c67/docs/auth/oauth.md (about)

     1  # OAuth 2.0
     2  
     3  
     4  ## 1. Add your OAuth Server
     5  
     6  The main feature of the API Gateway is to proxy the requests to a different service, so let's do this.
     7  Now that you are authenticated, you can send a request to `/oauth/servers` to create a proxy.
     8  
     9  {% codetabs name="HTTPie", type="bash" -%}
    10  http -v POST localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json" < examples/front-proxy-auth/auth/auth.json
    11  {%- language name="CURL", type="bash" -%}
    12  curl -X "POST" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json" -d  @examples/front-proxy-auth/auth/auth.json
    13  {%- endcodetabs %}
    14  
    15  ## 2. Verify that your API has been added
    16  
    17  You can use the REST API to query all available APIs and Auth Providers. Simply make a request to `/oauth/servers`.
    18  
    19  {% codetabs name="HTTPie", type="bash" -%}
    20  http -v GET localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json"
    21  {%- language name="CURL", type="bash" -%}
    22  curl -X "GET" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json"
    23  {%- endcodetabs %}
    24  
    25  ## 3. Forward your requests through Janus
    26  
    27  Issue the following cURL request to verify that Janus is properly forwarding
    28  requests to your OAuth Server.
    29  
    30  This request is an example of a simple `client_credentials` flow of [OAuth 2.0](), you can try any flow that you like.
    31  
    32  {% codetabs name="HTTPie", type="bash" -%}
    33  http -v GET http://localhost:8080/auth/token?grant_type=client_credentials "Authorization: Basic YourBasicToken"
    34  {%- language name="CURL", type="bash" -%}
    35  curl -X "GET" http://localhost:8080/auth/token?grant_type=client_credentials -H "Authorization: Basic YourBasicToken" -H "Content-Type: application/json"
    36  {%- endcodetabs %}
    37  
    38  # Reference
    39  
    40  | Configuration                 | Description                                                                               |
    41  |-------------------------------|-------------------------------------------------------------------------------------------|
    42  | name                          | The unique name of your OAuth Server                                                      |
    43  | oauth_endpoints.authorize     | Defines the [proxy configuration](/docs/config/proxy.md) for the `authorize` endpoint     |
    44  | oauth_endpoints.token         | Defines the [proxy configuration](/docs/config/proxy.md) for the `token` endpoint         |
    45  | oauth_endpoints.introspection | Defines the [proxy configuration](/docs/config/proxy.md) for the `introspection` endpoint |
    46  | oauth_endpoints.revoke        | Defines the [proxy configuration](/docs/config/proxy.md) for the `revoke` endpoint        |
    47  | oauth_client_endpoints.create | Defines the [proxy configuration](/docs/config/proxy.md) for the `create` client endpoint |
    48  | oauth_client_endpoints.remove | Defines the [proxy configuration](/docs/config/proxy.md) for the `remove` client endpoint |
    49  | allowed_access_types          | The allowed access types for this oauth server                                            |
    50  | allowed_authorize_types       | The allowed authorize types for this oauth server                                         |
    51  | auth_login_redirect           | The auth login redirect URL                                                               |
    52  | secrets                       | A map of client_id: client_secret that allows you to authenticate only with the client_id |
    53  | token_strategy.name           | The token strategy for this server. Could be `introspection` or `jwt`                     |
    54  | token_strategy.settings       | Token strategy settings, see bellow by strategy                                           |
    55  | token_strategy.leeway         | Token date fields validation leeway to solve clock skew problem                           |
    56  
    57  ## Token Strategy Settings
    58  
    59  ### `jwt`
    60  
    61  JWT token validation strategy performs token validation against signature and expiration date. Currently the following
    62  signature methods are supported:
    63   
    64  * `HS256` - HMAC with SHA256 hash (symmetric key)
    65  * `HS384` - HMAC with SHA384 hash (symmetric key)
    66  * `HS512` - HMAC with SHA512 hash (symmetric key)
    67  * `RS256` - RSA with SHA256 hash (asymmetric key)
    68  * `RS384` - RSA with SHA384 hash (asymmetric key)
    69  * `RS512` - RSA with SHA512 hash (asymmetric key)
    70  
    71  Settings structure has the following format:
    72  
    73  ```json
    74  [
    75      {"alg": "<alg1>", "key": "<key1>"},
    76      {"alg": "<alg2>", "key": "<key2>"},
    77      ...
    78  ]
    79  ```
    80  
    81  List of signing methods allows signing method and keys rotation w/out immediate invalidation of the old one, so the
    82  tokens signed with old and new methods will be valid.
    83  
    84  For backward compatibility the following settings format is also valid: `{"secret": "<key>"}` that is equal to the
    85  new format `[{"alg": "HS256", "key", "<key>"}]`.