github.com/hellofresh/janus@v0.0.0-20230925145208-ce8de8183c67/docs/quick_start/add_auth.md (about) 1 # Add Authentication 2 3 When configuring your API you can choose between different authentication methods, these are: 4 5 * Basic/Digest Authentication 6 * OAuth 2.0 7 * JWT 8 9 We tried to design Janus in a way that the authentication provider are simple to setup 10 and completely decoupled from the gateway. 11 12 Let's add an OAuth2 authentication to our endpoint. 13 14 ## 1. Configure OAuth2 15 16 First of all let's configure our oAuth2 provider. This could be any OAuth2 provider: Google, Facebook, etc... 17 Let's bring a container up with a mocked OAuth2 server: 18 19 ```sh 20 cd examples/front-proxy-auth 21 docker-compose up -d auth-service 22 ``` 23 24 Lets create a file with the oAuth2 configuration called `auth.json`: 25 26 ```json 27 { 28 "name" : "local", 29 "oauth_endpoints" : { 30 "token" : { 31 "listen_path" : "/auth/token", 32 "upstreams" : { 33 "balancing": "roundrobin", 34 "targets": [ 35 {"target": "http://auth-service1:8080/token"}, 36 {"target": "http://auth-service2:8080/token"}, 37 ] 38 }, 39 "strip_path" : true, 40 "append_path" : false, 41 "methods" : ["POST"] 42 } 43 }, 44 "token_strategy" : { 45 "name" : "jwt", 46 "settings" : [ 47 {"alg": "HS256", "key" : "secret"} 48 ] 49 } 50 } 51 ``` 52 53 So, what we've done here? 54 55 1. The first thing is to give a `name` for the oAuth2 server. 56 2. Within `oauth_endpoints` we setup only one endpoint for this example, which is the `token`. If you look closely you will see that the `oauth_endpoints.token` is just a proxy configuration, exactly the same that we used to configure our first endpoint. 57 3. We've defined a `token_strategy`. Here you can choose between `jwt` or `storage`, storage means that Janus will be in charge of storing and managing (expiring, refreshing, etc) the tokens once they are returned from your oauth provider. JWT means that Janus will only check for expiration and secret of the tokens, but it wont store them. 58 This allows Janus to not go on the auth service on every single request to check the validity of the token. 59 60 If you want to check all available configurations for OAuth2 please visit [this](/docs/auth/oauth.md). 61 62 Now lets add this configuration to Janus: 63 64 {% codetabs name="HTTPie", type="bash" -%} 65 http -v POST localhost:8081/oauth/servers "Authorization:Bearer yourToken" "Content-Type: application/json" < auth.json 66 {%- language name="CURL", type="bash" -%} 67 curl -X "POST" localhost:8081/oauth/servers -H "Authorization:Bearer yourToken" -H "Content-Type: application/json" -d @auth.json 68 {%- endcodetabs %} 69 70 ## 2. Add a plugin for your endpoint 71 72 Now that we have an oauth2 available to use, lets add it to our endpoint, just create a file called `auth_plugin.json`: 73 74 ```json 75 { 76 "plugins": [ 77 { 78 "name": "oauth2", 79 "enabled": true, 80 "config": { 81 "server_name": "local" 82 } 83 } 84 ] 85 } 86 ``` 87 88 {% codetabs name="HTTPie", type="bash" -%} 89 http -v PUT localhost:8081/apis/my-endpoint "Authorization:Bearer yourToken" "Content-Type: application/json" < auth_plugin.json 90 {%- language name="CURL", type="bash" -%} 91 curl -X "PUT" localhost:8081/apis/my-endpoint -H "Authorization:Bearer yourToken" -H "Content-Type: application/json" -d @auth_plugin.json 92 {%- endcodetabs %} 93 94 95 ## Testing the endpoint 96 97 If we make a request to our endpoint, it should fail: 98 99 ```bash 100 http -v GET http://localhost:8080/example 101 102 HTTP/1.1 400 Bad Request 103 Content-Length: 30 104 Content-Type: application/json 105 Date: Mon, 03 Jul 2017 10:33:17 GMT 106 107 "authorization field missing" 108 ``` 109 110 Adding an Authorization field with a wrong token, gives us this: 111 112 ```bash 113 http -v GET http://localhost:8080/example "Authorization:Bearer wrongToken" 114 115 HTTP/1.1 401 Unauthorized 116 Content-Length: 30 117 Content-Type: application/json 118 Date: Mon, 03 Jul 2017 10:33:31 GMT 119 120 "access token not authorized" 121 ``` 122 123 So, lets get a valid token: 124 ```bash 125 http -v POST http://localhost:8080/auth/token 126 127 HTTP/1.1 200 OK 128 Content-Length: 188 129 Content-Type: application/json 130 Date: Mon, 03 Jul 2017 10:47:09 GMT 131 Server: Jetty(9.2.z-SNAPSHOT) 132 Vary: Origin 133 134 { 135 "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbnVzIn0.PvBI5yIdPVtR8RVJWWZEEEVv9Bk83Q_rS7vYcKNX1wM", 136 "expires_in": 21600, 137 "token_type": "Bearer" 138 } 139 ``` 140 141 Now if we request with the right token you should be able to go through. 142 143 ```bash 144 http -v GET http://localhost:8080/example "Authorization:Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbnVzIn0.PvBI5yIdPVtR8RVJWWZEEEVv9Bk83Q_rS7vYcKNX1wM" 145 146 HTTP/1.1 200 OK 147 Content-Encoding: gzip 148 Content-Length: 46 149 Content-Type: application/json 150 Date: Mon, 03 Jul 2017 12:44:07 GMT 151 Server: Jetty(9.2.z-SNAPSHOT) 152 Vary: Accept-Encoding, User-Agent 153 154 { 155 "message": "Hello World!" 156 } 157 ``` 158 159 Of course in a real world scenario your auth service would have to check for a client ID and Secret, set an expiration on the token, etc... 160