JWT Authentication
Creating Access Token for API Gateway Authentication
By default, the API gateway is configured to require authentication before it passes a request to a backend microservice.
To satisfy that requirement, an API gateway user must be created. Gateway users are created with the proxy subcommand of the secrets-config utility.
JWT authentication
JSON Web Token (JWT) authentication is based on a public/private key-pair: the public key is registered with the API gateway and the private key is kept secret. This method does not require exposing any secret to the API gateway and allows JWTs to be generated offline.
Before using the JWT authentication method, it is necessary to create a public/private key-pair. This example uses ECDSA keys, but RSA keys can be used as well.
openssl ecparam -name prime256v1 -genkey -noout -out ec256.key
openssl ec -in ec256.key -pubout -out ec256.pub
Next, generate and save a unique ID that will be placed in every issued JWT so the gateway can look up the public key to validate it. (Note the backticks, which capture the uuidgen output.)
ID=`uuidgen`
Note: From the v2.2 release, the --jwt option can be omitted in the secrets-config commands.
Register a user for that key:
edgexpert run -v `pwd`:/host:ro --entrypoint /secrets-config proxy-auth -- proxy adduser \
--token-type jwt --id "$ID" --algorithm ES256 --public_key /host/ec256.pub \
--user tester
The new user is placed in the gateway-group by default. Any user account that belongs to the gateway-group has access to all services.
For information on API authorization, refer to Authorization With Access Control List.
Lastly, generate a valid JWT. Any JWT library should work, but secrets-config provides a convenient utility:
edgexpert run -v `pwd`:/host:ro --entrypoint /secrets-config proxy-auth -- proxy jwt \
--id "$ID" --algorithm ES256 --private_key /host/ec256.key
The command outputs a long token of the form
<alphanumeric> '.' <alphanumeric> '.' <alphanumeric>
The access token is used in the Authorization header of the request. To deauthorize or delete the user:
edgexpert run --entrypoint /secrets-config proxy-auth -- proxy deluser \
--user tester