Express Gateway Release 1.5.0 with JWT support
You asked - we listened. That’s what open source projects should be all about. In the latest release of Express Gateway 1.5.0, we’ve included support for JSON Web Tokens (JWT). Let’s go!
What is a JSON Web Token?
JSON Web Token (JWT) support was the most requested feature from the Express Gateway community on Feathub.
A JWT is described as “an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.” This information can be verified and trusted because it is digitally signed.
How do JWTs get signed digitally?
JWTs are signed either with a shared secret (using the HMAC algorithm) or with a public/private key pair using RSA, a public-key cryptosystem that is widely used for secure data transmission.
A sneak peek at the JWT policy in Express Gateway
The JWT policy can verify requests containing HS256 or RS256 signed JSON Web Tokens (as specified in RFC 7519).
Important: Each of your Consumers will have JWT credentials (public and secret keys) which must be used to sign their JWTs.
A token can then be passed in the Authorization header, in the request’s URI, or even in the body. The policy will either proxy the request to your upstream services if the token’s signature is verified, or discard the request if not.
Additionally, Express Gateway can also verify some of the registered claims of RFC 7519 (exp and nbf).
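What verifying an HS256 token and its exp and nbf claims involves, as an added example that is not Express Gateway's own code. It uses only Node's built-in crypto module; the function names signHS256 and verifyHS256 and the reason strings are assumptions made for illustration.

```javascript
// Added example (not Express Gateway code): HS256 sign/verify with exp and nbf checks.
const crypto = require('crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Decode one base64url JSON segment; null means it could not be parsed.
const decode = (segment) => {
  try { return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8')); }
  catch { return null; }
};

// What a consumer does with its secret: sign header.payload with HMAC-SHA256.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// What a verifier does: check the signature first, then the time claims.
// `now` is in seconds since the epoch, like exp and nbf.
function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;

  // Pin the algorithm on the verifier side; never let the token choose it.
  const header = decode(head);
  if (!header || header.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };

  // Recompute the MAC and compare in constant time.
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Only now is the payload trusted enough to read its claims.
  const payload = decode(body);
  if (payload === null || typeof payload !== 'object') return { ok: false, reason: 'malformed' };
  if (typeof payload.exp === 'number' && now >= payload.exp) return { ok: false, reason: 'expired' };
  if (typeof payload.nbf === 'number' && now < payload.nbf) return { ok: false, reason: 'not-yet-valid' };
  return { ok: true, payload };
}
```
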
Get Started with the JWT Policy in Express Gateway
In order to use the JWT policy, consumers must have a jwt credential associated with them. To create consumers (users and apps), use the CLI and the create user or create app command.
Then, to create a jwt credential for a user or app, use the CLI and the create credentials command with type jwt. You can also use the Admin API to do the same thing.
Next, enable the JWT policy: add jwt to the policies section of gateway.config.yml.
policies:
  - jwt
Quick Example
http:
  port: 8790
serviceEndpoints:
  example: # will be referenced in proxy policy
    url: 'http://example.com'
apiEndpoints:
  api:
    path: '/*'
pipelines:
  example-pipeline:
    apiEndpoints: # process all request matching "api" apiEndpoint
      - api
    policies:
      - jwt:
          - action:
              secretOrPublicKeyFile: '/app/key.pem'
      - proxy:
          - action:
              serviceEndpoint: example # reference to serviceEndpoints Section
Express Gateway supports several ways to locate your JSON Web Token in your request.
Check out more documentation right over here.
D is for Demo
We’ve recorded a special demo to help you get started with the JWT support in Express Gateway. Presented by Vincenzo Chianese, Engineer at LunchBadger and maintainer of Express Gateway.
Moving On
What’s up next? So kind of you to ask! Check out the rest of the project milestones.
We would love your support in making it happen and if you’re interested in becoming a maintainer or contributor, now’s the time!
Hit up Gitter and join the rest of the developer community.
Not quite ready? That’s ok!
- Upvote features on Feathub. We roll up the most popular or interesting features (Docker images), which then make it over to the Express Gateway roadmap.
- Join the Express Gateway Newsletter update list
- Follow along on Twitter
More Resources
- Join the community on our Gitter channel
- Learn more about upcoming features and releases by checking out the Express Gateway Roadmap