
Express Gateway Release 1.5.0 with JWT support

You asked - we listened. That’s what open source projects should be all about. In the latest release of Express Gateway 1.5.0, we’ve included support for JSON Web Tokens (JWT). Let’s go!

What is a JSON Web Token?

JSON Web Token (JWT) support was the most requested feature from the Express Gateway community on Feathub.

A JWT is described as “an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.” The information it carries can be verified and trusted because it is digitally signed.

How do JWTs get signed digitally?

JWTs are signed either with a shared secret (using the HMAC algorithm) or with a public/private key pair using RSA, a public-key cryptosystem that is widely used for secure data transmission.

A sneak peek at the JWT policy in Express Gateway

The JWT policy can verify requests containing HS256- or RS256-signed JSON Web Tokens (as specified in RFC 7519).

Important: Each of your Consumers will have JWT credentials (public and secret keys) which must be used to sign their JWTs.

A token can then be passed to the Gateway in the Authorization header, in the request’s URI, or even in the request body. The policy will either proxy the request to your upstream services if the token’s signature is verified, or discard the request if it is not.

Additionally, Express Gateway can verify some of the registered claims defined in RFC 7519 (exp and nbf).

Get Started with the JWT Policy in Express Gateway

To use the JWT policy, consumers must have a jwt credential associated with them. To create consumers (users and apps), use the CLI’s create user or create app command.

Then, to create a jwt credential for a user or app, use the CLI’s create credentials command with type jwt. You can also use the Admin API to do the same thing.

Next, enable the JWT policy by adding jwt to the policies section of gateway.config.yml:

policies:
  - jwt

Quick Example

http:
  port: 8790
serviceEndpoints:
  example: # will be referenced in proxy policy
    url: 'http://example.com'
apiEndpoints:
  api:
    path: '/*'
pipelines:
  example-pipeline:
    apiEndpoints:   # process all requests matching the "api" apiEndpoint
      - api
    policies:
      - jwt:
        - action:
            secretOrPublicKeyFile: '/app/key.pem'
      - proxy:
        - action:
            serviceEndpoint: example # reference to serviceEndpoints Section

Express Gateway supports several ways to locate your JSON Web Token in your request.

Check out more documentation right over here.

D is for Demo

We’ve recorded a special demo to help you get started with the JWT support in Express Gateway. Presented by Vincenzo Chianese, Engineer at LunchBadger and maintainer of Express Gateway.

Check it out!

Moving On

What’s up next? So kind of you to ask! Check out the rest of the project milestones.

We would love your support in making it happen and if you’re interested in becoming a maintainer or contributor, now’s the time!

Hit up Gitter and join the rest of the developer community.

Not quite ready? That’s ok!

More Resources