OAuth2 JWT Authentication

Introduction

OAuth2 JWT authentication is one of the OAuth 2.0 authentication schemes; it allows clients to authenticate by presenting a JSON Web Token (JWT).

A corresponding page rule action is provided in OpenResty Edge to implement this feature.

This action has the following parameters.

  • Key: Specifies the type of key; one of Discovery, Symmetric Key, Public Key.
    • When Discovery is selected, a discovery URL is required, e.g. https://accounts.google.com/.well-known/openid-configuration. Discovery is a way to obtain the OAuth2 configuration: the client automatically retrieves the information the OAuth2 protocol needs, such as the address of the authorization server, the token endpoint and the token-signing public key, without interacting directly with the authentication server.
    • When Symmetric Key is selected, the symmetric secret key is required.
    • When Public Key is selected, the public key is required.
  • Accept unsupported algorithms: Leave this option off to reject tokens signed with algorithms that are not supported. When it is on, such tokens are accepted even though their signature cannot be verified at all.
  • Token signing algorithm: Specifies one or more accepted token signature algorithms. The values are HS256, HS512, RS256, RS512, ES256, ES512 and none (none denotes an unsigned token).

Example

  • We use a symmetric secret key in this demo, so Symmetric Key is chosen as the key type.
  • The signing algorithm is HS256 (HMAC using SHA-256), a symmetric-key algorithm.

Send a request without authentication information:

$ curl http://test.com/anything -v
...
< HTTP/1.1 403 Forbidden
...

You can see that a 403 status code is returned, indicating that the authentication information is missing or incorrect and access is forbidden.

Then send a request with incorrect authentication information:

$ curl http://test.com/anything -H 'Authorization: Bearer invalid-token' -v
...
< HTTP/1.1 403 Forbidden
...

Again, a 403 status code is returned.

Next, send another request with the correct authentication information.

$ curl http://test.com/anything -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIifQ._FOTfoCTzKHWcBDYf1rfRkg-g6D_Mg8dnccLR_geCH0' -v
...
< HTTP/1.1 404 Not Found
...

404 is returned instead of 403: authentication passed, and the request then reached a resource that does not exist (/anything).
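The following is an added example, not OpenResty Edge code, that models the action's parameters described above (a symmetric key, the Token signing algorithm allow-list and the Accept unsupported algorithms switch) and reproduces the three curl outcomes of the demo. The secret key is a constructed placeholder, since the key behind the page's token is not published; the token from the successful request is included only so its header and payload can be decoded. How OpenResty Edge itself handles an algorithm outside the allow-list when the option is on is read from the parameter description, not from its implementation.

```python
import base64
import hashlib
import hmac
import json

# Added example, not OpenResty Edge code. Models the page rule's settings:
# a symmetric key, the "Token signing algorithm" allow-list and the
# "Accept unsupported algorithms" switch. Only HS256 is implemented here.
ALLOWED_ALGS = {"HS256"}
SECRET = b"constructed-demo-secret"  # constructed; the page's real key is unknown

# The token shown in the page's successful curl request.
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJmb28iOiJiYXIifQ."
              "_FOTfoCTzKHWcBDYf1rfRkg-g6D_Mg8dnccLR_geCH0")


def b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Split header and payload WITHOUT checking the signature (inspection only)."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def sign_hs256(payload, key):
    """Create a compact JWT with HMAC-SHA256; used here to produce test input."""
    head = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"


def verify(token, key=SECRET, allowed=ALLOWED_ALGS, accept_unsupported=False):
    """Return (http_status, payload): 403 on any failure, 200 when the token checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        return 403, None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # malformed base64 or JSON
        return 403, None
    if not isinstance(header, dict):
        return 403, None
    alg = header.get("alg")
    if alg not in allowed:
        # "none" or any algorithm outside the allow-list: with the option off the
        # token is rejected; with it on the token passes unverified, which is why
        # the page says the signature "cannot be verified at all".
        return (200, payload) if accept_unsupported else (403, None)
    if alg != "HS256":
        return 403, None  # other allowed algorithms are not implemented in this example
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return 403, None
    return 200, payload


def handle_request(authorization, **options):
    """Reproduce the page's curl outcomes from the Authorization header alone."""
    if not authorization or not authorization.startswith("Bearer "):
        return 403  # no authentication information
    status, _ = verify(authorization[len("Bearer "):], **options)
    return status


def demo():
    """Status codes for the cases on the page plus the algorithm checks."""
    good = sign_hs256({"foo": "bar"}, SECRET)
    head, _, sig = good.split(".")
    forged_body = b64url_encode(b'{"foo":"baz"}')
    tampered = f"{head}.{forged_body}.{sig}"     # payload changed, old signature kept
    none_head = b64url_encode(b'{"alg":"none"}')
    unsigned = f"{none_head}.{forged_body}."     # alg=none with an empty signature
    return {
        "no_header": handle_request(None),
        "invalid_token": handle_request("Bearer invalid-token"),
        "valid": handle_request("Bearer " + good),
        "tampered": handle_request("Bearer " + tampered),
        "alg_none": handle_request("Bearer " + unsigned),
        "alg_none_option_on": handle_request("Bearer " + unsigned, accept_unsupported=True),
        "page_token_wrong_key": handle_request("Bearer " + PAGE_TOKEN),
    }


if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    for case, status in demo().items():
        print(f"{case:22s} -> {status}")
```

Decoding the page's token shows a header of {"typ":"JWT","alg":"HS256"} and a payload of {"foo":"bar"}; with the placeholder key it is rejected with 403, exactly like the invalid-token request, because the HMAC does not match. The alg_none cases show what the Accept unsupported algorithms switch does in this model: with it off an unsigned token gets 403, with it on the same token is let through without any signature check.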