Wubinator

Reputation: 749

Krakend Community Edition - Generate a JWT token

I'm currently testing krakend community edition (playground) and I need to generate a JWT token, just before sending a request to the backend. The JWT must be added as a Bearer token to the Authorization header.

The program that calls the endpoint must not be aware of the required JWT token.

How can I do this? I've tried it with the extra_config auth/signer and with Lua scripts, but I can't get it to work.

This is my krakend.json endpoint:

    {
      "@comment": "Test all the open zaken based on bsn",
      "endpoint": "/debug/{bsn}/zaken",
      "method": "GET",
      "backend": [
        {
          "url_pattern": "/__debug/zaken/api/v1/zaken",
          "method": "GET",
          "host": ["http://localhost:8080"],
          "extra_config": {
            "auth/signer": {
              "alg": "HS256",
              "signature-key": "<the secret>",
              "disable_jwk_security": false,
              "header": {
                "typ": "JWT",
                "alg": "HS256"
              },
              "payload": {
                "iss": "<the client_id>",
                "iat": "{{time.now}}",
                "client_id": "<the client_id>",
                "user_id": "<user id>",
                "user_representation": "<user representation>"
              }
            },
            "modifier/martian": {
              "fifo.Group": {
                "scope": ["request"],
                "aggregateErrors": true,
                "modifiers": [
                  { "header.Append": { "scope": ["request"], "name": "Accept-Crs", "value": "EPSG:4326" }},
                  { "header.Append": { "scope": ["request"], "name": "Content-Crs", "value": "EPSG:4326" }}
                ]
              }
            }
          }
        }
      ]
    }

The debug logging shows the following:

▶ DEBUG [ENDPOINT: /__debug/*] Method: GET
▶ DEBUG [ENDPOINT: /__debug/*] URL: /__debug/zaken/api/v1/zaken
▶ DEBUG [ENDPOINT: /__debug/*] Params: [{param /zaken/api/v1/zaken}]
▶ DEBUG [ENDPOINT: /__debug/*] Headers: map[Accept-Crs:[EPSG:4326] Accept-Encoding:[gzip] Content-Crs:[EPSG:4326] User-Agent:[KrakenD Version 2.9.1] X-B3-Sampled:[1] X-B3-Spanid:[0ee29d32d672bbc9] X-B3-Traceid:[c9a2c8c6ee8c92fa1bb2137e30772ad1] X-Forwarded-For:[172.18.0.1] X-Forwarded-Host:[localhost:8080]]
▶ DEBUG [ENDPOINT: /__debug/*] Body: 

As you can see there is no Authorization header.

I've also tried it with Lua scripts, but because I can't 'require' the library luajwtjitsi I cannot generate a token that way (easily) either.

Is there a way to generate a token using krakend (community edition)? If the answer is no: is it possible with the enterprise edition?

Upvotes: 0

Views: 50

Answers (1)

jtarrero

Reputation: 1

According to auth/signer documentation:

The JWT signing component creates a wrapper for your existing login endpoint that signs with your secret key the selected fields of the backend payload right before returning the content to the end-user.

The primary usage for this component is in migrations from monolith to microservices, or in ecosystems where there is no Identity/OAuth server yet, as it allows the immediate adoption of signed JSON Web Tokens without the need to implement a new service.

This means that auth/signer by itself is not intended to generate JWT from scratch, but to be configured on top of a backend that returns user information that can be signed into a JWT.

Your config is far from being correct, as it is specifying arguments that auth/signer does not understand at all.

Having said that, there are a couple approaches you may want to consider:

Wrapping a token endpoint

Just following the documentation examples, you can wrap your own login endpoint (if available) to sign the response into a JWT.

By doing that, you'd have a Krakend endpoint that is able to return JWT, but since you're looking for a way to generate a JWT + use it to call a backend in the same request, you should also consider checking the sequential proxy feature: https://www.krakend.io/docs/enterprise/endpoints/sequential-proxy/#content

Using a body generator (enterprise)

If you don't have a legacy login endpoint to wrap around, you can use a Krakend Enterprise modifier to generate a body based on a template. This generator could be configured in an "internal" Krakend endpoint and then wrapped by the auth/signer. Once this is done, it would be a matter of following the same sequential proxy approach described above.

Upvotes: 0
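
The "Wrapping a token endpoint" approach from the answer above, as an added example that is not the asker's, the answerer's or the KrakenD project's own configuration. It uses the auth/signer options alg, kid, keys_to_sign and jwk_url; the /token endpoint, the /login backend, the hosts and the key id are assumed placeholders.

```json
{
  "@comment": "Added example with placeholder hosts, paths and key id. auth/signer sits in the endpoint's extra_config, not the backend's, and takes its claims from the backend response instead of inline header/payload/signature-key settings.",
  "endpoint": "/token",
  "method": "POST",
  "extra_config": {
    "auth/signer": {
      "alg": "HS256",
      "kid": "<key id present in the JWK set>",
      "keys_to_sign": ["access_token"],
      "jwk_url": "https://<your key host>/jwk/symmetric.json"
    }
  },
  "backend": [
    {
      "url_pattern": "/login",
      "method": "POST",
      "host": ["http://<your login service>"]
    }
  ]
}
```

With this layout the assumed login backend has to return the claims as a JSON object under the signed key, for example `{"access_token": {"iss": "<the client_id>", "client_id": "<the client_id>", "user_id": "<user id>"}}`, and the gateway replaces that object with the signed token in the response to the caller. It does not attach the token to an outgoing backend request, which is why the answer pairs it with a sequential proxy.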
