ct-keycloak-iam
frank_jwt
ct-keycloak-iam | frank_jwt |
---|---|
2 | 315 |
4 | 248 |
- | - |
10.0 | 2.7 |
7 months ago | 10 months ago |
FreeMarker | Rust |
- | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ct-keycloak-iam
-
How to Configure Multitenancy in Keycloak with Spring API Gateway Integration
For this exercise, we will use a custom Keycloak server from https://github.com/czetsuyatech/ct-keycloak-iam. This project downloads a specific version of the Keycloak server and builds customizations such as theme, provider, realm, and more.
frank_jwt
-
JWT Authentication in ASP.NET
The created token can be decoded through JWT.IO.
-
RBAC with API Gateway and Open Policy Agent(OPA)
Next, we create a consumer (a new speaker) with the username jack in Apache APISIX. It sets up the jwt-auth plugin for the consumer with the specified key and secret. This will allow the consumer to authenticate using a JSON Web Token (JWT).
-
Basic question about JWT
Right! So I shouldn't be concerned at jwt.io being able to decode it. Thanks.
What I don't fully understand yet is why or how that JWT is freely decodable. If I paste it into the linter at jwt.io, it shows all its details. Now, clearly this is by design, but I'm just trying to understand why and what the implications of this are.
-
Trying to create a JWT token in VBA but the output is different from the CryptoJS library used for javascript
```vb
Option Explicit
Option Base 0

Sub GenerateJWT()
    ' test against debugger at: https://jwt.io/
    Dim header As String, data As String, secret As String
    Dim encodedHeader As String, encodedData As String
    Dim jwt_signing_string As String
    Dim signature() As Byte, sigText As String

    secret = "your-256-bit-secret"
    header = "{""alg"":""HS256"",""typ"":""JWT""}"
    data = "{""sub"":""1234567890"",""name"":""John Doe"",""iat"":1516239022}"

    encodedHeader = CleanEncoding(EncodeBase64(header))
    encodedData = CleanEncoding(EncodeBase64(data))

    ' Debug.Print encodedHeader ' OK = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    ' Debug.Print encodedData ' OK = eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
    ' sigText should be: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
    Debug.Print

    ' this works
    jwt_signing_string = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
    signature = ComputeHMACSHA256(jwt_signing_string, secret) ' secret not base64 encoded
    sigText = CleanEncoding(BytesEncodeBase64(signature))
    Debug.Print "Works --------------------------"
    Debug.Print jwt_signing_string
    Debug.Print LenB(jwt_signing_string)
    Debug.Print sigText ' OK

    ' this fails
    jwt_signing_string = encodedHeader & "." & encodedData
    signature = ComputeHMACSHA256(jwt_signing_string, secret) ' secret not base64 encoded
    sigText = CleanEncoding(BytesEncodeBase64(signature))
    Debug.Print "Fails --------------------------"
    Debug.Print jwt_signing_string
    Debug.Print LenB(jwt_signing_string)
    Debug.Print sigText

    ' this works
    jwt_signing_string = encodedHeader & "." & encodedData
    jwt_signing_string = Replace(jwt_signing_string, Chr(10), "")
    signature = ComputeHMACSHA256(jwt_signing_string, secret) ' secret not base64 encoded
    sigText = CleanEncoding(BytesEncodeBase64(signature))
    Debug.Print "Works --------------------------"
    Debug.Print jwt_signing_string
    Debug.Print LenB(jwt_signing_string)
    Debug.Print sigText
End Sub

Function ComputeHMACSHA256(ByVal text As String, ByVal key As String) As Byte()
    Dim crypto As Object
    Dim hash() As Byte, bText() As Byte, bKey() As Byte

    ' encode strings
    bText = StrConv(text, vbFromUnicode)
    bKey = StrConv(key, vbFromUnicode)

    ' compute HMACSHA256
    Set crypto = CreateObject("System.Security.Cryptography.HMACSHA256")
    crypto.key = bKey
    hash = crypto.ComputeHash_2(bText)

    ComputeHMACSHA256 = hash
    Set crypto = Nothing
End Function

Function CleanEncoding(ByVal str As String) As String
    Dim cleaned As String
    cleaned = str
    cleaned = Replace(cleaned, "+", "-")
    cleaned = Replace(cleaned, "/", "_")
    cleaned = Replace(cleaned, "=", "")
    CleanEncoding = cleaned
End Function

Function EncodeBase64(ByVal str As String) As String
    Dim arr() As Byte
    arr = StrConv(str, vbFromUnicode)

    Dim objXML As Object
    Set objXML = CreateObject("MSXML2.DOMDocument") ' Microsoft XML, v3.0
    Dim objNode As MSXML2.IXMLDOMElement

    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.nodeTypedValue = arr
    EncodeBase64 = objNode.text

    Set objNode = Nothing
    Set objXML = Nothing
End Function

Private Function BytesEncodeBase64(ByRef arrData() As Byte) As String
    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement

    Set objXML = New MSXML2.DOMDocument

    ' byte array to base64
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.nodeTypedValue = arrData
    BytesEncodeBase64 = objNode.text

    Set objNode = Nothing
    Set objXML = Nothing
End Function
```
-
Now that I've implemented JWT Authentication, Nothing regarding Security Claims is working
Here is a tip: use jwt.io to make sure the claims you want are in your token (and what are the keys)
-
Full-stack authentication system using rust (actix-web) and sveltekit
Though we'll be building a session-based authentication system, it's noteworthy that with the introduction of some concepts which will be discussed in due time, you can turn it into JWT- or, more securely and appropriately, PASETO-based authentication system.
- ŠtantZaVse #2
-
Dynamic routing based on user credentials with API Gateway
By leveraging the existing built-in plugins of Apache APISIX, developers also can create dynamic routing rules that are based on various user credentials such as access tokens, API keys, or user IDs. In this article, we'll explore the benefits of adopting dynamic routing based on authentication attributes with Apache APISIX and show you an example configuration of how to dynamically route client requests to the responsible backend services based on the JWT token's claim.
-
How Authentication and Authorization Work for SPAs
You can copy the access token or ID token value from the response and read the contents using a JWT debugger.
What are some alternatives?
shc-covid19-decoder - Very simple app to decode your Vaccination Proof QR Code (such as the one provided by government of Quebec) - Compatible with SHC (Smart Health Card standard)
Ory Kratos - Next-gen identity server (think Auth0, Okta, Firebase) with Ory-hardened authentication, MFA, FIDO2, TOTP, WebAuthn, profile management, identity schemas, social sign in, registration, account recovery, passwordless. Golang, headless, API-only - without templating or theming headaches. Available as a cloud service.
gotrue - A JWT based API for managing users and issuing JWT tokens
async-storage - An asynchronous, persistent, key-value storage system for React Native.
actix-web - Actix Web is a powerful, pragmatic, and extremely fast web framework for Rust.
supabase - The open source Firebase alternative. Follow to stay updated about our public Beta.
Iron - An Extensible, Concurrent Web Framework for Rust
auth0-java - Java client library for the Auth0 platform
Rocket - A web framework for Rust.
postman-app-support - Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
insomnia - The open-source, cross-platform API client for GraphQL, REST, WebSockets and gRPC.
zap