
Comments (2)

altsang avatar altsang commented on May 25, 2024

EPIC:

  • for planning poker purposes - please assign a point size
  • this needs to be broken down into engineering user stories - please prefix with JWT Plugin:

Background Info

New JWT Policy and Plugin Registration

The plugin will introduce a new auth policy - JWT.

  • plugin is registered under system.config.yml in the plugins: section
  • system wide parameters are specified underneath its entry
    • querystring param that contains the JWT - jwt = default
    • claim used containing the JWT key, iss = default
    • registered claims that can be verified
      • iss- in the case of EG being the provider, the parameter specified above is used to identify the key
      • sub - TBD, should understand the use case for this claim further
      • aud - TBD, however, if sub is used, then aud must also be verified
      • exp - EG can verify this claim
      • nbf - EG can verify this claim
      • jti - an extra layer of security to prevent replay, probably not necessary for 1st iteration of JWT
  • a JWT policy can be declared in the gateway.config.yml in the policies: section which will allow the JWT policy to be used within a pipeline

New Credential Type

The plugin will extend EG credential management by introducing a new credential type known as JWT - (i.e. jwt, just like basic, oauth2 etc)

JWT Credential Type

The new JWT credential type will need to contain the following:

  • keyId - auto generated (please refer to how key-auth works in EG for more info on how keys are generated in pairs - id and secret)
  • verification algorithm: HS256, RS256, or ES256
  • rsa_public key: for RS256/ES256
  • keySecret: auto generated (note: if the algo is HS256/ES256)

Admin API and CLI extensions

  • you need to be able to create a jwt credential type via CLI
  • parameters:
    • which algo to use (see above)
    • RSA public key, supported options below
      • string key itself
      • path to PEM file (used for RS256 / ES256)
      • bonus: openssl extraction of pub key directly from X.509 cert
  • you need to be able to delete a jwt credential

Issues/Blockers

  • JWTs can be multiple and nested, what to do? start simple with single for our own reference implementation
  • 1 JWT type credential per consumer? or is this something more like key-auth?
  • how to type in EG scopes into the JWT payload
  • the token and credential services in EG must be extended via the plugin - this was planned for iteration 2 of the plugin framework development plan

from express-gateway.io.

altsang avatar altsang commented on May 25, 2024

This issue was moved to ExpressGateway/express-gateway#419

from express-gateway.io.
