{"id":16393058,"url":"https://github.com/prosellen/kong-api-demo","last_synced_at":"2026-04-24T20:34:16.601Z","repository":{"id":185564859,"uuid":"673736284","full_name":"prosellen/kong-api-demo","owner":"prosellen","description":"Demo of how to use auth0 (OIDC) with JWTs and Kong API Gateway","archived":false,"fork":false,"pushed_at":"2023-08-24T15:10:51.000Z","size":90,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-19T17:50:45.684Z","etag":null,"topics":["api","auth0","jwt","oidc"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/prosellen.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-02T09:58:34.000Z","updated_at":"2023-08-24T15:26:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"7ecff5e1-f76d-4cd1-99b8-841f184a46c8","html_url":"https://github.com/prosellen/kong-api-demo","commit_stats":null,"previous_names":["prosellen/kong-api-demo"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/prosellen/kong-api-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prosellen%2Fkong-api-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prosellen%2Fkong-api-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prosellen%2Fkong-api-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prosellen%2Fkong-api-demo/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/prosellen","download_url":"https://codeload.github.com/prosellen/kong-api-demo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prosellen%2Fkong-api-demo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32239881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","auth0","jwt","oidc"],"created_at":"2024-10-11T04:52:14.660Z","updated_at":"2026-04-24T20:34:16.584Z","avatar_url":"https://github.com/prosellen.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kong API Demo\n\nThis demo shows how to protect an API using [Kong API Gateway](https://docs.konghq.com/gateway/latest/) and [auth0](https://auth0.com/). It requires [Docker](https://www.docker.com/) to run.\n\nIt consists of three components:\n\n- A static frontend written in React\n- A Node.js/Express backend\n- A Kong API Gateway to connect the two\n\nOnce configured, you can start the application using Docker\n\n```bash\ndocker compose up --build\n```\n\nThis will start the three Docker containers. 
You'll be able to connect to these endpoints:\n\n- [http://localhost:3000/](http://localhost:3000/) - The React frontend application\n- [http://localhost:4000/api/](http://localhost:4000/api/) - The Kong API Gateway\n- [http://localhost:8000/api/](http://localhost:8000/api/) - The actual backend behind the Kong API. In a real-world scenario, you would only allow connections from the API Gateway.\n\n### Configuration\n\nYou can use the [Postman Collection](./docs/postman/) to play around with the endpoints.  \nFor example, try [http://localhost:4000/api/](http://localhost:4000/api/) and [http://localhost:4000/api/protected/](http://localhost:4000/api/protected/) to see the difference between protected and unprotected endpoints.\n\nThere are a few steps to configure, but the whole process will take less than 10 minutes start to finish. :)\n\n### auth0 configuration\n\nWe use auth0 simply because they provide a free developer account. Since OAuth 2.0 is standardized, this example can easily be made to work with most other SSO providers like Azure AD.\n\n#### Create an auth0 account\n\nIf you haven't done so already, go to [https://auth0.com/signup](https://auth0.com/signup) to register a free developer account.\n\n1. When asked for \"Account Type\", select \"Other\"\n1. Tick the \"I need advanced settings\" box\n1. When asked for \"Tenant Domain\", pick a new subdomain or use the one generated by auth0. This is your tenant and the domain that the users will be redirected to when they initiate a login.\n1. Select the applicable region (most likely: \"EU\")\n\n#### Create a new application in your auth0 tenant\n\nAfter creating the account and logging in, create a new SPA application:\n\n1. Click \"Applications\" on the left-hand side to open the Applications view\n1. Click \"Applications\" to view all current applications - you should have at least one: the \"Default App\"\n1. Select \"Create Application\"\n1. Give the app a name (e.g., \"Kong Demo App\")\n1. 
Select \"Single Page Web Applications\"\n1. In the application settings, find the \"Domain\" and the \"Client ID\"\n1. Rename the file `src/frontend/.env-template` to `src/frontend/.env` and copy the \"Domain\" and the \"Client ID\" to the respective fields:\n\n   ```bash\n   # src/frontend/.env\n   VITE_REACT_APP_AUTH0_DOMAIN=kong-api-demo.eu.auth0.com\n   VITE_REACT_APP_AUTH0_CLIENT_ID=TvSR...MX4z\n   VITE_REACT_APP_AUTH0_CALLBACK_URL=http://localhost:3000/\n   VITE_REACT_APP_AUTH0_AUDIENCE=http://localhost:4000/\n   VITE_BACKEND_API_ORIGIN=http://localhost:4000/\n   ```\n\n1. In the application settings, scroll down to Application URIs and copy the `VITE_REACT_APP_AUTH0_CALLBACK_URL` from the file above into the \"Allowed Callback URLs\", \"Allowed Logout URLs\", and \"Allowed Web Origins\". By default, this will be http://localhost:3000/, but you can change this in the `docker-compose.yml` file.\n\nThis concludes the steps necessary for authentication (login). Read on to configure authorization (roles).\n\n#### Configure an API in your auth0 tenant\n\n1. Click \"Applications\" on the left-hand side to open the Applications view\n1. Click \"API\" to view all current APIs - you should have at least one: the \"Auth0 Management API\"\n1. Click on \"Create API\"\n1. Give the API a name (e.g., \"Kong Demo API\")\n1. For the \"Identifier\", take the `VITE_REACT_APP_AUTH0_AUDIENCE` from the `src/frontend/.env` created above. The default is http://localhost:4000/. You can pick any value, but you will not be able to change it later.\n1. Click \"Create\" to create the API\n1. In the settings, scroll down to \"RBAC Setting\" and enable \"Enable RBAC\" and \"Add Permissions in the Access token\".\n1. Click on \"Permissions\" and add some permissions\n   1. Under \"Permission\" enter a string like \"read\", \"write\", or \"admin\"\n   1. Under \"Description\" enter a short description of this permission\n\n#### Create Users in your auth0 tenant\n\n1. 
Click \"User Management\" on the left-hand side\n1. Click \"Users\"\n1. Click \"Add users\" and fill out the user information. You can use an \"@example.com\" email or any other email that is NOT the one from your auth0 user.\n1. Give the user a name and a password.\n1. Click \"Create\"\n1. In the \"Details\" of the user, click on \"Permissions\"\n1. Click on \"Assign Permissions\"\n1. Select the API created in the previous step. This will bring up a list of all permissions you have created. Select at least one and click \"Add Permissions\"\n\n### Kong Configuration\n\nKong provides a [JWT plugin](https://docs.konghq.com/hub/kong-inc/jwt/) to handle the verification of JWTs. Once configured, only requests carrying an access token signed by the authentication server are allowed through to a protected route.\n\nThe plugin needs two pieces of information that are not obvious to configure: an `rsa_public_key` (the public key of the \"signing certificate\") and a `key` (the identifier of the \"signing certificate\"). Both are provided by the authentication platform in its [JSON Web Key Set](https://www.rfc-editor.org/rfc/rfc7517#section-5). The location of the JWKS depends on the provider and is usually published as `jwks_uri` in the `.well-known/openid-configuration` endpoint. In our example (auth0), the location is `https://\u003cTENANT_NAME\u003e.\u003cREGION_ID\u003e.auth0.com/.well-known/jwks.json`.\n\n#### Configuration for auth0\n\nauth0 provides access to both the `key` and the `rsa_public_key` in its dashboard under \"Settings\" \u003e \"Signing Keys\". Under \"List of Valid Keys\", find the \"Currently used\" key. The \"Key ID\" is the value we are going to use as `key`. 
Click on the three dots on the right and \"Download Signing Certificate\".\n\n#### Convert the signing certificate\n\nThe signing certificate is most likely an X.509 certificate, from which we first need to extract the public key.\n\n\u003e _Hint_: the following example works on Linux and macOS - Windows users might need to install `openssl` separately.\n\n```bash\n# Extract the public key from the certificate into a new file\nopenssl x509 -pubkey -noout -in \u003cSIGNING_CERTIFICATE\u003e.pem \u003e pubkey.pem\n```\n\nThen, copy the public key to the Kong configuration.\n\n\u003e **Important**: Make sure the key body itself is on one line without any newlines and the indentation is correct. Otherwise, Kong will throw an error.\n\n```yaml\n# src/api_gateway/.docker/kong/declarative/api_gateway.yml\n---\njwt_secrets:\n  - consumer: auth0\n    # not used for RS256; the signature is verified against rsa_public_key\n    secret: this-is-a-dummy-value\n    algorithm: RS256\n    # must match the \"kid\" header of the access tokens issued by auth0\n    key: dqVeGigzuTz-IF0V63ZmB\n    rsa_public_key: |\n      -----BEGIN PUBLIC KEY-----\n      MIIBIj...AQAB\n      -----END PUBLIC KEY-----\n```\n\n## Further reading\n\n- auth0 Quickstarts: https://auth0.com/docs/quickstart/  \n  provide easy-to-follow instructions to set up different authentication scenarios with different frameworks.\n\n### Troubleshooting\n\n#### How to get the `key` and `rsa_public_key` for other platforms\n\n1. Find the \"OpenID Configuration\" for the provider.  \n   For example, Azure publishes these at https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.\n\n1. Find the \"jwks_uri\" in the \"OpenID Configuration\".  \n   In the example above, that is https://login.microsoftonline.com/common/discovery/v2.0/keys.\n\n1. The response will most likely contain more than one key. Look for the entry whose \"kid\" (Key ID) matches the `kid` header of the access tokens issued to your application. Find the corresponding entry under \"x5c\"; its first element is the base64-encoded DER certificate. This string is your \"signing certificate\".\n\n1. 
Either copy the certificate to a file (wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines so that `openssl` reads it as PEM) and use `openssl` as described above, or paste it into a pem-to-jwk converter (e.g., https://irrte.ch/jwt-js-decode/pem2jwk.html) to extract the public key.\n\n1. Use the result as described above.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprosellen%2Fkong-api-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprosellen%2Fkong-api-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprosellen%2Fkong-api-demo/lists"}