Enforcer Test Key Authentication¶
Choreo Connect itself provides the ability to generate a JWT as a test key to access the APIs deployed.
Generating a Test JWT¶
You can obtain a test JWT with the default configuration using a request similar to the following.
curl -X POST "https://<hostname>:<port>/testkey" -H "Authorization: Basic <Base64_Encoded(username:password)>" -k
curl -X POST "https://localhost:9095/testkey" -H "Authorization: Basic YWRtaW46YWRtaW4=" -k
Info
Here the basic authentication header is the base64 encoded username and password. For an example, Base64_Encoded(admin:admin)
. This is required because the test key generation service (/testkey) is protected with basic authentication as explained below.
Configuring Choreo Connect for Test JWT Generation¶
To configure test JWT generation, open <CHOREO-CONNECT_HOME>/resources/conf/config.toml
file in a text editor and configure the parameters as described below.
[enforcer.jwtIssuer]
enabled = true
issuer = "https://localhost:9095/testkey" # https://<host>:<port>/testkey
encoding = "base64" # base64,base64url
claimDialect = ""
signingAlgorithm = "SHA256withRSA"
publicCertificatePath = "/home/wso2/security/truststore/mg.pem"
privateKeyPath = "/home/wso2/security/keystore/mg.key"
validityPeriod = 3600 # seconds
[[enorfcer.jwtIssuer.jwtUser]]
username = "admin"
password = "admin"
[[enforcer.jwtIssuer.jwtUser]]
username = "user"
password = "user123"
To allow users to invoke the test key service endpoint with basic authentication, it is required to define the users under enorfcer.jwtIssuer.jwtUser
providing the username and the password of each user as given above.
Warn
In production environments, disable the /testkey
endpoint and remove the issuer "https://localhost:9095/testkey" from the trusted token services list in the config.toml. Set enabled
to false to disable the endpoint.
To accept these test keys generated from the Enforcer as trusted tokens, the following is added to config.toml by default, giving the same issuer
and the publicCertificatePath
parameter values used when configuring enforcer.jwtIssuer
above.
# Issuer 2
[[security.enforcer.tokenService]]
name="MGW"
issuer = "https://localhost:9095/testkey"
certificateAlias = "mgw"
jwksURL = ""
validateSubscription = false
consumerKeyClaim = ""
certificateFilePath = "/home/wso2/security/truststore/mg.pem"
Refer to Configuring an External Key Manager to learn more.
Top