
@sedkis
Last active June 18, 2024 20:30
Custom PS256 JWT Auth Tyk

Summary

A custom Docker image has been prepared that extends the official Tyk Gateway v5.3.0 image and packages the compiled plugin (.so binary).

The image tag is sedkis/tyk-gateway-jwt-custom-auth:v5.3.0-0.1

https://hub.docker.com/repository/docker/sedkis/tyk-gateway-jwt-custom-auth/general

The source of the custom auth plugin can be seen and compiled here.

API Definition

  1. Load the provided OAS API (test-api-2.oas) into Tyk v5.3.0+ using "Import API" -> "Tyk API".
  2. Paste the OAS into the code block and press "Import API".

This API definition contains a hard-coded public key in its "Config Data"; feel free to use it.

The custom plugin has access to config data, which lets you store a different public key per environment.

Testing

Test by sending an API request to the Gateway with a PS256-signed JWT:

$ curl http://localhost:8080/test-api-2/get -H "Authorization: eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODk2IiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.ijr9LodgvjLIGLokktS78AyLZ7JqKfe3Pt0hadDm_UZl78Fq0Z7zvClogpAUk61Q2GS8I1WTdNtyIsNMKLF-rBfILgz9o6tAtdWu4y6RTsblBRnzYQ2YFVoE8zBcxsdm2W0BVY_MQFXodlfH9ECTIbfGrSuBlt-vE32GhVMcqkrPJeuuDkbOz3ZmZ7BLBx5IFFlT8tiePbR8O3uh3K-kT_NruLRKisABAOa9xOPEqU_Nhruz9oVNXTcHieaiJIOJM00Y7QyEP7Q7ubnhnhnIEk0cFi0GDAcxPOnBxYlXHFcOKCyK3FlzzVkKMBf1zWnnT82ijDvBufvgTgyXRSoDtg"

(200 JSON response from httpbin)

Benchmark

Test against Tyk's native JWT auth, using an RS256 key:

hey -z 30s -H "Authorization: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODk3IiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.r9rODDGN2F_U9MKh6YVEeOqkcM30pR4p_Q5DFs6V3yStEHGhooZGuIx8TwOekS89cakhy8cS5TrmS0aUA5lIt-o5hoLY4qXmRC4XZhEFUXn8EcZ7VwMiwI4_XWhVx3f0kgHloUF-45hkBuldsJKUAFbgwwpLQNtlRCShN-s2SpAt7t_Da0q1aaJAbJbQ4sQ7bcHWUb_jSCzN6YCdimYallvo960qL8j2_LULUOp0BSSnvplDE_LNMdZaPmXItTBSbX44Eub_1VoFc8SwdCSTvab5JHSgDgGvbB_uzUNLX5jIMVZVLjMYqB3pzPfS10GPXK-DS7ijXxOy5UolANL8uQ" http://localhost:8080/test-api-basic/get

Summary:
  Total:	31.1408 secs
  Slowest:	2.4861 secs
  Fastest:	0.1033 secs
  Average:	0.2787 secs
  Requests/sec:	174.2410

  Total data:	4371247 bytes
  Size/request:	805 bytes

Response time histogram:
  0.103 [1]	|
  0.342 [4036]	|■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.580 [758]	|■■■■■■■■
  0.818 [314]	|■■■
  1.056 [131]	|■
  1.295 [126]	|■
  1.533 [25]	|
  1.771 [18]	|
  2.010 [12]	|
  2.248 [1]	|
  2.486 [4]	|


Latency distribution:
  10% in 0.1096 secs
  25% in 0.1145 secs
  50% in 0.1403 secs
  75% in 0.3518 secs
  90% in 0.6277 secs
  95% in 0.9054 secs
  99% in 1.3269 secs

Details (average, fastest, slowest):
  DNS+dialup:	0.0001 secs, 0.1033 secs, 2.4861 secs
  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0037 secs
  req write:	0.0000 secs, 0.0000 secs, 0.0023 secs
  resp wait:	0.2786 secs, 0.1033 secs, 2.4859 secs
  resp read:	0.0001 secs, 0.0000 secs, 0.0085 secs

Status code distribution:
  [200]	5415 responses
  [502]	11 responses

Test against the custom RSA-PSS auth plugin in Tyk:

Using a JWT signed with PS256, with verbose logging enabled (image v5.3.0-0.1):

hey -z 30s -H "Authorization: eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODk4IiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.bC2UwmJ_Se_scxE4gtQ99RWUvwnNaQ_UP9bQ3v6ixRb32rrUYnihrYpW8gxJVDn6uIAvPEFseuKcXhi5jKGnmuFSVg1N7sCuMIOc6wFfSldcVX0PpeBoPne4fUZfPTaqCqrNDI6k3SN3O7kqXr9iXzb1HeJMZnR1T5Iq0TfRR4E7XHNpthYri_tjGTzNnbVhru7alJ3pIteC0wTaWAFFeLYY1nMQ-yJETZzyfMBwjaaxx6lA2uJ6b4d08_Mt_rQQrvrkKn1jcA-20ro0WU5QVcKsTELaJY-1hI8JccENjRgyxilQUprZ55SJkB4-r-0tfeqbIQziUi7Yo-hSFtca4Q" http://localhost:8080/test-api-2/get

Summary:
  Total:	31.0966 secs
  Slowest:	2.9826 secs
  Fastest:	0.1051 secs
  Average:	0.2862 secs
  Requests/sec:	170.0508

  Total data:	4455130 bytes
  Size/request:	842 bytes

Response time histogram:
  0.105 [1]	|
  0.393 [4111]	|■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.681 [773]	|■■■■■■■■
  0.968 [180]	|■■
  1.256 [132]	|■
  1.544 [46]	|
  1.832 [22]	|
  2.119 [13]	|
  2.407 [5]	|
  2.695 [1]	|
  2.983 [4]	|


Latency distribution:
  10% in 0.1132 secs
  25% in 0.1204 secs
  50% in 0.1545 secs
  75% in 0.3426 secs
  90% in 0.6114 secs
  95% in 0.8985 secs
  99% in 1.4170 secs

Details (average, fastest, slowest):
  DNS+dialup:	0.0001 secs, 0.1051 secs, 2.9826 secs
  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0052 secs
  req write:	0.0000 secs, 0.0000 secs, 0.0028 secs
  resp wait:	0.2860 secs, 0.1049 secs, 2.9825 secs
  resp read:	0.0001 secs, 0.0000 secs, 0.0050 secs

Status code distribution:
  [200]	5277 responses
  [502]	11 responses

Without logging (image v5.3.0-0.2):

hey -z 30s -H "Authorization: eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODk4IiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.bC2UwmJ_Se_scxE4gtQ99RWUvwnNaQ_UP9bQ3v6ixRb32rrUYnihrYpW8gxJVDn6uIAvPEFseuKcXhi5jKGnmuFSVg1N7sCuMIOc6wFfSldcVX0PpeBoPne4fUZfPTaqCqrNDI6k3SN3O7kqXr9iXzb1HeJMZnR1T5Iq0TfRR4E7XHNpthYri_tjGTzNnbVhru7alJ3pIteC0wTaWAFFeLYY1nMQ-yJETZzyfMBwjaaxx6lA2uJ6b4d08_Mt_rQQrvrkKn1jcA-20ro0WU5QVcKsTELaJY-1hI8JccENjRgyxilQUprZ55SJkB4-r-0tfeqbIQziUi7Yo-hSFtca4Q" http://localhost:8080/test-api-2/get

Summary:
  Total:	31.8832 secs
  Slowest:	3.3770 secs
  Fastest:	0.1043 secs
  Average:	0.2859 secs
  Requests/sec:	166.0434

  Total data:	4460916 bytes
  Size/request:	842 bytes

Response time histogram:
  0.104 [1]	|
  0.432 [4204]	|■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.759 [764]	|■■■■■■■
  1.086 [156]	|■
  1.413 [115]	|■
  1.741 [27]	|
  2.068 [16]	|
  2.395 [6]	|
  2.722 [3]	|
  3.050 [1]	|
  3.377 [1]	|


Latency distribution:
  10% in 0.1112 secs
  25% in 0.1168 secs
  50% in 0.1492 secs
  75% in 0.3648 secs
  90% in 0.6358 secs
  95% in 0.8872 secs
  99% in 1.4350 secs

Details (average, fastest, slowest):
  DNS+dialup:	0.0000 secs, 0.1043 secs, 3.3770 secs
  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0020 secs
  req write:	0.0000 secs, 0.0000 secs, 0.0026 secs
  resp wait:	0.2858 secs, 0.1042 secs, 3.3769 secs
  resp read:	0.0001 secs, 0.0000 secs, 0.0064 secs

Status code distribution:
  [200]	5284 responses
  [502]	10 responses

test-api-2.oas (the API definition imported in the steps above):

{
  "info": {
    "title": "test-api",
    "version": "1.0.0"
  },
  "openapi": "3.0.3",
  "servers": [
    {
      "url": "http://localhost:8080/test-api-2/"
    }
  ],
  "security": [],
  "paths": {},
  "components": {
    "securitySchemes": {}
  },
  "x-tyk-api-gateway": {
    "info": {
      "dbId": "6671e14fc276ed0001da18e1",
      "id": "36e56c92cf2d433f652942f669e4ade1",
      "orgId": "66688355b12bf200018c98eb",
      "name": "test-api-2",
      "state": {
        "active": true,
        "internal": false
      }
    },
    "middleware": {
      "global": {
        "pluginConfig": {
          "data": {
            "enabled": true,
            "value": {
              "env-config-example": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo\n4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u\n+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh\nkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ\n0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg\ncKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc\nmwIDAQAB\n-----END PUBLIC KEY-----"
            }
          },
          "driver": "goplugin"
        }
      }
    },
    "server": {
      "authentication": {
        "enabled": true,
        "custom": {
          "config": {
            "enabled": true,
            "functionName": "JWTValidate",
            "path": "/opt/tyk-gateway/custom_plugins/CustomGoPlugin.so",
            "rawBodyOnly": true
          },
          "enabled": true,
          "header": {
            "enabled": false,
            "name": "Authorization"
          }
        }
      },
      "listenPath": {
        "strip": true,
        "value": "/test-api-2/"
      }
    },
    "upstream": {
      "url": "http://httpbin.org/"
    }
  }
}

test-api-basic (native Tyk JWT auth; the API used for the RS256 baseline benchmark):

{
  "info": {
    "title": "test-api-basic",
    "version": "1.0.0"
  },
  "openapi": "3.0.3",
  "servers": [
    {
      "url": "http://localhost:8080/test-api-basic/"
    }
  ],
  "security": [
    {
      "jwtAuth": []
    }
  ],
  "paths": {},
  "components": {
    "securitySchemes": {
      "jwtAuth": {
        "type": "http",
        "scheme": "bearer",
        "bearerFormat": "JWT"
      }
    }
  },
  "x-tyk-api-gateway": {
    "info": {
      "dbId": "6671e79f4a48fd000127f188",
      "id": "69abbf2e810a406947b8599a27b95b62",
      "orgId": "6671b5202f321a0001ccf357",
      "name": "test-api-basic",
      "state": {
        "active": true,
        "internal": false
      }
    },
    "server": {
      "authentication": {
        "enabled": true,
        "securitySchemes": {
          "jwtAuth": {
            "header": {
              "enabled": true,
              "name": "Authorization"
            },
            "identityBaseField": "sub",
            "policyFieldName": "pol",
            "enabled": true,
            "defaultPolicies": [
              "6671b5202f321a0001ccf35a"
            ],
            "signingMethod": "rsa",
            "source": "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"
          }
        }
      },
      "listenPath": {
        "strip": true,
        "value": "/test-api-basic/"
      }
    },
    "upstream": {
      "url": "http://httpbin.org/"
    }
  }
}