Authentication and authorization

The Serverless Gateway is built on Kong, which you can configure as you would any other Kong instance (see kong.md).

A list of Kong authentication plugins can be found in the Kong Hub, and includes basic auth, JWT, mTLS, and OAuth.

We provide extra CLI support for configuring JWT authorization on your routes, as discussed below.

JWT

Create a route

To set up JWT on your routes, we use the Kong JWT plugin. We can use the CLI to create a route with JWT and a relative URL /app:

scwgw route add /app https://www.scaleway.com --jwt

Calling it is unauthorized without a token:

ENDPOINT=https://$(scwgw infra endpoint)
curl ${ENDPOINT}/app

gives output:

{"message":"Unauthorized"}

Create a consumer with credentials

Access to JWT-protected routes is associated to a Consumer, which represents a user or application. This consumer holds the public and private keys used to generate and sign tokens.

We can add a consumer called my-app with:

scwgw consumer add my-app

Then we can generate JWT credentials for this consumer with:

scwgw jwt add my-app

Which gives an output like:

ALGORITHM     SECRET                                 ISS
HS256         o2eQQg2xF5FITEz17VatRlqrZzQMpMZg       YyXIAIlmFf1Fa4sLg2wJGBwH5ESsovBy

With the secret generated in this request, users can sign requests to access the API.

NOTE that you must provide the ISS value in an iss field in all encoded tokens.

You can get all JWT credentials for a given consumer with:

scwgw jwt ls my-app

Signing a request

Using credentials to sign requests is the responsibility of the client making the request. However, we can demonstrate an example here using PyJWT.

Taking the secret generated above, we can create an encoded request as follows:

import jwt

# "Secret" value for the credentials
SECRET = "o2eQQg2xF5FITEz17VatRlqrZzQMpMZg"

encoded = jwt.encode(
  {
    "some": "payload",
    "iss": "YyXIAIlmFf1Fa4sLg2wJGBwH5ESsovBy" # ISS value for the credentials
  },
  SECRET,
  algorithm="HS256"
)

print(encoded)

This prints an encoded JWT, which looks something like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCIsImlzcyI6Ill5WElBSWxtRmYxRmE0c0xnMndKR0J3SDVFU3NvdkJ5In0.lkxltveJ2ZQjrdQ7D41UWknNgKCAEfeaqO-8K3z2jHk

This can then be passed as a header to our endpoint:

curl ${ENDPOINT}/app \
    -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCIsImlzcyI6Ill5WElBSWxtRmYxRmE0c0xnMndKR0J3SDVFU3NvdkJ5In0.lkxltveJ2ZQjrdQ7D41UWknNgKCAEfeaqO-8K3z2jHk'

and we see that our request goes through to the upstream.