# Kong Upstream JWT

services:
- name: MY_REST_API
  tags: [ _NS_ ]
  plugins:
    - enabled: true
      name: kong-upstream-jwt
      tags: [ _NS_ ]
      config:
        header: GW-JWT
        include_credential_type: false

config:
  header: Authorization
  include_credential_type: true

const express = require("express");
const app = express();
const port = 3300;

const { auth } = require("express-oauth2-jwt-bearer");
app.use(auth());

app.get("/", (req, res) => {
  res.send("Hello World!");
});

app.listen(port, () => {
  console.log(`Listening on port ${port}`);
});

ISSUER_BASE_URL=https://aps-jwks-upstream-jwt-api-gov-bc-ca.test.api.gov.bc.ca \
AUDIENCE=<SERVICE-NAME> \
node server.js

config:
  header: gw-jwt
  include_credential_type: false

import os
import jwt
from jwt import PyJWKClient
from fastapi import FastAPI, Request, Depends, HTTPException

app = FastAPI()

def gateway_auth(request: Request) -> dict:
    try:
        encoded_token = request.headers['gw-jwt']
        jwks_client = PyJWKClient(os.environ.get('JWKS_URI'))
        signing_key = jwks_client.get_signing_key_from_jwt(encoded_token)
        return jwt.decode(encoded_token, signing_key.key,
          algorithms=["RS256"],
          audience=os.environ.get('AUDIENCE').split(","))
    except Exception as ex:
        raise HTTPException(
          status_code=401,
          detail=str(ex),
          headers={"WWW-Authenticate": "X-Gateway"})

@app.get("/")
def read_root( gateway: dict = Depends(gateway_auth)):
    return {"Hello": "World"}

JWKS_URI=https://aps-jwks-upstream-jwt-api-gov-bc-ca.test.api.gov.bc.ca/certs \
AUDIENCE=<SERVICE-NAME> \
uvicorn server:app --reload