# jwtchat

A set of three binaries used to demonstrate the OpenZiti GoLang SDK using external JWT signers to authenticate.

## Binaries

### jwtchat-idp

Stands up an OIDC compliant OpenId Provider (OP) that allows all OIDC flows. This example uses Client Credentials.

It is run without any arguments and hosts the OIDC API on `localhost:9998`.

### jwtchat-client

Attempts to contact a controller listening on `localhost:1280` and an OIDC compliant provider on `localhost:9998`.

It is run without any arguments and does not open any ports. It attempts to connect to (dial) a service named `jwtchat`.

It will attempt to authenticate with the OIDC provider as:

- username: `cid1`
- password: `cid1secreat`

### jwtchat-server

Attempts to contact a controller listening on `localhost:1280` and an OIDC compliant provider on `localhost:9998`.

It is run without any arguments and does not open any ports. It attempts to host (bind) a service named `jwtchat`.

It will attempt to authenticate with the OIDC provider as:

- username: `cid2`
- password: `cid2secreat`
## Setup

Note: For PowerShell ensure you escape pound (#) symbols with a grave tick (`).

- Stand up an OpenZiti network
- Add an External JWT Signer with a JWKS endpoint
  - `ziti edge create ext-jwt-signer jwtchat-idp "http://localhost:9998" -a openziti -u "http://localhost:9998/keys"`
- Save the resulting `ext-jwt-signer` id
- Create an authentication policy that allows the new `ext-jwt-signer` to authenticate identities
  - `ziti edge create auth-policy jwtchat --primary-ext-jwt-allowed --primary-ext-jwt-allowed-signers <extjwtIdFromStep2>`
- Save the resulting `auth-policy` id
- Create two identities (client, server)
  - `ziti edge create identity service cid1 --external-id cid1 -a jwtchat -P <authPolicyIdFromStep3>`
  - `ziti edge create identity service cid2 --external-id cid2 -a jwtchat -P <authPolicyIdFromStep3>`
- Create at least one Edge Router
  - `ziti edge create edge-router myRouter <myRouter.yml> -o myRouter.jwt`
  - `ziti router enroll <myRouter.yml> -j myRouter.jwt`
- Create a service named `jwtchat` with attribute `jwtchat`
  - `ziti edge create service jwtchat -a jwtchat`
- Create an Edge Router Policy that gives the new identities access to your Edge Routers
  - `ziti edge create edge-router-policy jwtchat --identity-roles #jwtchat --edge-router-roles #all`
- Create a Service Edge Router Policy that allows `jwtchat` service usage on your Edge Routers
  - `ziti edge create service-edge-router-policy jwtchat --service-roles #jwtchat --edge-router-roles #all`
- Create a Service Policy that allows your identities access to the `jwtchat` service
  - `ziti edge create service-policy jwtchatDial Dial --service-roles #jwtchat --identity-roles #jwtchat`
  - `ziti edge create service-policy jwtchatBind Bind --service-roles #jwtchat --identity-roles #jwtchat`
- Start the `jwtchat-idp` process
- Start the `jwtchat-server` process
- Start the `jwtchat-client` process
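The `ext-jwt-signer` created above tells the controller where to fetch the IdP's public keys (`-u`, the JWKS URL) and which audience (`-a openziti`) a token must carry, and each identity's `--external-id` is the value the token's `sub` claim is matched against once `jwtchat-client` or `jwtchat-server` presents its bearer token. The following Go program is added here as an illustration of those checks; it is not code from the jwtchat binaries, the OpenZiti SDK or the controller, which is not shown. It plays both sides with only the standard library: it publishes a JWKS document and mints an RS256 token the way an IdP such as `jwtchat-idp` would, then verifies the token against that JWKS, audience and expiry and returns the `sub` to map to an external ID. Everything in it is constructed: the signing key, the key id `idp-key-1`, the fixed timestamps, and the simplification that `aud` is a single string rather than an array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding // JWT segments and JWK parameters are base64url without padding

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	b, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// jwksFor publishes the public half of key as an RFC 7517 JWKS document, as an IdP /keys endpoint would.
func jwksFor(key *rsa.PrivateKey, kid string) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid, "alg": "RS256",
		"n":   enc.EncodeToString(key.N.Bytes()),
		"e":   enc.EncodeToString(big.NewInt(int64(key.E)).Bytes()),
	}}})
	return out
}

// mintToken plays the IdP: it signs {sub, aud, exp} with RS256 under key id kid.
func mintToken(key *rsa.PrivateKey, kid, sub, aud string, exp int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"sub": sub, "aud": aud, "exp": exp})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyToken applies the checks an ext-jwt-signer configuration implies: the header kid must resolve
// in the JWKS, the RS256 signature must verify, aud must equal the configured audience and exp must be
// in the future. It returns sub, the value matched against an identity's external ID.
func verifyToken(token string, jwksDoc []byte, wantAud string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil {
		return "", errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // the token must never choose the algorithm ("none", HS256 key confusion)
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var keys struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksDoc, &keys); err != nil {
		return "", err
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid != hdr.Kid || k.Kty != "RSA" || errN != nil || errE != nil {
			continue
		}
		pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	if pub == nil {
		return "", fmt.Errorf("no usable JWKS key for kid %q", hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature invalid")
	}
	var c struct{ Sub, Aud string; Exp int64 }
	if err := decodeSegment(parts[1], &c); err != nil {
		return "", err
	}
	if c.Aud != wantAud || now >= c.Exp {
		return "", fmt.Errorf("claims rejected: aud=%q (want %q), exp=%d (now %d)", c.Aud, wantAud, c.Exp, now)
	}
	return c.Sub, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the IdP's signing key
	doc := jwksFor(key, "idp-key-1")
	tok, _ := mintToken(key, "idp-key-1", "cid1", "openziti", 4102444800) // exp: 2100-01-01
	sub, err := verifyToken(tok, doc, "openziti", 1700000000)
	fmt.Println("external id:", sub, "err:", err)
}
```

Run with `go run .`; the verifier returns `cid1`, which is exactly the `--external-id` given to the first identity in Setup. Feeding the same token a different audience, a JWKS under a rotated key id, a JWKS for another key, or a timestamp past `exp` makes it fail, which is the behaviour to expect from the controller when the `-a` or `-u` values of the signer do not line up with what `jwtchat-idp` issues.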