
Service Setup

To get started, create a new folder called service under the React application folder, cd into it and run:

yarn init -y
yarn add express express-jwt jwks-rsa cors express-jwt-aserto dotenv

To the .env file we created previously, add the following (dotenv reads .env from the directory the process is started in, so start the service from the folder that holds the file or pass an explicit path to config()):

JWKS_URI=https://acmecorp.demo.aserto.com/dex/keys
ISSUER=https://acmecorp.demo.aserto.com/dex
AUDIENCE=acmecorp-app

In the service folder, create a file called api.js; this will be our server. Add the following dependencies at the top of the file:

require('dotenv').config()
const express = require('express')
const jwt = require('express-jwt')
const jwksRsa = require('jwks-rsa')
const cors = require('cors')
const app = express()

Next we define the middleware that validates the JWT. Rather than calling the identity provider on every request, checkJwt downloads the provider's public signing keys from the JWKS endpoint (cached and rate limited), selects the key whose kid matches the one in the token header, verifies the RS256 signature locally, and then checks the audience and issuer claims. Express.js passes each request for a protected route through checkJwt; if the Authorization: Bearer header is missing or the token fails any of these checks, express-jwt raises an UnauthorizedError and the request is answered with 401 (Unauthorized) without ever reaching the route handler. Note that express-jwt 7 and later export the middleware as a named export (const { expressjwt: jwt } = require('express-jwt')); the snippet below uses the version 6 style.

// Paste after the dependencies
const checkJwt = jwt({
  // Dynamically provide a signing key based on the kid in the token header and
  // the signing keys published at the JWKS endpoint
  secret: jwksRsa.expressJwtSecret({
    cache: true,              // reuse fetched keys instead of hitting the JWKS endpoint per request
    rateLimit: true,          // cap JWKS fetches so a flood of unknown kids cannot hammer the IdP
    jwksRequestsPerMinute: 5,
    jwksUri: process.env.JWKS_URI,
  }),
  // Validate the audience and the issuer
  audience: process.env.AUDIENCE,
  issuer: process.env.ISSUER,
  // Pin the algorithm so the token's own alg header cannot select a weaker one
  algorithms: ['RS256'],
})

Lastly, we enable CORS and set up a protected route that uses the checkJwt middleware:

// Enable CORS
app.use(cors())

// Protected API endpoint
app.get('/api/protected', checkJwt, function (req, res) {
  // send the response
  res.json({
    secretMessage: 'Here you go, very sensitive information for ya!',
  })
})

// Launch the API Server at localhost:8080
app.listen(8080)

Our service now listens on port 8080 and exposes a protected endpoint. Two things to keep in mind: cors() with no options allows requests from any origin, so restrict it to the React application's origin before deploying; and once checkJwt succeeds, the verified claims are available to the handler as req.user (req.auth in express-jwt 7 and later). In the next section we'll test this endpoint by updating our application to send a JWT.