HAProxy Enterprise Documentation 2.5r1

Getting a Token

The proxy that will be accessing the web service needs a key pair to get the token required for access. For this, you need to subscribe to an authentication service. In our example, we use the Auth0 service because it's easy to set up.

To get a key and token using Auth0, follow these steps:

  1. Create an account with Auth0.

  2. Log in and go to Applications > APIs to create your API. This represents the API for which you'll require a token. When creating your API, note that the Identifier field becomes the audience of the token (the aud claim; more on that later) and is typically a URL such as https://api.mywebsite.com. The Signing Algorithm can be RS256 or HS256: the former uses an X.509 key pair (the private key signs, the public key verifies), while the latter uses a shared secret known to both the issuer and the verifier. HAProxy Enterprise supports both.

  3. In Auth0, go to Applications > Applications to create a Machine to Machine Application that will call your API. When creating the application, you choose which APIs it should have access to and which permissions it gets.

  4. Go to Applications > Applications > Your App > Settings > Advanced Settings > Certificates and download the public key for the application, delivered as a PEM-encoded X.509 certificate. You'll reference this key when configuring HAProxy Enterprise. Extract the bare public key from the downloaded certificate with this command (it reads the certificate and writes only its public key to pubkey.pem):

$ openssl x509 -pubkey -noout -in ./myaccount.pem > pubkey.pem

You can then follow the Quick Start on the application's dashboard to see how to make a call to get an access token.

For example, use cURL to request an access token with the client credentials grant (the client_id and client_secret come from your application's settings, and the audience is the API Identifier from step 2):

$ curl --request POST \
        --url https://myaccount.auth0.com/oauth/token \
        --header 'content-type: application/json' \
        --data '{"client_id":"abcd12345….","client_secret":"ABCD12345…","audience":"https://api.mywebsite.com","grant_type":"client_credentials"}'

{
  "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...",
  "scope":"read:myapp write:myapp",
  "expires_in":86400,
  "token_type":"Bearer"
}

This request returned an access token inside a JSON response. The expires_in field is given in seconds, so 86400 means the token expires after 24 hours.

To see what's inside the token, you can paste it into the debugger at jwt.io, which decodes the three parts:

{
  "alg": "RS256",
  "typ": "JWT"
}
{
  "iss": "https://myaccount.auth0.com/",
  "aud": "https://api.mywebsite.com",
  "exp": 1662753594,
  "scope": "read write",
  "gty": "client-credentials"
}
{
  // RSASHA256 signature
}

The token contains three parts:

  • a header

  • a payload

  • a cryptographic signature

The header indicates which algorithm was used to sign the token. The payload contains the name of the issuer (iss), the intended audience (aud), the expiration time (exp, a Unix timestamp), and any permissions (also known as scopes, in the scope claim). The signature covers the header and payload, which is how the proxy can confirm that the token was issued by the expected authority and has not been altered.
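
As an added, self-contained example (not code from the HAProxy Enterprise documentation or from Auth0), the following Python script shows what a verifying proxy does with those three parts. It builds a token carrying the same claims as the payload above, signed with the HS256 shared-secret variant so that only the standard library is needed, then splits the token, decodes the header and payload, checks the signature against a pinned algorithm, and validates iss, aud and exp before a scope is consulted. The shared secret and the "now" timestamps are constructed for the example; the issuer and audience are the ones used on this page. For an RS256 token the same claim checks apply, but the signature would be verified against the pubkey.pem extracted in step 4 with a library such as PyJWT instead of an HMAC.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared secret for the HS256 variant (an RS256 verifier would load pubkey.pem instead).
SHARED_SECRET = b"example-shared-secret-not-for-production"
# Issuer and audience match the token shown on this page.
EXPECTED_ISSUER = "https://myaccount.auth0.com/"
EXPECTED_AUDIENCE = "https://api.mywebsite.com"


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWT (header.payload.signature) with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) without checking the signature, as jwt.io's decoder does."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Verify signature and claims; raise ValueError on any failure, return the payload on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the token's own header must never choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature does not verify")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def has_scope(payload: dict, scope: str) -> bool:
    # Scopes are a space-separated list, as in the Auth0 response above.
    return scope in payload.get("scope", "").split()


if __name__ == "__main__":
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "exp": 1662753594, "scope": "read write", "gty": "client-credentials"}
    token = sign_hs256(claims, SHARED_SECRET)
    print("header, payload:", decode_unverified(token))
    # 'now' is a constructed instant just before the exp claim, so the token is still valid.
    ok = verify_hs256(token, SHARED_SECRET, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=1662753000)
    print("verified; may write:", has_scope(ok, "write"))
    try:
        verify_hs256(token, b"wrong-secret", EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=1662753000)
    except ValueError as err:
        print("rejected:", err)
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim in the payload is trusted, and only a token that passes iss, aud and exp is asked about its scopes. This mirrors what a proxy must do before forwarding a request to the API behind it.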


Next up

Configuring a Proxy for OAuth Authorization