Configuring JWT Validation in Orbital

In the fast-paced world of API-driven development, securing communication between services using authentication and authorization mechanisms such as JSON Web Tokens (JWTs) is crucial. Developers often employ mocking tools to emulate API responses and behaviours, streamlining the development and testing process.

Many API testing and mocking tools excel at generating fake tokens for testing against live APIs with OAuth authorization already in place. However, developers often face challenges when building API consumers while the secured API endpoint is not yet ready. This gap in the market leaves developers searching for solutions that can accurately simulate secured API endpoints during development. A powerful mocking tool called Orbital, by Foci Solutions (https://orbitalmock.app/), steps in to address this need, providing a comprehensive mocking solution that allows developers to test API consumers effectively even when the secured API endpoints are still under development.

By validating JWTs, Orbital empowers developers to replicate real-world API situations, ensuring their applications manage authentication and authorization effectively, ultimately leading to more secure and reliable applications.

To set up JWT validation in Orbital, we’ll guide you through a simple three-step process using the Orbital Designer. This process will enable you to secure your mock APIs effectively, allowing you to simulate real-world scenarios with ease.

1. Configure the mock to use Token Validation: In the Orbital Designer, enable Token Validation when creating a new mock or editing an existing mock. This will allow your mock to perform JWT validation for incoming requests.

Adding a new Orbital Mock & Enabling Token Validation

2. Configure the individual endpoints to use JWT validation: Next, navigate to each endpoint you wish to secure with JWT validation. From the ‘Validation Type’ drop-down list, select ‘JWT Validation’. This will ensure that each specified endpoint validates the JWT before processing the request.

Configuring JWT Validation

3. Optionally, configure the endpoints to check JWT content: If you want to validate the content of a JWT in your mock API endpoints, you can configure specific token details to be checked. From the ‘Validation Type’ drop-down list, select ‘JWT Validation and Contents’. On the endpoint Request tab, specify the properties you want to check and their expected values. This allows the endpoint not only to validate the token but also to ensure that it contains the expected information.

Configuring JWT Content Validation

In addition to configuring JWT validation in the Orbital Designer, you will also need to provide the OpenID discovery endpoint when starting the Orbital mock server. This endpoint allows Orbital to fetch the public keys required for validating a JWT in incoming requests.

To configure Orbital to use the discovery endpoint, follow these steps:

  1. Determine the discovery endpoint: Locate the discovery endpoint for your identity provider. This endpoint usually follows the pattern `https://[your_identity_provider]/.well-known/openid-configuration`. You can find the endpoint in your identity provider’s documentation or by contacting their support.
  2. Run the Orbital mock server Docker command with the environment variable set: When starting the Orbital mock server using the focisolutions/orbitalmock:latest image, pass the discovery endpoint as the value for the ORBITAL_PUB_KEYS__JWKS_ENDPOINT environment variable.
Docker command to start Orbital with the JWKS endpoint defined
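The checks described in step 3 and in the discovery-endpoint setup above, as an added illustration that is not Orbital's own code: the token is parsed, the signing key is selected by `kid` from a JWKS document of the kind the discovery flow fetches, signature and expiry are verified, and each configured claim is compared with its expected value. Assumptions: HS256 with a symmetric `oct` JWK so the block runs on the Python standard library alone (a real discovery endpoint publishes asymmetric public keys), and the key, JWKS and claim values are constructed for the sample.

```python
import base64, hashlib, hmac, json

def b64url_decode(data: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def select_key(jwks: dict, kid: str) -> bytes:
    # Pick the key whose 'kid' matches the token header, as a verifier does with a fetched JWKS
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("kty") == "oct":
            return b64url_decode(jwk["k"])
    raise ValueError(f"no usable key with kid={kid!r} in JWKS")

def validate(token: str, jwks: dict, expected: dict, now: int) -> dict:
    # Verify signature and expiry, then check each expected claim; ValueError on any failure
    h, p, s = token.split(".")  # unpacking fails unless there are exactly three segments
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token header must never choose it (rejects 'none' and key-confusion)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = select_key(jwks, header.get("kid"))
    wanted = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(wanted, b64url_decode(s)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    # Content check in the spirit of 'JWT Validation and Contents': every configured claim must match
    for claim, value in expected.items():
        if payload.get(claim) != value:
            raise ValueError(f"claim {claim!r}: got {payload.get(claim)!r}, expected {value!r}")
    return payload

def mint(payload: dict, key: bytes, kid: str) -> str:
    # Constructed helper so the sample runs offline; real tokens come from the identity provider
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed sample JWKS (standing in for what the discovery flow fetches) and expected claims
SAMPLE_KEY = b"constructed-demo-secret-not-for-production"
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "k": b64url_encode(SAMPLE_KEY)}]}
EXPECTED_CLAIMS = {"iss": "https://idp.example.test", "aud": "orders-api", "scope": "orders.read"}
```

Pinning `alg` to the one value the mock expects is the check that matters most: a verifier that honours whatever algorithm the header names can be talked into accepting an unsigned token.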

By following these steps and providing the appropriate configuration, you’ll be able to effectively set up JWT validation in your Orbital mock APIs, allowing you to create a more realistic testing environment for your applications.