Skip to main content
Version: Current

Test API

Finally, to conclude, we will test the API Gateway by making a call to the application's API. This means bypassing the user interface.

To do this, we will authenticate using the token previously created.

Authentication will return a JWT ticket which will allow us to access the /get API previously tested via the user interface.

warning

Be aware that JWT tokens are only valid for 15 minutes.

Authenticate

Open a terminal and execute the following command, replacing 0f6f8cf5-c68e-4236-982e-0edc16d2438a with the token you previously created:

curl -D - -X POST http://localhost:8080/api/jwt/v1/auth -H "Content-Type: text/plain" -d "0f6f8cf5-c68e-4236-982e-0edc16d2438a"

You should receive something similar to this:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Referrer-Policy: no-referrer
content-length: 1291

{
  "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI4ZDQzNjM4Ni05ZjI5LTQxNzAtYTgwYS1kYTBiMGFlMmZiYjIiLCJ1c2VybmFtZSI6ImFyY2h3YXkiLCJyb2xlcyI6WyJIVFRQQklOX1RFU1RFUiJdLCJvcmdhbml6YXRpb25JZCI6IjY2M2EzNzE2OGEyNTM2MTM0Zjc1YmU4NiIsIm9yZ2FuaXphdGlvbk5hbWUiOiJNQUlOIiwic3ViIjoiNjYzYTI1YTM4YTI1MzYxMzRmNzViZTQyIiwiaXNzIjoiYXJjaHdheSIsImlhdCI6MTcxNzE4NDMwOCwibmJmIjoxNzE3MTg0MzA4LCJleHAiOjE3MTcxODUyMDh9.Tav4fVDfaWZi5qdMlnH1I14HCV4HGIG-bVgWCAq1RkqWveEhQpYG8goII9mFY6DseyV6h6LZAUu_kbgH0Nf9NO_rL-LyUid7_vrxuDoZUGZrDJ7H5NUocqz5tP9-4bByjK4APFq5jJbLtLDYbJLUrUE5dyc5yyGoCuweYBr-4hUC8GCC6vOck2a_iJ6_DZuJ9kY9oclTT6oJu_3xZgtBs7xeZtOK-FE2cNqS0jND5_S_p1xvO07QC4A5DwNRCkWBDrAjuo1a80BS3zybDh27Nspk-IzAwjoRAgdABH7jPyKYP_8vGLuF2Aiyz4y_rAa_3opikm97XdVRSv2iu-ImyQ",
  "refresh_token":"eyJ0eXAiOiJSRUZSRVNIIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI2NjNhMjVhMzhhMjUzNjEzNGY3NWJlNDIiLCJpc3MiOiJhcmNod2F5IiwiaWF0IjoxNzE3MTg0MzA4LCJuYmYiOjE3MTcxODQzMDgsImV4cCI6MTcxNzIwNTkwOH0.LUpejsaeJhdTo-NXPf7iYWR1SrJpcNICxJJJusRb0RIc-fMPGuU7ipuSUpK8JVvwMlOXbh6wp5shzOAw8op6DnoSu1fmy_lVgTHy8HpfebdJcKuKyknmT7DAENj1cpPZ4trodlH8q2Yn3D5d9gw9CKso84dt0wy9uJv8tcqP025oX6ge-f1bg-kvXnE4T8Y-HF5K7gyWC-q2EkgllPeM7BLap3AANX7ESqh4dW4jUgZLiZXhwqMNft_dyy-mbAPgYxWHA5_XJbZGr2K7ebY7Agi8Ytu8Vlm0WAeaTwRMdgt48QT7S6eUyqWgMOZdYHhCk5beGyl5BPTJC39M9XOi_g"
}

Token JWT

The part that interests us here is access_token.

This is the JWT token that will allow us to access the /get API.

All we have to do is make a call to the /get API.

curl -v -k http://127.0.0.1:8080/get -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI4ZDQzNjM4Ni05ZjI5LTQxNzAtYTgwYS1kYTBiMGFlMmZiYjIiLCJ1c2VybmFtZSI6ImFyY2h3YXkiLCJyb2xlcyI6WyJIVFRQQklOX1RFU1RFUiJdLCJvcmdhbml6YXRpb25JZCI6IjY2M2EzNzE2OGEyNTM2MTM0Zjc1YmU4NiIsIm9yZ2FuaXphdGlvbk5hbWUiOiJNQUlOIiwic3ViIjoiNjYzYTI1YTM4YTI1MzYxMzRmNzViZTQyIiwiaXNzIjoiYXJjaHdheSIsImlhdCI6MTcxNzE4NDMwOCwibmJmIjoxNzE3MTg0MzA4LCJleHAiOjE3MTcxODUyMDh9.Tav4fVDfaWZi5qdMlnH1I14HCV4HGIG-bVgWCAq1RkqWveEhQpYG8goII9mFY6DseyV6h6LZAUu_kbgH0Nf9NO_rL-LyUid7_vrxuDoZUGZrDJ7H5NUocqz5tP9-4bByjK4APFq5jJbLtLDYbJLUrUE5dyc5yyGoCuweYBr-4hUC8GCC6vOck2a_iJ6_DZuJ9kY9oclTT6oJu_3xZgtBs7xeZtOK-FE2cNqS0jND5_S_p1xvO07QC4A5DwNRCkWBDrAjuo1a80BS3zybDh27Nspk-IzAwjoRAgdABH7jPyKYP_8vGLuF2Aiyz4y_rAa_3opikm97XdVRSv2iu-ImyQ'

With the result:

Result
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /get HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.88.1
> Accept: */*
> Authorization: Bearer ...
> 
< HTTP/1.1 200 OK
< date: Fri, 31 May 2024 19:39:59 GMT
< content-type: application/json
< server: gunicorn/19.9.0
< access-control-allow-origin: *
< access-control-allow-credentials: true
< content-length: 1414
< x-http2-stream-id: 3
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 0
< Referrer-Policy: no-referrer
< 
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Accept-Language": "en", 
    "Authorization": "Bearer ...", 
    "Content-Length": "0", 
    "Forwarded": "proto=http;host=\"127.0.0.1:8080\";for=\"127.0.0.1:39042\"", 
    "Host": "httpbin.org", 
    "Organizationid": "663a37168a2536134f75be86", 
    "Organizationname": "MAIN", 
    "Remote-User": "663a25a38a2536134f75be42", 
    "Roles": "[\"HTTPBIN_TESTER\"]", 
    "User-Agent": "curl/7.88.1", 
    "Username": "archway", 
    "X-Amzn-Trace-Id": "Root=1-665a278f-5ced49262d8633411e984471", 
    "X-Forwarded-Host": "127.0.0.1:8080"
  }, 
  "origin": "127.0.0.1, 86.247.228.169", 
  "url": "https://127.0.0.1:8080/get"
}
* Connection #0 to host 127.0.0.1 left intact

If we decode the JWT, we have:

{
  "typ": "JWT",
  "alg": "RS256"
}
{
  "jti": "8d436386-9f29-4170-a80a-da0b0ae2fbb2",
  "username": "archway",
  "roles": ["HTTPBIN_TESTER"],
  "organizationId": "663a37168a2536134f75be86",
  "organizationName": "MAIN",
  "sub": "663a25a38a2536134f75be42",
  "iss": "archway", // Note: here it is the name of the issuing application
  "iat": 1717184308,
  "nbf": 1717184308,
  "exp": 1717185208
}

It is of course signed, to ensure its authenticity.