You can use Traffic Policy to add authentication to your endpoints, granting conditional access to traffic trying to reach your services. This page demonstrates a few example rules that do so.

JWT authentication

This rule validates your consumers’ JWTs and adds key-based rate limiting to your endpoints (the bucket key here is the x-api-key request header). See the Auth0 guide for more information.
on_http_request:
  - name: Add JWT authentication and rate limiting
    actions:
      - type: rate-limit
        config:
          name: Only allow 30 requests per minute
          algorithm: sliding_window
          capacity: 30
          rate: 60s
          bucket_key:
            - req.headers['x-api-key']
      - type: jwt-validation
        config:
          issuer:
            allow_list:
              - value: https://<YOUR-AUTH-PROVIDER>
          audience:
            allow_list:
              - value: <YOUR-NGROK-DOMAIN>
          http:
            tokens:
              - type: jwt
                method: header
                name: Authorization
                # quoted so the trailing space after "Bearer" survives YAML parsing
                prefix: "Bearer "
          jws:
            allowed_algorithms:
              - RS256
            keys:
              sources:
                additional_jkus:
                  - https://<YOUR-AUTH-PROVIDER>/.well-known/jwks.json
See the rate-limit Traffic Policy action docs for more information.
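To make the rate-limit settings above concrete, here is a small Python model of a sliding-window limiter with the same parameters (capacity 30, window 60s, bucket key taken from the x-api-key header). It is an added illustration, not ngrok's implementation; how ngrok itself buckets requests that lack the header is an assumption noted in the code.

```python
"""Model of the policy's rate-limit action: sliding window keyed on a request header.

Added example, not ngrok's code. Parameters mirror the policy above:
capacity 30, rate 60s, bucket_key req.headers['x-api-key'].
"""
from collections import defaultdict, deque

CAPACITY = 30            # capacity: 30
WINDOW_SECONDS = 60.0    # rate: 60s
BUCKET_HEADER = "x-api-key"   # bucket_key: req.headers['x-api-key']


class SlidingWindowLimiter:
    """Exact sliding-window log: a request is allowed only while fewer than
    `capacity` accepted requests from the same bucket fall inside the trailing window."""

    def __init__(self, capacity=CAPACITY, window=WINDOW_SECONDS):
        self.capacity = capacity
        self.window = window
        self._log = defaultdict(deque)   # bucket key -> timestamps of accepted requests

    def bucket_key(self, headers):
        # Header names are case-insensitive. Clients that omit the header all land
        # in one shared bucket in this model (an assumption; not ngrok's documented behaviour).
        lowered = {k.lower(): v for k, v in headers.items()}
        return lowered.get(BUCKET_HEADER, "(missing x-api-key)")

    def allow(self, headers, now):
        """Return True if the request is admitted, False if it should be rate limited."""
        key = self.bucket_key(headers)
        log = self._log[key]
        # Drop timestamps that have aged out of the trailing window.
        while log and now - log[0] >= self.window:
            log.popleft()
        if len(log) >= self.capacity:
            return False                 # the policy would answer with a 429 here
        log.append(now)
        return True


def simulate(limiter, requests):
    """requests: iterable of (timestamp_seconds, headers). Returns one decision per request."""
    return [limiter.allow(headers, ts) for ts, headers in requests]
```

The shared bucket for header-less clients is the practical caveat: a bucket key that anonymous traffic can leave empty means those clients throttle each other, while a client that rotates x-api-key values gets a fresh bucket each time, which is why the JWT validation in the same rule matters.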

Conditional access using OAuth variables

This rule grants conditional access to a page using the following ngrok OAuth action result variables:
  • actions.ngrok.oauth.identity.email.endsWith('@ngrok.com')
    Checks the email address of the authorized user from the provider. In the example, if the email address’s domain is ngrok.com, the user will be granted access to the page.
  • actions.ngrok.oauth.identity.name
    Gets the name of the authorized user from the provider. In this example, the name will be displayed in a welcome message or a rejection message depending on whether the user is authenticated.
on_http_request:
  - name: OAuth
    actions:
      - type: oauth
        config:
          auth_id: oauth
          provider: google
  - name: good email
    expressions:
      - actions.ngrok.oauth.identity.email.endsWith('@ngrok.com')
    actions:
      - type: custom-response
        config:
          body: Welcome ${actions.ngrok.oauth.identity.name}!
          status_code: 200
  - name: bad email
    expressions:
      - "!actions.ngrok.oauth.identity.email.endsWith('@ngrok.com')"
    actions:
      - type: custom-response
        config:
          body: Hey, no auth for you ${actions.ngrok.oauth.identity.name}!
          status_code: 400
See the oauth Traffic Policy action docs for more information.

Sending an OIDC identity token over headers

This rule uses the actions.ngrok.oidc.identity_token OIDC action result variable to forward the OIDC identity token to the upstream service in an id-token request header.
on_http_request:
  - name: OIDC
    actions:
      - type: openid-connect
        config:
          issuer_url: https://accounts.google.com
          client_id: <your-oidc-client-id>
          client_secret: <your-oidc-client-secret>
          scopes:
            - openid
            - profile
            - email
  - name: Headers
    actions:
      - type: add-headers
        config:
          headers:
            id-token: ${actions.ngrok.oidc.identity_token}
See the openid-connect Traffic Policy action docs for more information.