I'm looking at Kong to replace my current hand-rolled NodeJS API gateway. Currently I have a user service that handles authentication (written in Django) by providing a JWT back upon login, which the client then passes in through a header. My current API gateway then intercepts any calls, does a validation call back to the user service, and replaces the JWT Header with <code>X-User-Id</code> and <code>X-User-Email</code>. As far as I can tell, Kong can do roughly the same thing. I'm trying to figure out the flow of how this should work in a perfect world. I still have the opportunity to replace much of the infrastructure, so rewriting some services is not completely out of the question. So, in my mind, what would happen is the following: <ol> <li>User registers on my site. I then create a new consumer with their username/id on Kong</li> <li>User logs in. This is where I get stuck. Do I log in (or in this case, simply authenticate the user as being said user), ask Kong for the JWT for this consumer, and return that? What if I wanted some more data in the payload of the JWT? What happens on Kong's side when the JWT expires?</li> <li>When the user requests a service, Kong will the sniff out the JWT from the headers, replace it with <code>X-Consumer-*</code> - is that correct? </li> </ol> Please do correct me if my thinking is wrong, or if there is a better way to achieve this. I'm fairly new to the whole microservices thing.

I'm working on a similar setup and these are my finding/ conclusions at the moment: User sign up has to be the way you describe. Upon login I do believe there are two possible ways to solve this: <ol> <li>Store the consumer_id in your user database, </li> <li>Store the jwt key and secret in your user database.</li> </ol> In scenario 1 you'll have to get the jwt key and secret from kong and generate a jwt token and use this token to do requests to your kong services. Scenario 2 is pretty much identical to scenario 1 except you don't have to do any requests to kong in order to generate a jwt token. You can add additional payload parameters to the jwt token but these are not passed down to your upstream services. It does however seem like this plugin solves this issue (I have not tested this yet): https://github.com/wshirey/kong-plugin-jwt-claims-headers Kong passes on the custom_id and username from the jwt consumer to the upstream service upon authorization, like this: <pre class="prettyprint"><code>x-consumer-custom-id: [245] x-consumer-username: ['my-test-user'] x-consumer-id: ['1e9e25dd-396f-4195-94fc-f2a8bd8447a2'] </code></pre> It also passes on the entire authorization header

Authentication with Kong

Tags:

authentication

django

restful-authentication

microservices

kong

I'm looking at Kong to replace my current hand-rolled NodeJS API gateway. Currently I have a user service that handles authentication (written in Django) by providing a JWT back upon login, which the client then passes in through a header. My current API gateway then intercepts any calls, does a validation call back to the user service, and replaces the JWT Header with X-User-Id and X-User-Email.

As far as I can tell, Kong can do roughly the same thing. I'm trying to figure out the flow of how this should work in a perfect world. I still have the opportunity to replace much of the infrastructure, so rewriting some services is not completely out of the question.

So, in my mind, what would happen is the following:

User registers on my site. I then create a new consumer with their username/id on Kong
User logs in. This is where I get stuck. Do I log in (or in this case, simply authenticate the user as being said user), ask Kong for the JWT for this consumer, and return that? What if I wanted some more data in the payload of the JWT? What happens on Kong's side when the JWT expires?
When the user requests a service, Kong will the sniff out the JWT from the headers, replace it with X-Consumer-* - is that correct?

Please do correct me if my thinking is wrong, or if there is a better way to achieve this. I'm fairly new to the whole microservices thing.

366

asked Apr 11 '17 15:04

iLikeBreakfast

1 Answers

I'm working on a similar setup and these are my finding/ conclusions at the moment:

User sign up has to be the way you describe.

Upon login I do believe there are two possible ways to solve this:

Store the consumer_id in your user database,
Store the jwt key and secret in your user database.

In scenario 1 you'll have to get the jwt key and secret from kong and generate a jwt token and use this token to do requests to your kong services.

Scenario 2 is pretty much identical to scenario 1 except you don't have to do any requests to kong in order to generate a jwt token.

You can add additional payload parameters to the jwt token but these are not passed down to your upstream services. It does however seem like this plugin solves this issue (I have not tested this yet):

https://github.com/wshirey/kong-plugin-jwt-claims-headers

Kong passes on the custom_id and username from the jwt consumer to the upstream service upon authorization, like this:

x-consumer-custom-id: [245]
x-consumer-username: ['my-test-user']
x-consumer-id: ['1e9e25dd-396f-4195-94fc-f2a8bd8447a2']

It also passes on the entire authorization header

191

answered Oct 12 '22 20:10

Kristian Lunde

Related questions
                            
                                Django foreign key on_delete: how to pass argument to callable when using models.SET
                            
                                How to make dynamic content display across a grid using Django with Bootstrap?
                            
                                django reg extend - current transaction is aborted, commands ignored until end of transaction block
                            
                                Mongo connections never released - Django and Mongoengine running on gunicorn with gevent
                            
                                Doing "group by" in django but still retaining complete object
                            
                                Always treat a ForeignKey field like it was in raw_id_fields in Django Admin
                            
                                cannot add inline to django site admin framework
                            
                                Reset sorl Thumbnail for a Django site
                            
                                PyDev + Django - undefined variables from import
                            
                                Errors installing mysql-python on Azure
                            
                                User authentication using django-oauth-toolkit
                            
                                AngularJS Django Rest Framework - trying to replicate JS object raised on 400 server error
                            
                                How to use django formsets to create a survey app with questions and answers?
                            
                                Django makemessages javascript (xgettext)
                            
                                Database trouble deploying django app to amazon beanstalk
                            
                                How to implement django otp?
                            
                                How to filter haystack results with db query
                            
                                Django: changing image size and upload to S3
                            
                                Profiling Django with PyCharm
                            
                                Pass Django CSRF token to Angular with CSRF_COOKIE_HTTPONLY

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With