Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authentication with Kong

Tags:

authentication

django

restful-authentication

microservices

kong

I'm looking at Kong to replace my current hand-rolled NodeJS API gateway. Currently I have a user service that handles authentication (written in Django) by providing a JWT back upon login, which the client then passes in through a header. My current API gateway then intercepts any calls, does a validation call back to the user service, and replaces the JWT Header with X-User-Id and X-User-Email.

As far as I can tell, Kong can do roughly the same thing. I'm trying to figure out the flow of how this should work in a perfect world. I still have the opportunity to replace much of the infrastructure, so rewriting some services is not completely out of the question.

So, in my mind, what would happen is the following:

  1. User registers on my site. I then create a new consumer with their username/id on Kong
  2. User logs in. This is where I get stuck. Do I log in (or in this case, simply authenticate the user as being said user), ask Kong for the JWT for this consumer, and return that? What if I wanted some more data in the payload of the JWT? What happens on Kong's side when the JWT expires?
  3. When the user requests a service, Kong will the sniff out the JWT from the headers, replace it with X-Consumer-* - is that correct?

Please do correct me if my thinking is wrong, or if there is a better way to achieve this. I'm fairly new to the whole microservices thing.

like image 366
iLikeBreakfast Avatar asked Apr 11 '17 15:04

iLikeBreakfast

People also ask

What is Kong authentication?

Kong supports a number of authentication plugins. These can be used to control traffic to upstream services, including both APIs and microservices. Authentication plugins can be configured to apply to service entities within the an API gateway.

Is Kong the best API Gateway?

Today, Kong Gateway is by far the most widely used open source API gateway in the world across different metrics. First, Kong today powers the world with approximately 9 trillion requests per month, a number that we derive from the anonymous reports that users can enable (or disable) in their Kong instances.

1 Answers

I'm working on a similar setup and these are my finding/ conclusions at the moment:

User sign up has to be the way you describe.

Upon login I do believe there are two possible ways to solve this:

  1. Store the consumer_id in your user database,
  2. Store the jwt key and secret in your user database.

In scenario 1 you'll have to get the jwt key and secret from kong and generate a jwt token and use this token to do requests to your kong services.

Scenario 2 is pretty much identical to scenario 1 except you don't have to do any requests to kong in order to generate a jwt token.

You can add additional payload parameters to the jwt token but these are not passed down to your upstream services. It does however seem like this plugin solves this issue (I have not tested this yet):

https://github.com/wshirey/kong-plugin-jwt-claims-headers

Kong passes on the custom_id and username from the jwt consumer to the upstream service upon authorization, like this:

x-consumer-custom-id: [245]
x-consumer-username: ['my-test-user']
x-consumer-id: ['1e9e25dd-396f-4195-94fc-f2a8bd8447a2']

It also passes on the entire authorization header

like image 191
Kristian Lunde Avatar answered Oct 12 '22 20:10

Kristian Lunde
Sign in to Comment

Related questions

Django foreign key on_delete: how to pass argument to callable when using models.SET
How to make dynamic content display across a grid using Django with Bootstrap?
django reg extend - current transaction is aborted, commands ignored until end of transaction block
Mongo connections never released - Django and Mongoengine running on gunicorn with gevent
Doing "group by" in django but still retaining complete object
Always treat a ForeignKey field like it was in raw_id_fields in Django Admin
cannot add inline to django site admin framework
Reset sorl Thumbnail for a Django site
PyDev + Django - undefined variables from import
Errors installing mysql-python on Azure
User authentication using django-oauth-toolkit
AngularJS Django Rest Framework - trying to replicate JS object raised on 400 server error
How to use django formsets to create a survey app with questions and answers?
Django makemessages javascript (xgettext)
Database trouble deploying django app to amazon beanstalk
How to implement django otp?
How to filter haystack results with db query
Django: changing image size and upload to S3
Profiling Django with PyCharm
Pass Django CSRF token to Angular with CSRF_COOKIE_HTTPONLY

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!