Kong and JWT without creating consumers

Tags:

jwt

kong

I am currently playing around with the Kong API Gateway and I would like to use it to validate the authentication of users at the gateway and restrict access to services if the user is not logged in properly. I have an authentication service which issues JWTs whenever a user logs in.

I would now like to share the JWT secret with Kong and use it for validation of the issued JWTs to secure services which need proper authentication.

I had a look at this plugin: https://getkong.org/plugins/jwt/

But it seems that this plugin works a bit differently than what I would like to achieve. Why do I have to create consumers? I would like to have only one user database at my authentication service to avoid the need for synchronisation. It seems that the approach of this plugin is designed for giving 3rd party stakeholders access to my API.

Any hint would be highly appreciated.

Magnus asked Mar 17 '16 12:03



2 Answers

The answer given by Riley is sort of correct in implementation, but that is not the intended use of a consumer in Kong.

A consumer in Kong is the application that is using the API. So, unless you have multiple vendors using your app/web service, I suggest you create a single consumer.

You can create multiple key and secret pairs (JWT credentials) for that consumer. Create a JWT for a user by using the user's key and secret. Store this key and secret in your current database along with your userID and other details. Create your JWT using these and return the JWT to the user.

Anything else you want to append as a claim can be added to the JWT while you are creating it. You can create a check for these claims in Kong. So, when you get a call to any of your APIs along with this JWT, Kong will check the validity of the JWT (along with all the claims) and only then allow access to the API.

Pranjal Aneja answered Oct 11 '22 13:10


It seems to me that the design of the JWT plugin for Kong doesn't want to share a JWT secret with you; it wants to own the JWTs entirely. You will indeed have to create a consumer per user, and let Kong manage that.

I asked a few questions to confirm on the Google Group - see https://groups.google.com/forum/?fromgroups#!topic/konglayer/XHnVEGoxZqo

Two highlights:

Can you just confirm that it should be OK to make one consumer and one credential per user?

Not only that's okay, but that's the recommended way :)

and

Will Kong be happy to have two million consumers of a single api? What about 200 million?

Technically that shouldn't be an issue, I would recommend setting up a POC where you can experiment with a higher number of users, in order to optimize the connection between Kong and the datastore and make sure we tune everything properly.

Riley Lark answered Oct 11 '22 15:10
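Worked example added by the editor; it is not code from either answer, nor Kong's own code. It models the flow both answers describe in Python: the authentication service keeps each user's Kong JWT credential (key and secret) next to the user record in its own database and issues an HS256 token whose `iss` claim is that key; the gateway resolves the credential by `iss`, checks the signature and, where the plugin is configured with `claims_to_verify=exp`, the expiry. Whether the credentials hang off a single consumer (Pranjal's suggestion) or one consumer per user (Riley's) does not change the token format, because the plugin looks the credential up by its key. `verify_at_gateway` only imitates the plugin's checks for illustration. The Admin API calls in the comments (`POST /consumers`, `POST /consumers/{consumer}/jwt`) follow Kong's documentation; the usernames, keys, secrets and timestamps are constructed sample data.

```python
"""
Editor-added example of the Kong JWT flow (not Kong's code, not from the answers).

Auth service: issue HS256 JWTs whose `iss` claim is the user's Kong credential key.
Gateway:      look the credential up by `iss`, verify the HMAC, enforce `exp`.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample data. In practice each record is filled in after the auth
# service registers the credential in Kong, e.g. (hypothetical names):
#   curl -X POST http://kong:8001/consumers -d username=auth-service
#   curl -X POST http://kong:8001/consumers/auth-service/jwt \
#        -d key=k_alice_7f3a -d secret=s3cr3t-alice -d algorithm=HS256
USER_DB = {
    "alice": {"user_id": 1001, "kong_key": "k_alice_7f3a", "kong_secret": "s3cr3t-alice"},
    "bob":   {"user_id": 1002, "kong_key": "k_bob_91c2",   "kong_secret": "s3cr3t-bob"},
}

# What the gateway side holds: credential key -> secret (modelled, not Kong's store).
KONG_CREDENTIALS = {u["kong_key"]: u["kong_secret"] for u in USER_DB.values()}


def b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(username: str, extra_claims: dict, now: int, ttl: int = 900) -> str:
    """Auth service side: sign a token with the user's own Kong credential.

    Reserved claims are set after extra_claims so a caller cannot override `iss`.
    """
    rec = USER_DB[username]
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {**extra_claims, "iss": rec["kong_key"], "sub": str(rec["user_id"]),
               "iat": now, "exp": now + ttl}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(rec["kong_secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_at_gateway(token: str, credentials: dict, now: int) -> tuple:
    """Gateway side: returns (ok, reason, claims). Imitates the plugin's checks."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "bad encoding", None
    # Only the algorithm the credential was registered with is acceptable;
    # this also rejects alg=none and algorithm-confusion attempts.
    if header.get("alg") != "HS256":
        return False, "unsupported alg", None
    key = claims.get("iss")
    if not isinstance(key, str) or key not in credentials:
        return False, "no credential for iss", None
    expected = hmac.new(credentials[key].encode(), (h_b64 + "." + p_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "bad signature", None
    # Corresponds to the plugin's optional `claims_to_verify=exp` check.
    if "exp" in claims and now >= claims["exp"]:
        return False, "expired", None
    return True, "ok", claims


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = issue_jwt("alice", {"role": "admin"}, t0)
    print(token)
    print(verify_at_gateway(token, KONG_CREDENTIALS, t0))
    print(verify_at_gateway(token, KONG_CREDENTIALS, t0 + 1000))
```

Because the token carries the credential key in `iss`, the gateway never needs the user database; the auth service is the only place where users and their Kong credentials are joined, which is the single-user-store arrangement the question asks for.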