10

I am currently playing around with the Kong API Gateway and I would like to use it to validate the authentication of users at the gateway and restrict access to services if the user is not logged in properly. I have an authentication service which issues JWTs whenever a user logs in.

I would now like to share the JWT secret with Kong and use it for validation of the issued JWTs to secure services which need proper authentication.

I had a look at this plugin: https://getkong.org/plugins/jwt/

But it seems that this plugin works a bit different than what I would like to achieve. Why do I have to create consumers? I would like to have only one user database at my authentication service to avoid the need of synchronisation. It seems that the approach of this plugin is designed for giving 3rd party stakeholders access to my API.

Any hint would be highly appreciated.

Magnus
  • 390
  • 2
  • 12
  • 1
    Did you come to any insights about this? I'm in the same position – Riley Lark Mar 21 '16 at 23:41
  • Unfortunately not yet, I also tried contacting people from kong via gitter, with no luck. If I find something out I get back to you here. – Magnus Mar 22 '16 at 15:04
  • @Magnus Would you please change your choice of correct answer as suggested by the comments? Pranjal Aneja's answer should be marked as correct. – GGAnderson Apr 20 '19 at 20:55

3 Answers3

20

The answer given by Riley is sort of correct in implementation but that is not the intended use of a consumer in the Kong.

A consumer in kong is the application that is is using the API. So, unless you have multiple vendors using your app/web service, I suggest you create a single consumer.

You can create multiple key and secret pair(JWT credentials) for that consumer. Create a JWT for a user by using the users Key and secret. Store this Key and secret in your current database along with your userID and other details. Create your JWT using these and return the JWT to the user.

Anything else you want to append as a claim can be added to the JWT while you are creating it. You can create a check for these claims in Kong. So, when you get a call to any of your APIs along with these JWT Kong will check the validity of the JWT(along with all the claims) and only then allow the access to the API.

Pranjal Aneja
  • 232
  • 2
  • 2
  • 1
    The Kong documentation seems to contradict you "The easiest way to think about consumers is to map them one-on-one to users. Yet, to Kong this does not matter. The core principle for consumers is that you can attach plugins to them, and hence customize request behaviour. So you might have mobile apps, and define one consumer for each app, or version of it. Or have a consumer per platform, e.g. an android consumer, an iOS consumer, etc." https://getkong.org/docs/0.11.x/auth/#consumers – freakTheMighty Dec 21 '17 at 06:45
  • I think the docs are written with users of mashape.com in mind - users who are setting up services that will call APIs, NOT users who are signing up on your website to use the service that you're making. I agree this should be marked the correct answer – Riley Lark Jun 13 '18 at 21:17
8

It seems to me that the design of the JWT plugin for Kong doesn't want to share a JWT secret with you - it wants to own the JWTs entirely. You will indeed have to create a consumer per user, and let Kong manage that.

I asked a few questions to confirm on the Google Group - see https://groups.google.com/forum/?fromgroups#!topic/konglayer/XHnVEGoxZqo

Two highlights:

Can you just confirm that it should be OK to make one consumer and one credential per user?

Not only that's okay, but that's the recommended way :)

and

Will Kong be happy to have two million consumers of a single api? What about 200 million?

Technically that shouldn't be an issue, I would recommend setting up a POC where you can experiment with a higher number of users, in order to optimize the connection between Kong and the datastore and make sure we tune everything properly.

Community
  • 1
  • 1
Riley Lark
  • 20,660
  • 15
  • 80
  • 128
0

You can actually pass the secret to the JWT plugin when you create it:

$ curl -X POST http://kong:8001/consumers/${consumer_id}/jwt \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "secret=mysecret&consumer_id=${consumer_id}"

Davide Vernizzi
  • 1,327
  • 17
  • 25