Skip to content

Instantly share code, notes, and snippets.

@martinheld

martinheld/KongJwt.md

Last active February 21, 2024 14:47
Show Gist options
  • Save martinheld/5b6591a1abd4c5ef844d6bd4f6eb1879 to your computer and use it in GitHub Desktop.
Save martinheld/5b6591a1abd4c5ef844d6bd4f6eb1879 to your computer and use it in GitHub Desktop.
Download ZIP
Short example to use JWT with Kong
Raw
KongJwt.md

JWT Kong Example

  • Get and Start Kong and Co
git clone [email protected]:Mashape/docker-kong.git
cd docker-kong/compose
docker-compose up
  • Create Kong API Route
curl -X POST http://localhost:8001/apis/ \
   --data "request_path=/skywalkerDemo" \
   --data "upstream_url=https://www.finleap.com" \
   --data "strip_request_path=true"
  • Enable JWT Plugin For Route
curl -X POST http://localhost:8001/apis/skywalkerDemo/plugins \
    --data "name=jwt" \ 
    --data "config.secret_is_base64=true"
  • Create a Kong Consumer
curl -X POST http://localhost:8001/consumers \
   --data "username=bill"
  • Create JWT Credentials for User and Note key and secret from response
curl -H "Content-Type: application/json" -X POST -d '{}' http://localhost:8001/consumers/bill/jwt

Response: {"secret":"b9f813fb8753440eabb1b44f9ba4da2f",
  "id":"33dacbca-ce7d-4305-a213-1ce7b8f7af71",
  "algorithm":"HS256",
  "created_at":1473085487000,
  "key":"cef1fe6937e444a6b18a26965d619718",
  "consumer_id":"67c90d83-636b-4c36-85ac-a14eac54ebe2"}

  • Craft JWT using e.g. http://jwtbuilder.jamiekurtz.com/

    • Issuer (key from above): cef1fe6937e444a6b18a26965d619718
    • Key (secret from above): b9f813fb8753440eabb1b44f9ba4da2f

    Results in JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjZWYxZmU2OTM3ZTQ0NGE2YjE4YTI2OTY1ZDYxOTcxOCIsImlhdCI6bnVsbCwiZXhwIjpudWxsLCJhdWQiOiIiLCJzdWIiOiIifQ.50bnA9d3wjIYIx6m-fzxIHQHfXF6zuJRPMUdk8-4LTU

  • Issue request to API endpoint with JWT im header

curl http://localhost:8000/skywalkerDemo \
    -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjZWYxZmU2OTM3ZTQ0NGE2YjE4YTI2OTY1ZDYxOTcxOCIsImlhdCI6bnVsbCwiZXhwIjpudWxsLCJhdWQiOiIiLCJzdWIiOiIifQ.50bnA9d3wjIYIx6m-fzxIHQHfXF6zuJRPMUdk8-4LTU'
@jwthomp
Copy link

jwthomp commented Jul 30, 2018

@aliabbas-2012 Make sure that the value that is set in the iss claim is the same name you have given to the jwt credential for it's key you setup for the consumer.

@Kolesar
Copy link

Kolesar commented May 14, 2020

With this, we can very easy cheating browser session.

For example:
I will logged-in with my Browser, take the JWT Bearer token from there, and put in the CURL/Postman to get access.

How can we avoid it, actually?

@tavisca-abhaya
Copy link

tavisca-abhaya commented Aug 2, 2021
edited
Loading

How do kong JWT plugins get to know which consumer to use?

As there is no refers of no plugin ID/routeID/ServiceID in consumer configuration.

@sempaidev
Copy link

is not dinamic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment