Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Short example to use JWT with Kong

JWT Kong Example

  • Get and Start Kong and Co
git clone
cd docker-kong/compose
docker-compose up
  • Create Kong API Route
curl -X POST http://localhost:8001/apis/ \
   --data "request_path=/skywalkerDemo" \
   --data "upstream_url=" \
   --data "strip_request_path=true"
  • Enable JWT Plugin For Route
curl -X POST http://localhost:8001/apis/skywalkerDemo/plugins \
    --data "name=jwt" \ 
    --data "config.secret_is_base64=true"
  • Create a Kong Consumer
curl -X POST http://localhost:8001/consumers \
   --data "username=bill"
  • Create JWT Credentials for User and Note key and secret from response
curl -H "Content-Type: application/json" -X POST -d '{}' http://localhost:8001/consumers/bill/jwt

Response: {"secret":"b9f813fb8753440eabb1b44f9ba4da2f",
  • Craft JWT using e.g.

    • Issuer (key from above): cef1fe6937e444a6b18a26965d619718
    • Key (secret from above): b9f813fb8753440eabb1b44f9ba4da2f

    Results in JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjZWYxZmU2OTM3ZTQ0NGE2YjE4YTI2OTY1ZDYxOTcxOCIsImlhdCI6bnVsbCwiZXhwIjpudWxsLCJhdWQiOiIiLCJzdWIiOiIifQ.50bnA9d3wjIYIx6m-fzxIHQHfXF6zuJRPMUdk8-4LTU

  • Issue request to API endpoint with JWT im header

curl http://localhost:8000/skywalkerDemo \
    -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjZWYxZmU2OTM3ZTQ0NGE2YjE4YTI2OTY1ZDYxOTcxOCIsImlhdCI6bnVsbCwiZXhwIjpudWxsLCJhdWQiOiIiLCJzdWIiOiIifQ.50bnA9d3wjIYIx6m-fzxIHQHfXF6zuJRPMUdk8-4LTU'

Copy link

nabanita18 commented Jul 11, 2017

I am getting {"message":"Bad token; invalid JSON"}
while trying above. Any way to resolve this error.

Copy link

berttejeda commented Jul 21, 2017

@nabanita18, the same happened to me, but I got past it by using the correct portion of the JWT response (from Auth0).
In my case, I had to use the .id_token property of the JSON response.
Here was my approach:

                       \"grant_type\":   \"password\",
                       \"username\":    \"\",
                       \"password\":    \"123456\",
                       \"client_id\":  \"${MY_AUTH0_CLIENTID}\",
                       \"client_secret\":  \"${MY_AUTH0_CLIENTSECRET}\"
ACCESS_TOKEN_RESPONSE=$(echo ${RO_PAYLOAD} | curl -X POST --header 'Content-Type: application/json' --data-binary @-

The variable $ACCESS_TOKEN_RESPONSE should now contain a value similar to:

{"access_token":"ABCDEFG123456","expires_in":86400,"scope":"openid profile email address phone","id_token":"123456ABDEFGHIJKLMNOP","token_type":"Bearer"}

To format the access token:

ACCESS_TOKEN=$(echo $ACCESS_TOKEN_RESPONSE | jq -r '.id_token')

Finally, testing the KONG API

curl -X GET --url http://${my_kong_host}:8000/get -H 'Host:' -H "Authorization:Bearer ${ACCESS_TOKEN}"

Note my use of the jq command.

Copy link

pravsjv commented Oct 5, 2017


I'm getting the following issue while trying to setup
{"message":"No credentials found for given 'iss'"}

Could you please help me with any solution.

Copy link

pravsjv commented Mar 20, 2018

Fixed this issue. Solution:
Copied the keycloak.json client in the webapp and as well copied the client_secret while generating the token.

Copy link

aliabbas-2012 commented Jul 6, 2018

I am facing same issue for services and routes. I am not able to solve this issue.Will you help me ?

Copy link

code2design commented Jul 13, 2018

@aliabbas-2012 what is the issue your facing? Can you put more details?

Copy link

aliabbas-2012 commented Jul 15, 2018

{"message":"No credentials found for given 'iss'"}

Copy link

jwthomp commented Jul 30, 2018

@aliabbas-2012 Make sure that the value that is set in the iss claim is the same name you have given to the jwt credential for it's key you setup for the consumer.

Copy link

Kolesar commented May 14, 2020

With this, we can very easy cheating browser session.

For example:
I will logged-in with my Browser, take the JWT Bearer token from there, and put in the CURL/Postman to get access.

How can we avoid it, actually?

Copy link

tavisca-abhaya commented Aug 2, 2021

How do kong JWT plugins get to know which consumer to use?

As there is no refers of no plugin ID/routeID/ServiceID in consumer configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment