@vukhanhtruong
Last active November 21, 2018 09:24
Example to use JWT with Kong API Gateway

Kong with JWT Auth

Prerequisite

Start Kong

git clone git@github.com:Kong/docker-kong.git
cd docker-kong/compose
docker-compose up -d
  • Kong Admin runs at http://localhost:8001
  • Kong Proxy runs at http://localhost:8000

Create Kong API Service

Note: Change {your-service-name} to your own service name

http POST http://localhost:8001/services \
    name="{your-service-name}" \
    url="http://192.168.99.100:32248"

Output

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 258
Content-Type: application/json; charset=utf-8
Date: Wed, 21 Nov 2018 04:53:42 GMT
Server: kong/0.14.1

{
    "connect_timeout": 60000,
    "created_at": 1542776022,
    "host": "192.168.99.100",
    "id": "a1d35b57-da18-4a1c-8734-deaa7f63761c", # Copy this Id
    "name": "user-svc",
    "path": null,
    "port": 30846,
    "protocol": "http",
    "read_timeout": 60000,
    "retries": 5,
    "updated_at": 1542776022,
    "write_timeout": 60000
}

Create a Route for the Service

  • Add the custom host name to your hosts file.
  • This guide uses the hostname service.local. Add it by running this command as root: echo "127.0.0.1 service.local" >> /etc/hosts
  • Replace {your-service-id} with the service id from the previous step.
http POST http://localhost:8001/routes \
    hosts:='["service.local"]' \
    paths:='["/"]' \
    service:='{"id": "{your-service-id}"}'

Output

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 291
Content-Type: application/json; charset=utf-8
Date: Wed, 21 Nov 2018 04:56:21 GMT
Server: kong/0.14.1

{
    "created_at": 1542776181,
    "hosts": [
        "service.local"
    ],
    "id": "2f76bb47-8e10-4f8a-92d2-798153d71425", # Copy this Id
    "methods": null,
    "paths": [
        "/"
    ],
    "preserve_host": false,
    "protocols": [
        "http",
        "https"
    ],
    "regex_priority": 0,
    "service": {
        "id": "a1d35b57-da18-4a1c-8734-deaa7f63761c"
    },
    "strip_path": true,
    "updated_at": 1542776181
}

Enable JWT Plugin For Route

  • Replace {your-route-id} with the route id from the previous step.
http POST http://localhost:8001/routes/{your-route-id}/plugins name="jwt"

Output

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 315
Content-Type: application/json; charset=utf-8
Date: Wed, 21 Nov 2018 07:31:45 GMT
Server: kong/0.14.1

{
    "config": {
        "anonymous": "",
        "cookie_names": {},
        "key_claim_name": "iss",
        "maximum_expiration": 0,
        "run_on_preflight": true,
        "secret_is_base64": true,
        "uri_param_names": [
            "jwt"
        ]
    },
    "created_at": 1542785506000,
    "enabled": true,
    "id": "5367122d-121c-4d73-a88e-9eb5e524292f",
    "name": "jwt",
    "route_id": "2f76bb47-8e10-4f8a-92d2-798153d71425"
}

Create a Kong Consumer

Find out more here

http POST http://localhost:8001/consumers \
   username="sam"

Output

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 104
Content-Type: application/json; charset=utf-8
Date: Wed, 21 Nov 2018 07:39:38 GMT
Server: kong/0.14.1

{
    "created_at": 1542785978,
    "custom_id": null,
    "id": "c50e47ea-38c1-48e1-a0c0-e2fde00475f6",
    "username": "sam"
}

Create JWT Credentials for User

http POST http://localhost:8001/consumers/sam/jwt

Output

HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 231
Content-Type: application/json; charset=utf-8
Date: Wed, 21 Nov 2018 07:40:18 GMT
Server: kong/0.14.1

{
    "algorithm": "HS256",
    "consumer_id": "c50e47ea-38c1-48e1-a0c0-e2fde00475f6",
    "created_at": 1542786019000,
    "id": "c44261b4-3fdd-4d42-be40-cfcbd4ffebae",
    "key": "CYDqzeQ0427MfZQ7wABuYSXPxBkQpgWh",     # Issuer
    "secret": "orYGrUbXyQ1VBFPRwnlDwakS18gOQNZI"   # Signing key
}

The key and secret are used to generate the access token.

  • Issuer (key from above): CYDqzeQ0427MfZQ7wABuYSXPxBkQpgWh
  • Signing key (secret from above): orYGrUbXyQ1VBFPRwnlDwakS18gOQNZI
  • Create a payload similar to this:
{
  "iss": "CYDqzeQ0427MfZQ7wABuYSXPxBkQpgWh",
  # you can add extra data if you want
}

Results in JWT String: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJZUkdFSFNPcDNsWUxlcWl2VTE2UkZtWXNaWTNTandCMiIsImp0aSI6ImY2YjJiMDZlLTljYmYtNDVmOC05ZDFhLTBjOGU4NDk0OGIzMCIsImlhdCI6MTU0Mjc4NjMxMSwiZXhwIjoxNTQyNzg5OTExfQ.gP2y-yx7_pLidKYP_SnIqLs38mjXVX3e7HqFTONDnKY
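
One way to produce and check such a token from the key and secret, as an added example (not part of the original gist and not Kong's own code). It assumes the plugin settings shown in the output above: key_claim_name is iss, and because secret_is_base64 is true the HS256 key is the base64-decoded secret rather than its ASCII text. The function names, the one-hour lifetime and verify_jwt (a local check, not what Kong runs) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = "CYDqzeQ0427MfZQ7wABuYSXPxBkQpgWh"     # "key" of the credential above
SECRET = "orYGrUbXyQ1VBFPRwnlDwakS18gOQNZI"  # "secret" of the credential above

def b64url(data):
    # JWS uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64decode_any(text):
    # Accept the standard or URL-safe alphabet, padded or not.
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def hmac_key(secret, secret_is_base64):
    # secret_is_base64 = true: the key is the decoded bytes, not the text.
    return b64decode_any(secret) if secret_is_base64 else secret.encode()

def mac(signing_input, secret, secret_is_base64):
    key = hmac_key(secret, secret_is_base64)
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_jwt(iss, secret, secret_is_base64, ttl=3600, now=None):
    now = int(time.time()) if now is None else now
    claims = {"iss": iss, "iat": now, "exp": now + ttl}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"typ": "JWT", "alg": "HS256"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(mac(signing_input, secret, secret_is_base64))

def verify_jwt(token, secret, secret_is_base64, now=None):
    # Returns the claims of a valid, unexpired HS256 token, otherwise None.
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64decode_any(head)), json.loads(b64decode_any(body))
        good = hmac.compare_digest(b64decode_any(sig), mac(head + "." + body, secret, secret_is_base64))
    except ValueError:
        return None
    if not good or not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # bad signature, or an algorithm other than the pinned one
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None  # this check insists on an expiry claim
    return claims if claims["exp"] > (time.time() if now is None else now) else None

if __name__ == "__main__":
    print(sign_jwt(KEY, SECRET, secret_is_base64=True))
```

A token signed with the ASCII form of the secret fails verification when the plugin expects the decoded form, which is a common cause of signature errors with this setting.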

Send a request to the API endpoint with the JWT in the Authorization header

curl http://service.local:8000/ \
    -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJZUkdFSFNPcDNsWUxlcWl2VTE2UkZtWXNaWTNTandCMiIsImp0aSI6ImY2YjJiMDZlLTljYmYtNDVmOC05ZDFhLTBjOGU4NDk0OGIzMCIsImlhdCI6MTU0Mjc4NjMxMSwiZXhwIjoxNTQyNzg5OTExfQ.gP2y-yx7_pLidKYP_SnIqLs38mjXVX3e7HqFTONDnKY'