Do I need to create a consumer for every user on my website to use the JWT plugin


michael....@gmail.com

Mar 15, 2016, 4:09:58 PM
to Kong
Hi, I have a SPA with many registered users, and I'd like to secure API requests using Kong and JWTs. Do I need a consumer in Kong for every registered user to generate JWT credentials?

I'm trying to avoid having all my registered users in two places (Kong and the authentication server).

Thanks,
Michael

Marco

Mar 15, 2016, 4:12:52 PM
to michael....@gmail.com, Kong
You can create multiple consumers and leverage the "custom_id" property to map Kong consumers to your primary database. Or you can create one consumer with multiple JWT credentials, but it seems like in your scenario you really want to go with the first option.

Cheers


Marco Palladino | CTO @ Mashape | mashape.com | +1 (415) 361-3858


Michael Giannini

Mar 15, 2016, 4:38:49 PM
to Marco, Kong
Cool, thanks. So if I have 100k registered users on my site, I'll need 100k consumers to leverage the "custom_id" property? I don't see the need for consumers since at the time of JWT creation I'll have the custom_id and can add that into the claim directly (Kong won't add the header, X-Consumer-Custom-ID, automatically though).

Maybe the JWT plugin isn't designed for my scenario; the documentation mentions "consumer represents a developer using the final service/API." That's not how I want to use it.


Marco

Mar 15, 2016, 4:47:51 PM
to Michael Giannini, Kong
There are two ways. 

Either you migrate every consumer, and then associate a JWT credential to it. In this way the JWT credential belongs to a consumer (https://getkong.org/plugins/jwt/#create-a-jwt-credential), and you can associate multiple JWT credentials per consumer. Think of the consumer as a developer, and the JWT credential as the credential that the client "application" is using (a developer can have more applications). 

Of course you can always create just one consumer called "global" and then create 100k JWT credentials, and that would work fine, except you will be losing some depth in managing the relationship consumer <> credentials. It's really up to you.


Marco Palladino | CTO @ Mashape | mashape.com | +1 (415) 361-3858

Michael Giannini

Mar 15, 2016, 5:07:44 PM
to Marco, Kong
Makes sense, thanks!

rile...@gmail.com

Mar 21, 2016, 7:58:29 PM
to Kong, michael....@gmail.com
Hi Marco - thanks for this explanation. Can you just confirm that it should be OK to make one consumer and one credential per user?

For example, our app has two million users, stored in mongodb. Right now our app generates and validates JWTs, but I would like to move that responsibility to Kong. Will Kong be happy to have two million consumers of a single api? What about 200 million?

Thanks again!

Riley

Marco

Mar 21, 2016, 8:17:53 PM
to rile...@gmail.com, Kong, Michael Giannini
> Can you just confirm that it should be OK to make one consumer and one credential per user?

Not only is that okay, it's the recommended way :)

> Will Kong be happy to have two million consumers of a single api? What about 200 million?

Technically that shouldn't be an issue; I would recommend setting up a POC where you can experiment with a higher number of users, in order to optimize the connection between Kong and the datastore and make sure everything is tuned properly.

Cheers


Marco Palladino | CTO @ Mashape | mashape.com | +1 (415) 361-3858

Riley Eynon-Lynch

Mar 21, 2016, 8:26:02 PM
to Kong, rile...@gmail.com, michael....@gmail.com
Great! Some of the docs mention one consumer per developer, and I didn't see any docs that talk about one consumer per application end-user. Thanks for the confirmation! 

We're only at 2M users right now, but I'll definitely set up a POC first, thanks for the heads up.

Thanks again!

chris....@gmail.com

Apr 6, 2016, 2:48:56 PM
to Kong, michael....@gmail.com
In my opinion, your authentication server should be a consumer with a single JWT credential. You should then sign your bearer tokens with this credential and have the claims contain the user id. Then, assuming Kong forwarded a request to a backend service, you know it is authenticated (because Kong verified the signature), the X-Consumer-Custom-ID header will be the consumer name of your authentication service, and to obtain user data, you simply decode (without verifying) the token.
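A small model of the two layouts discussed in this thread, Marco's consumer-per-user with `custom_id` and Chris's single auth-server consumer with the user id carried in the claims, written as an added example; it is neither Kong's plugin code nor code from anyone in the thread. It assumes the plugin's default of matching the token's `iss` claim against a credential's `key`, HS256 signing, and a constructed in-memory `CREDENTIALS` table standing in for Kong's datastore; the header names are the ones the thread mentions.

```python
import base64
import hashlib
import hmac
import json
import time
# Constructed stand-in for Kong's datastore: JWT credentials indexed by their
# "key" field, which the plugin matches against the token's "iss" claim. The
# first entry models Marco's layout (a consumer per end-user, custom_id holding
# your own user id), the second Chris's (one consumer for the auth server).
CREDENTIALS = {
    "user-42-key": {"secret": "constructed-secret-a", "username": "user-42", "custom_id": "42"},
    "auth-server-key": {"secret": "constructed-secret-b", "username": "auth-server", "custom_id": "auth-server"},
}
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key, secret, claims, ttl=300):
    """Issue an HS256 token the way your auth server would for a Kong JWT credential."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": key, "exp": int(time.time()) + ttl, **claims}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def kong_verify(token):
    """Simplified model of the plugin's check: look up the credential named by
    "iss", verify the HMAC with its secret, reject expired tokens, and return the
    consumer headers Kong would add to the upstream request (None means 401)."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    cred = CREDENTIALS.get(payload.get("iss")) if header.get("alg") == "HS256" else None
    if cred is None:
        return None
    expected = hmac.new(cred["secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature) or payload.get("exp", 0) <= time.time():
        return None
    return {"X-Consumer-Username": cred["username"], "X-Consumer-Custom-ID": cred["custom_id"]}

def upstream_user_id(token):
    """Upstream side of Chris's approach: Kong already verified the signature, so
    the service only decodes the payload (no verification) to read the user id."""
    return json.loads(_b64url_decode(token.split(".")[1])).get("sub")
```

With the per-user layout the upstream reads the user id from `X-Consumer-Custom-ID`; with the auth-server layout that header only names the issuing service and the user id comes from the claims, so the upstream must never accept a token that did not pass through Kong.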