Best practice for using Kong with JWT


Márk Sági-Kazár

Aug 21, 2016, 12:39:14 PM
to Kong
Hi there,

I am looking at Kong for quite a few weeks now, and I have to say I really like what I see.

I would like to use it with an existing microservice setup (replace the existing, custom gateway).

The exposed API uses JWT authentication from an existing database of users.

At first sight, there are three obvious questions to be cleared:

1. What's the best way to migrate existing users?
2. How to integrate Kong into the existing registration/authentication flow.
3. How to synchronize user changes (created/deleted users).

Question 1 seems pretty easy: write a one time script which creates Consumers from the user database within Kong.

Number two is a little bit harder and more challenging from a design perspective, because my application needs to know about Kong being in the picture. The best thing I can do is to write a separate service which listens to different events and keeps Kong and the user service in sync, but I still see a possible danger of inconsistency. As for authentication, Kong must be integrated into the auth service as it provides the JWT keys.

There are also more hidden problems with using the JWT plugin in an infrastructure like this. For example: JWTs are self-contained, meaning my auth service MUST BE able to add custom claims to the token. The client should be able to utilize refresh tokens, which is also not possible with the JWT plugin at the moment.

I wonder whether the JWT plugin is actually suitable for such a purpose, or whether it is rather a tool for machine/developer authorization.

I saw similar questions coming up on the mailing list, but I didn't find a proper answer for my questions. Is there a blog post summarizing similar issues like these? Are there any best practices for integrating Kong and authentication plugins into already existing environments?

Right at the moment, I am thinking about the following: implement a custom authentication plugin which uses my already existing user services for token creation and only validates JWT without using the Consumer concept of Kong. How would that work together with other auth related things (ACLs, etc)?

Thank you very much for any help in advance.

Regards,
Mark

Márk Sági-Kazár

Sep 9, 2016, 3:49:16 PM
to Kong
Hi there,

Does anyone have any input on this?

Thanks,
Mark

Thibault Charbonnier

Sep 9, 2016, 4:06:25 PM
to kong...@googlegroups.com
On 8/21/16 9:39 AM, Márk Sági-Kazár wrote:
> 2. How to integrate Kong into the existing registration/authentication
> flow.
Maybe consider the Consumer's 'custom_id' property. When Kong
authenticates a Consumer (from any authentication plugin), it will send
a few headers to your upstream services. See the "upstream headers"
section of the plugin's doc.
> but I still see a possible danger of inconsistency.
That is true. I don't see a specific solution to this.
> There are also more hidden problems with using the JWT plugin in an
> infrastructure like this. For example: JWTs are self-contained,
> meaning my auth service MUST BE able to add custom claims to the
> token. The client should be able to utilize refresh tokens, which is
> also not possible with the JWT plugin at the moment.
Indeed, the plugin only verifies that JWT tokens are valid; its primary
goal is to take care of this, allowing your upstream services to
consider them valid and simply decode them.
> Right at the moment, I am thinking about the following: implement a
> custom authentication plugin which uses my already existing user
> services for token creation and only validates JWT without using the
> Consumer concept of Kong. How would that work together with other auth
> related things (ACLs, etc)?
Some plugins in Kong require that your request be authenticated with one
of Kong's Consumers (ACL is a good and obvious example). If you wish to
"authenticate" a Consumer, simply set the 'ngx.ctx.authenticated_*'
values. See the key-auth plugin for example:

https://github.com/Mashape/kong/blob/master/kong/plugins/key-auth/handler.lua#L101-L102

Best,
Thibault
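The mapping Thibault describes, as an added example (Python, not Kong's code or any poster's): the Admin API payloads a migration script would create per existing user (`custom_id` carries the existing user id), the auth service minting a token whose `iss` claim is the credential `key` (the plugin looks credentials up by that claim) with its own custom claims added, and a gateway-side check mirroring what the JWT plugin does before forwarding `X-Consumer-Custom-ID` / `X-Consumer-Username` upstream. The user record, secret and claim values are constructed; `X-Consumer-ID` is a Kong-generated UUID and is left out.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def migration_payloads(user, secret):
    """Bodies the one-time migration script would POST to Kong's Admin API:
    /consumers (custom_id = existing user id) and /consumers/{username}/jwt."""
    consumer = {"username": user["email"], "custom_id": str(user["id"])}
    credential = {"key": "user-%d" % user["id"], "secret": secret, "algorithm": "HS256"}
    return consumer, credential

def issue_token(credential, custom_claims, ttl=3600, now=None):
    """Auth service side: mint an HS256 JWT Kong accepts. 'iss' must equal the
    credential key; extra claims pass through to the upstream untouched."""
    now = now or int(time.time())
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    claims = {"iss": credential["key"], "iat": now, "exp": now + ttl, **custom_claims}
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(credential["secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def gateway_check(token, creds_by_key, consumers_by_key, now=None):
    """Gateway side, mirroring the JWT plugin: find the credential by 'iss', check
    alg, signature and 'exp', return upstream headers (None = request rejected)."""
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
        cred = creds_by_key[claims["iss"]]
    except (ValueError, KeyError):
        return None
    if header.get("alg") != cred["algorithm"]:  # reject alg confusion
        return None
    expected = hmac.new(cred["secret"].encode(), (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    if claims.get("exp", float("inf")) <= (now or int(time.time())):
        return None
    consumer = consumers_by_key[claims["iss"]]
    return {"X-Consumer-Custom-ID": consumer["custom_id"],
            "X-Consumer-Username": consumer["username"]}

# Constructed sample: one existing user and a secret generated at migration time.
USER = {"id": 42, "email": "mark@example.invalid"}
CONSUMER, CREDENTIAL = migration_payloads(USER, "s3cr3t-generated-at-migration")
CREDS, CONSUMERS = {CREDENTIAL["key"]: CREDENTIAL}, {CREDENTIAL["key"]: CONSUMER}
```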

hai...@gmail.com

Jan 11, 2017, 4:55:02 AM
to Kong
Hi,

I am relatively new to Kong and unable to understand how to use the JWT Plugin for authentication.

Typically, my User Service will add a consumer when a new user [say "User1"] gets created.
When "User1" logs in, my UserService will get a JWT Credential from Kong, which will be relayed back in an HTTP Response to the SPA Client.

The Client will further use this JWT in subsequent requests. Is my understanding correct?
I am not sure of the end-to-end flow with Kong and its JWT Plugin. Any help is highly appreciated !!

Thanks.

Poule Dodue

Jan 12, 2017, 3:54:57 AM
to Kong, hai...@gmail.com
You have a thread here: https://groups.google.com/forum/#!searchin/konglayer/consumers|sort:relevance/konglayer/XHnVEGoxZqo/cYFAJDqqAwAJ

I ended up integrating the way chris@..........gmail.com is doing it (last message of the thread)