[request] JWT Plugin #519

Closed
subnetmarco opened this issue Aug 28, 2015 · 11 comments
Labels
idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports.

Comments

@subnetmarco
Member

Support for JSON Web Token authentication.

We had a try with #404, but never merged because we wanted to use lua-resty-jwt.

@subnetmarco subnetmarco added idea/new plugin [legacy] those issues belong to Kong Nation, since GitHub issues are reserved for bug reports. request labels Aug 28, 2015
@lucamaraschi

👍

@thibaultcha
Member

What is this plugin expected to do? Receive a JWT, validate it against a secret (one secret per user? If so, users must also give their usernames in the claims) and forward the claims to the upstream API if valid? That seems very limited to me. Any other logic is application-dependent and cannot be reasonably integrated into Kong.

Let me know what your use cases would be.

@sonicaghi
Member

@lucamaraschi @jasonmotylinski-dowjones @jerizm @thefosk ^

are you guys thinking about something like this: https://github.com/auth0/nginx-jwt

@lucamaraschi

@sinzone the plugin looks great to me... I would also add the capability of generating a JWT token (issuer).
Can we also reference, in the description of the plugin, the associated JWT standard?

@thibaultcha
Member

I don't think we can do everything the plugin does, only validating a JWT and forwarding it upstream if valid; the rest is custom logic. You would have to create secrets (just like the Basic auth plugin needs a password for each consumer) for each of your consumers, and they would have to set their username as well in the request, so this doesn't fully respect the JWT specs, I believe. Also, what do you mean by "generating a JWT token"?

@lucamaraschi

@thibaultcha how do you then see a normal JWT flow from an app/web site perspective?

@thibaultcha
Member

A client would simply send a JWT signed with a secret retrieved by Kong, along with the username (eventually in the JWT claims), to Kong, and Kong would validate it. If it is valid, Kong forwards it to the upstream API; if not, Kong discards it. Again, if you have any other use cases, please share.
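The validation flow thibaultcha describes above, as an added Python example that is not part of this thread or of Kong's own code: each consumer has its own secret, the `iss` claim is assumed to carry the consumer identifier (the "username in the claims" idea), and the gateway pins the algorithm to HS256, checks the signature against that consumer's secret and checks the expiry before letting the claims through. The secret store and all tokens are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-consumer secret store (assumption: one HS256 secret per
# consumer, selected by the "iss" claim, like a per-consumer Basic auth password).
CONSUMER_SECRETS = {"alice": "alice-secret-01", "bob": "bob-secret-02"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Client side: issue an HS256 JWT with the consumer's own secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, now=None):
    """Gateway side: return the claims if the token is valid, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side: the token must never choose it ("none", confusion).
    if header.get("alg") != "HS256":
        return None
    secret = CONSUMER_SECRETS.get(claims.get("iss"))  # unknown consumer -> reject
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or expired
        return None
    return claims
```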

@lucamaraschi

It makes sense to me.

@jerizm

jerizm commented Sep 14, 2015

👍 Sounds good to me @thibaultcha

@thibaultcha
Member

Ok, one JWT plugin coming right away then.

@subnetmarco
Member Author

JWT has been implemented and is available with 0.5.0 at https://getkong.org/plugins/jwt/
