[request] JWT Plugin #519
What is expected that this plugin do? Receive a JWT, validate it against a secret (one secret by user? If so users must also give their usernames in the claims) and forward the claims to the upstream API if valid? That seems very limited to me. Any other logic is application-dependent and cannot be reasonably integrated into Kong. Let me know what your use cases would be.
@lucamaraschi @jasonmotylinski-dowjones @jerizm @thefosk ^ are you guys thinking about something like this: https://github.com/auth0/nginx-jwt
@sinzone the plugin looks great to me... I would also add the capability of generating a JWT token (issuer).
I don't think we can do everything the plugin does, only validating a JWT and forwarding it to upstream if valid; the rest is custom logic. You would have to create secrets (just like the Basic auth plugin needs a password for each consumer) for each of your consumers and they would have to set their username as well in the request, so this doesn't fully respect the JWT specs I believe. Also, what do you mean by "generating a JWT token"?
@thibaultcha how do you then see a normal JWT flow from an app/web site perspective?
A client would simply send a JWT signed with a secret retrieved by Kong, along with the username (eventually in the JWT claims) to Kong, and Kong would validate it. If it is valid, Kong forwards it to the upstream API, if not, Kong discards it. Again, if you have any other use cases, please share.
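The validation flow sketched in the comment above, written out as an added example (not code from this issue or from Kong's own plugin, and in Python rather than the plugin's Lua): the consumer's username is assumed to travel in the `iss` claim, the per-consumer secret store is a constructed dict, and only HS256 is accepted so that a forged `alg` header cannot bypass the signature check.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed per-consumer secrets, standing in for Kong's credential store (assumption).
CONSUMER_SECRETS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token: str, secrets: dict) -> Optional[dict]:
    """Return the claims if the token is valid for a known consumer, else None.

    The consumer is identified by the 'iss' claim (assumption) and its secret is
    looked up in the store; the signature is checked with a constant-time compare.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad structure, bad base64, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse 'none' and any other algorithm
        return None
    secret = secrets.get(claims.get("iss"))
    if secret is None:  # unknown consumer: no secret to validate against
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return claims

def gateway(token: str) -> str:
    """Mimic the plugin's decision: forward with the consumer identity, or reject."""
    claims = verify_jwt(token, CONSUMER_SECRETS)
    return "forward:" + claims["iss"] if claims else "reject"
```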
It makes sense to me.
👍 Sounds good to me @thibaultcha
Ok, one JWT plugin coming right away then.
JWT has been implemented, and is available with 0.5.0 at https://getkong.org/plugins/jwt/
Support for JSON Web Token authentication.
We had a try with #404, but never merged because we wanted to use lua-resty-jwt.