[security] Session based kong authorizer #3132
Unanswered · asked by mod in Feature Requests · 1 comment

mod (original post):

This is a security enhancement.

We are using a similar authentication mechanism with our open-source project openware/barong, but after long research we have decided not to expose the JWT and keep it behind the gateway. We expose to the end-user a session-id or a one-time-token. This allows instant and secure logout; we are also adding, at the gateway level, IP resolution to invalidate sessions, a blacklist, or a maintenance page.

We would like to contribute a Golang or Lua Kong plugin, which would be an optional security hardening. Merging this would benefit both our companies.

Reply (1 comment):

Hey @mod - that sounds awesome. It's worth pointing out that we don't have a Kong fork, so that part would need to be contributed directly to the main Kong org: https://github.com/kong/ For the GoTrue side, we have a fork where we are implementing asymmetric key signing, and this will be exposed on the Dashboard. Also - thanks for the sponsorship 🎉
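The pattern the request describes, as an added illustration that is not code from openware/barong, Supabase, GoTrue or Kong: the browser holds only an opaque session id, the gateway resolves it to the stored JWT and forwards that upstream, and logout deletes the record so the id is refused on the very next request instead of remaining usable until the token expires. Go is used because the post proposes a Golang plugin, but the example is a plain `net/http` middleware and does not use Kong's plugin API. Everything here is assumed: the cookie name `session`, the in-memory store standing in for a shared one, the same-IP binding and IP block list as the gateway-side invalidation policy, and `header.payload.signature` as a placeholder for a real JWT.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// ErrUnauthorized is returned whenever a session id cannot be resolved to a JWT.
var ErrUnauthorized = errors.New("unauthorized")

// Session is the gateway-side record: the browser only ever holds the opaque id,
// the JWT issued by the auth server stays inside the gateway.
type Session struct {
	JWT      string
	ClientIP string // address the session was created from (assumed binding policy)
	Expires  time.Time
}

// SessionStore is an in-memory stand-in for the shared store a real plugin would use.
type SessionStore struct {
	mu        sync.Mutex
	sessions  map[string]Session
	blockedIP map[string]bool
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]Session{}, blockedIP: map[string]bool{}}
}

// Create stores the JWT and hands back a fresh 256-bit random session id.
func (s *SessionStore) Create(jwt, clientIP string, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = Session{JWT: jwt, ClientIP: clientIP, Expires: time.Now().Add(ttl)}
	return id, nil
}

// Revoke is the logout path: once the record is gone the id is rejected immediately.
func (s *SessionStore) Revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

// BlockIP denies every session used from the given client address at the gateway.
func (s *SessionStore) BlockIP(ip string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.blockedIP[ip] = true
}

// Resolve maps a session id to its JWT, enforcing the block list, expiry and the
// assumed same-IP binding. Expired records are deleted as they are encountered.
func (s *SessionStore) Resolve(id, clientIP string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.blockedIP[clientIP] {
		return "", ErrUnauthorized
	}
	sess, ok := s.sessions[id]
	if !ok {
		return "", ErrUnauthorized
	}
	if now.After(sess.Expires) {
		delete(s.sessions, id)
		return "", ErrUnauthorized
	}
	if sess.ClientIP != clientIP {
		return "", ErrUnauthorized
	}
	return sess.JWT, nil
}

// Authorizer wraps the upstream handler: it swaps the opaque session cookie for the
// stored JWT and overwrites any Authorization header the client may have sent.
func (s *SessionStore) Authorizer(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		jwt, err := s.Resolve(c.Value, ip, time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("Authorization", "Bearer "+jwt)
		upstream.ServeHTTP(w, r)
	})
}

// SessionRequest builds a constructed request carrying the session cookie.
func SessionRequest(id, remoteAddr string) *http.Request {
	req := httptest.NewRequest(http.MethodGet, "/rest/v1/profiles", nil)
	req.RemoteAddr = remoteAddr
	req.AddCookie(&http.Cookie{Name: "session", Value: id})
	return req
}

func main() {
	store := NewSessionStore()
	id, _ := store.Create("header.payload.signature", "10.0.0.5", time.Hour) // placeholder JWT
	h := store.Authorizer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "upstream saw:", r.Header.Get("Authorization"))
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, SessionRequest(id, "10.0.0.5:4321"))
	fmt.Printf("logged in:    %d %s", rec.Code, rec.Body.String())
	store.Revoke(id) // logout
	rec = httptest.NewRecorder()
	h.ServeHTTP(rec, SessionRequest(id, "10.0.0.5:4321"))
	fmt.Printf("after logout: %d %s", rec.Code, rec.Body.String())
}
```

The point of interest is the second request: the session id that was accepted a moment earlier is refused as soon as `Revoke` runs, which is what a bearer JWT handed directly to the browser cannot offer without a separate revocation list on every consumer. Because the gateway overwrites `Authorization`, an upstream service never sees a token chosen by the client.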