Authenticate Consumers with the JWT plugin

Uses: Kong Gateway decK

Deployment Platform:

Prerequisites

Kong Konnect

This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Control Plane Name: You can use an existing Control Plane or create a new one to use for this tutorial.
- Konnect Proxy URL: By default, a self-hosted Data Plane uses http://localhost:8000. You can set up Data Plane nodes for your Control Plane from the Gateway Manager in Konnect.

Set the personal access token, the Control Plane name, the Control Plane URL, and the Konnect proxy URL as environment variables:

 export DECK_KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export DECK_KONNECT_CONTROL_PLANE_NAME='YOUR CONTROL PLANE NAME'
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='KONNECT PROXY URL'

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

Export your license to an environment variable:

 export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

Run the quickstart script:

 curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA 

Once Kong Gateway is ready, you will see the following message:

 Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

Run the following command:

echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Create a Consumer

Consumers let you identify the client that’s interacting with Kong Gateway. We’re going to use JWT authentication in this tutorial, so the Consumer needs a key and secret to access any Kong Gateway Services.

We’re specifying the key and secret here, but you can leave it out of the configuration in production if you want Kong Gateway to autogenerate it.

Create a Consumer:

echo '
_format_version: "3.0"
consumers:
  - username: jsmith
    jwt_secrets:
    - algorithm: HS256
      key: YJdmaDvVTJxtcWRCvkMikc8oELgAVNcz
      secret: C50k0bcahDhLNhLKSUBSR1OMiFGzNZ7X
' | deck gateway apply -

Enable authentication

Authentication lets you identify a Consumer. In this how-to, we’ll be using the JWT plugin for authentication, which allows users to authenticate with a JWT token when they make a request.

Enable the plugin globally, which means it applies to all Kong Gateway Services and Routes:

echo '
_format_version: "3.0"
plugins:
  - name: jwt
    config:
      header_names:
      - authorization
      key_claim_name: iss
' | deck gateway apply -

Sign the Consumer credential

Since we specified the HS256 algorithm when we were configuring the Consumer credentials, we need to sign our credential before we can use it for authentication. JWT credentials are signed with a header, payload, and the secret.

The header value is:

{
    "typ": "JWT",
    "alg": "HS256"
}

Since we configured iss for the config.key_claim_name, we’ll specify the Consumer’s key in the iss payload:

{
   "iss": "YJdmaDvVTJxtcWRCvkMikc8oELgAVNcz"
}

The secret is the value we set in the Consumer credentials previously:

C50k0bcahDhLNhLKSUBSR1OMiFGzNZ7X

Using the JWT debugger with the header (HS256), claims (iss), and secret associated with this key, you’ll end up with a JWT token of:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJZSmRtYUR2VlRKeHRjV1JDdmtNaWtjOG9FTGdBVk5jeiJ9.xG-DrlD4vcYBqhuhK_jrwFIALvVvU-qTOiNyIfUhn_Y

Save the token as an environment variable:

export JWT_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJZSmRtYUR2VlRKeHRjV1JDdmtNaWtjOG9FTGdBVk5jeiJ9.xG-DrlD4vcYBqhuhK_jrwFIALvVvU-qTOiNyIfUhn_Y"

Validate

When a Consumer authenticates with JWT, you can now use the signed credential in the authorization header.

First, run the following to verify that unauthorized requests return an error:

curl -i $KONNECT_PROXY_URL/anything

curl -i http://localhost:8000/anything

This request returns a 401 error with the message Unauthorized.

Then, run the following command to test Consumer authentication:

curl "$KONNECT_PROXY_URL/anything" \
     -H "Authorization: Bearer $JWT_TOKEN"\
     -H "Content-Type: application/json"

curl "http://localhost:8000/anything" \
     -H "Authorization: Bearer $JWT_TOKEN"\
     -H "Content-Type: application/json"

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d