I am evaluating Kong right now and I am wondering if our use case will fit Kong at all. So basically we have a microservice infrastructure and manage users/companies on our own. The APIs themselves are protected by JWT (Spring Security) and expect the token to be present in the header.
Now, we would like to use Kong as the API gateway and thought of pre-validating any request (validating the EXISTING JWT). It seems everything in Kong (especially plugins like Rate-Limiting etc.) is bound on top of the built-in “consumers”, but I don’t want to replicate or sync our internal database of users with Kong to keep them in sync; I’d rather use our existing JWT tokens and use the userId or companyId inside that token to apply stuff like authentication, rate-limiting etc.
How are you doing it?