How to handle different keys for different services?

Hi, all!

I’ve run into a rut and was hoping someone here could give me a tip. We are in the works of running Kong as our API-gateway, but before we can do it properly we need to figure out how to link our User -> Kong -> Service API, where we are running a bunch of different services in the back end.
The problem is: each service is using a different API key/authentication method for each user.

Preferably, if possible, we’d like to have it as follows:
User calls api.ourkong/servicename with one key specific for Kong -> Kong checks the key, and if correct routes the call to the correct service + adds the user-specific key/authentication for the service in question.

This will require storing the keys somewhere (or getting them from the service using the service API), which could either be done using some plugin (if it exists) or by routing to a “middleman” service which handles the storing or getting of the keys (if such a “middleman” plugin exists for Kong).

Has anyone dealt with something similar, and if so how have you solved it?
Would the best solution simply be to force the user to supply the different keys for the different services, if it’s not possible to solve the “one-to-many” key exchange idea?

Happy for any help or ideas,
Oscar
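One way to build the flow described in the post with stock Kong plugins, as an added example that is not part of the original thread or of Kong's own docs: `key-auth` on the service validates the Kong-specific key and identifies the consumer, and a `request-transformer` plugin scoped to that consumer and that service injects the upstream credential. The service name, consumer name, header name and key values below are made-up placeholders; the example assumes Kong's declarative config format 1.1 and that `request-transformer` accepts a consumer scope, which is the case in recent Kong versions.

```yaml
# Added example (declarative config for `kong config db_import` / DB-less mode).
# Names and keys are placeholders, not values from the original post.
_format_version: "1.1"

services:
- name: billing
  url: http://billing.internal:8080     # assumed upstream
  routes:
  - name: billing-route
    paths:
    - /billing
  plugins:
  # Step 1: caller must present the Kong-issued key; Kong resolves it to a consumer.
  - name: key-auth
    config:
      key_names:
      - apikey
      hide_credentials: true           # strip the Kong key before forwarding upstream

consumers:
- username: oscar                      # placeholder consumer
  keyauth_credentials:
  - key: kong-key-for-oscar            # placeholder, generate a random key in practice

plugins:
# Step 2: once key-auth has identified the consumer, a plugin scoped to
# (service, consumer) adds that user's credential for this particular backend.
# A second consumer gets its own instance of this plugin with its own key.
- name: request-transformer
  service: billing
  consumer: oscar
  config:
    remove:
      headers:
      - X-Api-Key                      # drop any client-supplied value first...
    add:
      headers:
      - X-Api-Key:billing-key-issued-to-oscar   # ...then inject the stored one
```

Two practitioner notes: `request-transformer` processes `remove` before `add`, so the combination above prevents a caller from smuggling their own `X-Api-Key` past the gateway; without the `remove`, `add` would leave a client-supplied header in place. And this file now holds every backend credential for every user, so treat it as a secret: keep it out of version control or template the key values in from a secrets store at deploy time rather than committing them.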

We have been using JWT tokens for this purpose, so you would be able to verify the given token's signature to make sure it hasn't been tampered with; the JWT token itself will contain the required claims to be used in each API's authorization solution.

The problem is we can’t enter API keys into the different services - each service generates their own API key, so we need to be able to add them to some storage either in Kong or that Kong can access. Is this possible using JWT, can I add custom data to different user tokens?

We’re also looking at using the nokia/kong-oidc plugin for authenticating, maybe we could add individual access tokens to Keycloak and include them that way?

A JWT token can consist of user information and its permissions / roles / groups, and you are able to have custom claims / fields if needed.

Kong can verify the given token on the request, but you also need to have a token generator separately.