How to set a RS256 public key to verify JWT?

Hey, I’m using Kong 2.0.1 with Helm and I’m trying to configure the JWT plugin so I can verify authenticated requests. I have set up the following KongPlugin and KongConsumer:

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: datashift-consumer
username: global-consumer
custom_id: global-consumer-id
credentials:
  - ds-jwt-public
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: api-gateway-kong-plugin
  labels:
    global: "false"
config:
  run_on_preflight: false
plugin: jwt
consumer: datashift-consumer-staging

and then I created the following secret:

k create secret generic ds-jwt-public --from-literal=kongCredType=jwt --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY----- ...."

The jwt credential gets created (checked with GET /jwts), but when I try to send a request with an issued JWT I get "message": "No credentials found for given 'iss'".

  • What am I missing in the configuration, such that the plugin isn’t finding the credential to validate the token?
  • In the secret creation, how can I set the key algorithm to RS256? I have tried with the option --from-literal=algorithm=RS256, but then the credential doesn’t get created in GET /jwts.

I’m not a JWT expert, but you probably need to provide the JWT secret as well while creating the secret so that it is deterministic; otherwise it will be auto-generated on every sync.

k create secret generic ds-jwt-public \
  --from-literal=kongCredType=jwt \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY----- ...."

Don’t rely on auto-generated fields with Ingress Controller.

Hey, I got it to work. My issue was that I was getting a validation failure on the rsa_public_key field when I passed the RS256 key with \n for line breaks. I think it was trying to escape that character and the key ended up with \\n instead of \n, which failed validation. Just passing it with the actual line breaks worked:

k create secret generic ds-jwt-public \
  --from-literal=kongCredType=jwt \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----"

Hi @Agustin_Daguerre

If you see my message, I have the same issue as you.

I can’t load the signing key used to verify the tokens as a secret.

I use Azure AD as identity provider.

I tried to:

  • use one line to load the secret (without )
  • fill in all fields (secret, …); I see in the docs that all fields are required (rsa_public_key, algorithm, …)

The command I use (I modified the RSA key for this post):

kubectl create secret generic poc-msf-aad \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----MIIDBTCCAe2gAwIBAgIQQiR8gZNKuYpH6cP+KIE5ijANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIwMDgyODAwMDAwMFoXDTI1MDgyODAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkymupuRhTpZc+6CBxQpL0SaAb+8CzLiiDyx2xRoecjojvKN2pKKjIX9cejMSDRoWaOnZCK4VZVX1iYRCWT1WkHb8r1ZpSGa7oXG89zxjKjwG46tiamwdZjJ7Mhh8fqLz9ApucY/LICPMJuu6d56LKs6hb4OpjylTvsNUAa+bHg1NgMFNg0fPCxdr9N2Y4J+Jhrz3VDl4oU0KDZX/pyRXblzA8kYGWm50dh5WB4WoB8MtW3lltVrRGj8/IgTf9GxpBsO9OWgwVByZHU7ctZs7AmUbq/59Ipql7vSM6EsoquXdMiq0QOcZAPitwzHkTKrmeULz0/RHnuBGXxS//AS2CMA0GCSqGSIb3DQEBCwUAA4IBAQDFnKQ98CBnvVd4OhZP0KpaKbyDv93PGukE1ifWilFlWhvDde2mMv/ysBCWAR8AGSb1pAW/ZaJlMvqSN/+dXihcHzLEfKbCPw4/Mf2ikq4gqigt5t6hcTOSxL8wpe8OKkbNCMcU0cGpX5NJoqhJBt9SjoD3VPq7qRmDHX4h4nniKUMI7awI94iGtX/vlHnAMU4+8y6sfRQDGiCIWPSyypIWfEA6/O+SsEQ7vZ/b4mXlghUmxL+o2emsCI1e9PORvm5yc9Y/htN3Ju0x6ElHnih7MJT6/YUMISuyob9/mbw8Vf49M7H2t3AE5QIYcjqTwWJcwMlq5i9XfW2QLGH7K5i8-----END PUBLIC KEY-----"

And I always get this error:

"failed to update kong configuration: posting new config to /config: 400 Bad Request {"fields":{"consumers":[{"jwt_secrets":[{"rsa_public_key":"invalid key","@entity":["failed conditional validation given value of field 'algorithm'"]}]}]},"name":"invalid declarative configuration","code":14,"message":"declarative config is invalid: {consumers={{jwt_secrets={{[\"@entity\"]={\"failed conditional validation given value of field 'algorithm'\"},rsa_public_key=\"invalid key\"}}}}}"}"

Thanks a lot for your help
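An added pre-flight check for the two failures in this thread (the "No credentials found for given 'iss'" error and the "invalid key" rejection above), written for this post and not taken from Kong or its documentation: it parses the PEM just far enough to tell an RSA SubjectPublicKeyInfo apart from literal \n escapes or an X.509 certificate pasted between PUBLIC KEY lines (a common cause of "invalid key" that the thread does not confirm for the key above), and it checks that the token's iss claim equals the credential's key field, which is how Kong's jwt plugin looks a credential up. Only the Python standard library is used; the DER values and the token in the tests are constructed samples.

```python
import base64, json, re
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

def der_tlv(tag: int, content: bytes) -> bytes:  # minimal DER encoder, used to build samples
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content

def to_pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def _content_offset(der: bytes, pos: int, tag: int) -> int:
    # Offset of the content of the TLV at pos, or -1 if the tag there is not `tag`
    if pos < 0 or pos + 1 >= len(der) or der[pos] != tag:
        return -1
    first = der[pos + 1]  # short form: the length; long form: 0x80 | number of length bytes
    return pos + 2 + ((first & 0x7F) if first & 0x80 else 0)

def check_rsa_public_key_pem(pem: str) -> list:
    """Reasons Kong's jwt plugin would reject this value as rsa_public_key for RS256."""
    problems = []
    if "\\n" in pem:  # the shell kept the backslash instead of producing a newline
        problems.append("literal \\n sequences: pass the PEM with real line breaks or use --from-file")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem.replace("\\n", "\n"), re.S)
    if not m:
        return problems + ["missing or mismatched PEM BEGIN/END lines"]
    if m.group(1) != "PUBLIC KEY":
        problems.append(f"PEM label is '{m.group(1)}', not 'PUBLIC KEY'")
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:
        return problems + ["PEM body is not valid base64"]
    # SubjectPublicKeyInfo ::= SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING }
    p = _content_offset(der, _content_offset(der, 0, 0x30), 0x30)
    if p < 0 or p >= len(der):
        problems.append("DER is not a SubjectPublicKeyInfo SEQUENCE")
    elif der[p] in (0xA0, 0x02):  # [0] version or INTEGER serial: a Certificate's TBSCertificate
        problems.append("DER is an X.509 certificate, not a public key: extract it with 'openssl x509 -pubkey -noout'")
    elif not der.startswith(RSA_OID, p):
        problems.append("key algorithm is not rsaEncryption; RS256 needs an RSA public key")
    return problems

def iss_matches_credential(token: str, credential_key: str) -> bool:
    """Kong selects the jwt credential whose 'key' equals the token's 'iss' claim (no signature check here)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("iss") == credential_key

_b64url = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url({"iss": "https://issuer.example/", "sub": "u1"}) + ".sig"  # constructed, unsigned
```

Run the check against the exact string you hand to kubectl before creating the secret; for RS256 the credential also needs key (set to the token's iss) and algorithm=RS256.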

Did you find the solution to your problem?
I have the same issue where I get "invalid key". I used jwk to pem convertor, pem to jwk convert online, and jwk openssl format pem to convert my JWK to a public key.

Finally I figured it out with the nokia-oidc plugin; I have abandoned the jwt plugin.