How to set an RS256 public key to verify JWT?

Hey, I’m using Kong 2.0.1 with Helm and I’m trying to configure the JWT plugin so I can verify authenticated requests. I have set up the following KongPlugin and KongConsumer:

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: datashift-consumer
username: global-consumer
custom_id: global-consumer-id
credentials:
  - ds-jwt-public
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: api-gateway-kong-plugin
labels:
  global: "false"
config:
  run_on_preflight: false
plugin: jwt
consumer: datashift-consumer-staging

and then I created the following secret:

k create secret generic ds-jwt-public --from-literal=kongCredType=jwt --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY----- ...."

The jwt credential gets created (checked with GET /jwts) but when I try to send a request with an issued JWT I get "message": "No credentials found for given 'iss'"

  • What am I missing in the configuration that the plugin isn’t finding the credential to validate the token?
  • In the secret creation, how can I set the key algorithm to RS256? I have tried with the option --from-literal=algorithm=RS256 but the credential doesn’t get created in GET /jwts

I’m not a JWT expert, but you probably need to provide the JWT secret as well when creating the secret so that it is deterministic; otherwise it will be auto-generated on every sync.

k create secret generic ds-jwt-public \
  --from-literal=kongCredType=jwt \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY----- ...." \
  --from-literal=algorithm=RS256 \
  --from-literal=secret="<your-secret>" \
  --from-literal=key="<your-key>"

Don’t rely on auto-generated fields with Ingress Controller.

Hey, I could get it to work. My issue was that I was getting a validation failure with the rsa_public_key field when I passed the RS256 key with \n for line breaks. I think it was trying to escape that character and the key ended up with \\n instead of \n which failed the validation. Just passing it with the actual line breaks worked:

k create secret generic ds-jwt-public \
--from-literal=kongCredType=jwt \
--from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----
first-key-line
second-key-line
-----END PUBLIC KEY-----" \
--from-literal=key=iss.com \
--from-literal=algorithm=RS256
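
An added example, not part of the thread or of Kong's code: a Python pre-flight check that decodes a token without verifying it and compares its `iss` and `alg` with the fields intended for the Secret, flagging the escaped `\n` key problem described above. `check_credential`, the sample token and the placeholder key are constructed for illustration, and the plugin's default key claim `iss` is assumed.

```python
import base64
import json

def _seg_to_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_credential(token, cred, key_claim="iss"):
    """Compare an unverified JWT with the intended Secret fields; return problems."""
    header, claims = (_seg_to_json(s) for s in token.split(".")[:2])
    problems = []
    # The plugin looks up the credential whose `key` equals the token's key claim.
    if claims.get(key_claim) != cred.get("key"):
        problems.append(f"key mismatch: token {key_claim}={claims.get(key_claim)!r}, "
                        f"credential key={cred.get('key')!r}")
    # Kong's documented default: a jwt credential without `algorithm` is HS256.
    alg = cred.get("algorithm", "HS256")
    if header.get("alg") != alg:
        problems.append(f"alg mismatch: token {header.get('alg')!r}, credential {alg!r}")
    pem = cred.get("rsa_public_key", "")
    lines = pem.strip().splitlines()
    if "\\n" in pem:
        problems.append("rsa_public_key holds literal backslash-n, not line breaks")
    elif (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
          or lines[-1] != "-----END PUBLIC KEY-----"):
        problems.append("rsa_public_key is not a multi-line PEM public key")
    return problems

# --- constructed sample data: not a real key, token, or signature ---
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "typ": "JWT"}),
                         _seg({"iss": "iss.com", "sub": "demo"}), "c2ln"])
GOOD_PEM = ("-----BEGIN PUBLIC KEY-----\n"
            + base64.b64encode(b"constructed placeholder, not a key").decode()
            + "\n-----END PUBLIC KEY-----")
ESCAPED_PEM = GOOD_PEM.replace("\n", "\\n")

if __name__ == "__main__":
    good = {"key": "iss.com", "algorithm": "RS256", "rsa_public_key": GOOD_PEM}
    bad = {"key": "ds-jwt-public", "rsa_public_key": ESCAPED_PEM}
    for name, cred in (("good", good), ("bad", bad)):
        print(name, check_credential(SAMPLE_TOKEN, cred) or "fields line up")
```

The check only compares fields; it does not verify the token's signature, which is still the gateway's job.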
