How to set a RS256 public key to verify JWT?

Hey, I'm using Kong 2.0.1 with Helm and I'm trying to configure the JWT plugin so I can verify authenticated requests. I have set up the following KongPlugin and KongConsumer:

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: datashift-consumer
username: global-consumer
custom_id: global-consumer-id
credentials:
  - ds-jwt-public
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: api-gateway-kong-plugin
  labels:
    global: "false"
config:
  run_on_preflight: false
plugin: jwt
consumer: datashift-consumer-staging

and then I created the following secret:

k create secret generic ds-jwt-public --from-literal=kongCredType=jwt --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY----- ...."

The jwt credential gets created (checked with GET /jwts), but when I try to send a request with an issued JWT I get "message": "No credentials found for given 'iss'".

  • What am I missing in the configuration, such that the plugin isn't finding the credential to validate the token?
  • In the secret creation, how can I set the key algorithm to RS256? I have tried the option --from-literal=algorithm=RS256, but then the credential doesn't get created in GET /jwts.

I'm not a JWT expert, but you probably need to provide the JWT secret as well while creating the secret so that it is deterministic; otherwise it will be auto-generated on every sync.

k create secret generic ds-jwt-public \
  --from-literal=kongCredType=jwt \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY----- ...." \
  --from-literal=algorithm=RS256 \
  --from-literal=secret="<your-secret>" \
  --from-literal=key="<your-key>"

Don't rely on auto-generated fields with the Ingress Controller.

Hey, I was able to get it to work. My issue was that I was getting a validation failure on the rsa_public_key field when I passed the RS256 key with \n for line breaks. I think it was trying to escape that character, and the key ended up with \\n instead of \n, which failed validation. Just passing it with the actual line breaks worked:

k create secret generic ds-jwt-public \
  --from-literal=kongCredType=jwt \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----
first-key-line
second-key-line
-----END PUBLIC KEY-----" \
  --from-literal=key=iss.com \
  --from-literal=algorithm=RS256

Hi @Agustin_Daguerre

If you see my message: I have the same issue as you.

I can't load the signing key used to verify the tokens as a secret.

I use Azure AD as the identity provider.

I tried to:

  • use one line to load the secret (without )
  • fill in all fields (secret, …); I see in the docs that all fields are required (rsa_public_key, algorithm, …)

The command I use (I modified the RSA key for this post):

kubectl create secret generic poc-msf-aad \
  --from-literal=kongCredType=jwt \
  --from-literal=rsa_public_key="-----BEGIN PUBLIC KEY-----MIIDBTCCAe2gAwIBAgIQQiR8gZNKuYpH6cP+KIE5ijANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIwMDgyODAwMDAwMFoXDTI1MDgyODAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkymupuRhTpZc+6CBxQpL0SaAb+8CzLiiDyx2xRoecjojvKN2pKKjIX9cejMSDRoWaOnZCK4VZVX1iYRCWT1WkHb8r1ZpSGa7oXG89zxjKjwG46tiamwdZjJ7Mhh8fqLz9ApucY/LICPMJuu6d56LKs6hb4OpjylTvsNUAa+bHg1NgMFNg0fPCxdr9N2Y4J+Jhrz3VDl4oU0KDZX/pyRXblzA8kYGWm50dh5WB4WoB8MtW3lltVrRGj8/IgTf9GxpBsO9OWgwVByZHU7ctZs7AmUbq/59Ipql7vSM6EsoquXdMiq0QOcZAPitwzHkTKrmeULz0/RHnuBGXxS//AS2CMA0GCSqGSIb3DQEBCwUAA4IBAQDFnKQ98CBnvVd4OhZP0KpaKbyDv93PGukE1ifWilFlWhvDde2mMv/ysBCWAR8AGSb1pAW/ZaJlMvqSN/+dXihcHzLEfKbCPw4/Mf2ikq4gqigt5t6hcTOSxL8wpe8OKkbNCMcU0cGpX5NJoqhJBt9SjoD3VPq7qRmDHX4h4nniKUMI7awI94iGtX/vlHnAMU4+8y6sfRQDGiCIWPSyypIWfEA6/O+SsEQ7vZ/b4mXlghUmxL+o2emsCI1e9PORvm5yc9Y/htN3Ju0x6ElHnih7MJT6/YUMISuyob9/mbw8Vf49M7H2t3AE5QIYcjqTwWJcwMlq5i9XfW2QLGH7K5i8-----END PUBLIC KEY-----" \
  --from-literal=algorithm=RS256 \
  --from-literal=key="toto.com" \
  --from-literal=secret=dummy

And I always get this error:

failed to update kong configuration: posting new config to /config: 400 Bad Request {"fields":{"consumers":[{"jwt_secrets":[{"rsa_public_key":"invalid key","@entity":["failed conditional validation given value of field 'algorithm'"]}]}]},"name":"invalid declarative configuration","code":14,"message":"declarative config is invalid: {consumers={{jwt_secrets={{[\"@entity\"]={\"failed conditional validation given value of field 'algorithm'\"},rsa_public_key=\"invalid key\"}}}}}"}

Thanks a lot for your help
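As an added example (not code from this thread, from Kong, or from the Ingress Controller), the script below does the three checks the thread circles around, in plain Python with no third-party packages. First, it looks at what the DER inside a PEM block actually is, because the PEM label proves nothing: the blob in the last command above begins `MIIDBTCCAe2gAwIBAgIQ`, which decodes to `30 82 03 05 30 82 01 ed a0 03 02 01 02 02 10 ...`, the opening of an X.509 certificate (SEQUENCE, TBSCertificate, `[0]` version v3, serial number). That is the `x5c` member Azure AD publishes in its JWKS, whereas Kong's `rsa_public_key` validation wants the SubjectPublicKeyInfo PEM, which `openssl x509 -pubkey -noout -in cert.pem` extracts from a certificate. Second, it renders the Secret with base64 `data` values, so the PEM's line breaks survive without any shell quoting of `\n`. Third, `match_credential` mimics the plugin's lookup behind "No credentials found for given 'iss'": the claim named by `key_claim_name` (default `iss`) must equal a credential's `key`, and the token's `alg` must equal the credential's `algorithm`; it does not verify signatures. The function names are the example's own, the Secret layout (`kongCredType`, `algorithm`, `key`, `rsa_public_key`) mirrors the working command earlier in the thread, and the sample key, certificate and tokens are constructed, not real.

```python
# Added example: validate the PEM, render the Secret, mimic the iss lookup.
import base64
import json
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# --- minimal DER: encode (for the constructed samples) and walk (for the check)
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep it positive

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_encode(label, der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_decode(pem):
    """Return (label, DER). Works whether the body is on one line or many."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def classify_der(der):
    """Say what the DER actually is, whatever the PEM label claims."""
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return "not a DER SEQUENCE"
    first, f_start, _ = _read_tlv(der, start)
    if first == 0x02:                       # SEQUENCE { INTEGER n, INTEGER e }
        return "PKCS#1 RSAPublicKey"
    if first != 0x30:
        return "unknown"
    inner, i_start, i_end = _read_tlv(der, f_start)
    if inner == 0x06:                       # AlgorithmIdentifier opens with an OID
        algo = "rsaEncryption" if der[i_start:i_end] == RSA_ENCRYPTION_OID else "non-RSA"
        return f"SubjectPublicKeyInfo ({algo})"
    if inner in (0xA0, 0x02):               # TBSCertificate: [0] version, INTEGER serial
        return "X.509 Certificate"
    return "unknown"

def kong_jwt_secret_yaml(name, key, pem, algorithm="RS256"):
    """Render the Secret the Ingress Controller turns into a jwt credential.
    Values go under `data` (base64), so the PEM's real newlines are preserved."""
    label, der = pem_decode(pem)
    kind = classify_der(der)
    if label != "PUBLIC KEY" or kind != "SubjectPublicKeyInfo (rsaEncryption)":
        raise ValueError(f"rsa_public_key must be a PEM 'PUBLIC KEY' holding an RSA "
                         f"SubjectPublicKeyInfo; got '{label}' containing: {kind}")
    fields = {"kongCredType": "jwt", "algorithm": algorithm, "key": key, "rsa_public_key": pem}
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    out = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}", "type: Opaque", "data:"]
    out += [f"  {k}: {b64(v)}" for k, v in fields.items()]
    return "\n".join(out) + "\n"

def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def match_credential(token, credentials, key_claim_name="iss"):
    """Mimic the plugin's lookup: the claim named by key_claim_name (default 'iss')
    must equal a credential's `key`, and the token's alg must equal that
    credential's `algorithm`. Signature verification is deliberately not done here."""
    header, payload, _signature = token.split(".")
    issuer = _b64url_json(payload).get(key_claim_name)
    cred = next((c for c in credentials if c["key"] == issuer), None)
    if cred is None:
        return None, f"No credentials found for given '{key_claim_name}'"
    if _b64url_json(header).get("alg") != cred["algorithm"]:
        return None, "Invalid algorithm"  # plugin rejects an alg mismatch; wording approximated
    return cred, "ok"

def unsigned_token(header, claims):
    """Constructed test token: two real JOSE segments plus a dummy signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}.dummysig"

# Constructed sample inputs (not real keys): a 2048-bit odd modulus laid out as an
# RSA SubjectPublicKeyInfo, and a certificate stub holding only the leading
# TBSCertificate fields the check looks at, pasted between PUBLIC KEY markers.
_N = (1 << 2047) | int.from_bytes(b"constructed-not-a-real-key" * 8, "big") | 1
SAMPLE_PUBLIC_KEY_PEM = pem_encode("PUBLIC KEY", _der(0x30,
    _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    + _der(0x03, b"\x00" + _der(0x30, _der_int(_N) + _der_int(65537)))))
SAMPLE_CERT_AS_PUBLIC_KEY_PEM = pem_encode("PUBLIC KEY",
    _der(0x30, _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1))))
```

Run `print(kong_jwt_secret_yaml("ds-jwt-public", "iss.com", SAMPLE_PUBLIC_KEY_PEM))` and apply the output with `kubectl apply -f`; feeding `SAMPLE_CERT_AS_PUBLIC_KEY_PEM` instead raises before anything reaches the cluster, which is the point: the 400 from `/config` is the same check happening one step later.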

