I have a question regarding the JWT plugin for Kong.
After a lot of research I managed to configure the JWT plugin to verify Firebase's JWTs forged by the Firebase Auth service. I've configured the plugin to use "kid" as "key_claim_name" and have put two credentials for a single consumer based on https://firstname.lastname@example.org.
Now this verifies the token fine, but it's a generic verification for Firebase. This doesn't check the "aud" claim at all. I expect that I could only pass requests with the target "aud" specified.
Is it possible to verify aud (on top of kid and possibly iss)?
If not, what is the pattern here? Should the service (microservice) check it on its own?
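The following is an added example, not part of the original post and not code from Kong or Firebase. It shows the second option the question raises: the gateway's JWT plugin verifies the signature (key selected by "kid") and, if `claims_to_verify` is set, `exp`/`nbf`, while the microservice behind it checks `iss` and `aud`. The audience check matters because Firebase ID tokens of every project are signed with the same Google key set, so a signature-only check at the gateway accepts tokens minted for other projects. The project ID and the issuer URL format below are assumptions (Firebase uses `aud = <project-id>` and `iss = https://securetoken.google.com/<project-id>`); `make_unsigned_token` only builds constructed sample tokens for testing.

```python
import base64
import json

# Assumed values for a hypothetical Firebase project; replace with your own.
EXPECTED_AUD = "my-firebase-project"
EXPECTED_ISS = "https://securetoken.google.com/my-firebase-project"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.

    This is only acceptable because the gateway (Kong's jwt plugin in the
    question) has already verified the signature, and only if the service is
    not reachable except through that gateway. Do not use this on tokens that
    arrive from anywhere else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(claims: dict, expected_aud: str, expected_iss: str) -> bool:
    """Check iss and aud. RFC 7519 allows aud to be a string or a list."""
    if claims.get("iss") != expected_iss:
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected_aud
    if isinstance(aud, list):
        return expected_aud in aud
    return False  # aud missing or of an unexpected type


def check_token(token: str,
                expected_aud: str = EXPECTED_AUD,
                expected_iss: str = EXPECTED_ISS) -> bool:
    """Service-side check to run after the gateway has verified the signature."""
    return audience_ok(decode_claims(token), expected_aud, expected_iss)


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token with a dummy signature, for tests only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    good = make_unsigned_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "uid-1"})
    other = make_unsigned_token({"iss": "https://securetoken.google.com/other-project",
                                 "aud": "other-project", "sub": "uid-2"})
    print("own project token accepted:", check_token(good))
    print("other project token accepted:", check_token(other))
```

Both the open-source jwt plugin's `claims_to_verify` values (`exp`, `nbf`) and the `key_claim_name`/`kid` lookup say nothing about who the token was issued for, so the service (or a custom plugin) has to own the `iss`/`aud` check. Keep the decode-without-verify shortcut strictly behind the gateway; a service that can be reached directly must verify the signature itself.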