JWT signature is ignored

I’m attempting to set up JWT authentication in kong/ingress-controller.

So far it seems to recognize the token and checks expiration and such just as expected, and it also returns unauthorized if no token is passed.

The problem is that it doesn’t seem to validate the integrity of the token; I can mess with the signature or other parts of the token and it’s still accepted. I expected that the signature would always be checked.

I must have missed something. I’ll post the resources I’ve deployed below:

JWT plugin:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  clusterName: ""
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
    global: "false"
    helm.sh/chart: kong-2.1.2
  name: kong-jwt
  namespace: acc3-iot-kong
plugin: jwt

kong consumer:
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  clusterName: ""
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
    helm.sh/chart: kong-2.1.2
  name: kong
  namespace: acc3-iot-kong
username: kong

kong credential:
apiVersion: configuration.konghq.com/v1
config:
  algorithm: RS256
  key: http://localhost:8080/auth/realms/iot
  rsa_public_key: |-
    -----BEGIN PUBLIC KEY-----

    -----END PUBLIC KEY-----
consumerRef: kong
kind: KongCredential
metadata:
  clusterName: ""
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
    helm.sh/chart: kong-2.1.2
  name: kong
  namespace: acc3-iot-kong
type: jwt

Is there something I’ve missed, like an option to turn on signature validation or something?

Also, the Kong version is 1.1.2, and ingress-controller 0.4.0. I’m running db-less in Kubernetes/OpenShift.

I think I found the problem.

It seems that the jwt plugin needs to be defined in the same namespace as the ingress rule.
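
A regression check for the symptom described in this thread, added here as an example and not part of the original posts: it alters a known-good token's signature and payload and reports any altered token the gateway still accepts. The function names, the sample token and the stub gateway are hypothetical; `send` is assumed to be any callable that submits a token and returns the HTTP status.

```python
import base64
import json

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token():
    # Constructed token: claims are made up and the "signature" is filler bytes.
    header = _b64e(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": "http://localhost:8080/auth/realms/iot", "sub": "demo", "exp": 4102444800}
    return f"{header}.{_b64e(json.dumps(claims).encode())}.{_b64e(bytes(range(64)))}"

def tampered_variants(token):
    """Tokens that differ from the original and must fail signature verification."""
    header, payload, sig = token.split(".")
    raw_sig = bytearray(_b64d(sig))
    raw_sig[0] ^= 0x01  # flip one bit in the first signature byte
    claims = json.loads(_b64d(payload))
    claims["sub"] = f"{claims.get('sub', '')}-edited"  # change a signed claim
    return {
        "signature bit flipped": f"{header}.{payload}.{_b64e(bytes(raw_sig))}",
        "payload edited": f"{header}.{_b64e(json.dumps(claims).encode())}.{sig}",
    }

def accepted_tampered(send, valid_token):
    """send(token) -> HTTP status. Returns names of tampered tokens not rejected."""
    if send(valid_token) >= 400:
        raise ValueError("untouched token was rejected; fix that first")
    return [n for n, t in tampered_variants(valid_token).items() if send(t) < 400]

def expiry_only_stub(token, now=1_700_000_000):
    # Stand-in for the symptom in the thread: claims are checked, signature is not.
    try:
        claims = json.loads(_b64d(token.split(".")[1]))
    except ValueError:
        return 401
    return 200 if claims.get("exp", 0) > now else 401

if __name__ == "__main__":
    sample = make_sample_token()
    print(accepted_tampered(expiry_only_stub, sample))  # stub that ignores signatures
    print(accepted_tampered(lambda t: 200 if t == sample else 401, sample))  # strict stub
```

Against a real deployment, `send` would issue a request with the token to a route protected by the plugin, and an empty result means every altered token was rejected.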