I have somewhat of an issue with the JWT plugin and I feel like I'm missing something, so I wanted to see if I can get some clarification.
So, this is our use case:
We want Kong ONLY to validate JWT tokens on an API request, not to create & manage them.
We have our own authentication system that generates JWT tokens for our end users. These tokens are short-lived, let's say ~1 hour.
We would like only to keep the “secret” in Kong so that when a user makes a request with the “Authorization: Bearer” header Kong can validate the token.
So, where's the problem? We also want to use Kong's Consumers, mostly for rate-limiting (that's the only use case we currently know of, there might be others in the future), but as I mentioned before, we can't create a Consumer in Kong and assign a JWT token to it; we can only identify the end user after reading the token (using the JWT claim).
If I understand correctly, the only solution is to use a plugin that can map the request to a Consumer using the JWT claim, and this is something that is available only using the enterprise edition JWT plugin (here), not the community one. Am I right here?
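The following is an added example, not code from the original post or from Kong, that models the split described above in plain Python (standard library only): the authentication system mints a short-lived HS256 token, while the validating side holds nothing but the shared secret, checks the signature and expiry first, and only then reads the claim used to identify the caller. The secret, issuer, subject, TTL and the choice of `sub` as the identity claim are assumptions for illustration; the `Authorization: Bearer` parsing mirrors the header the post mentions.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be trusted (malformed, bad signature, expired)."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except (ValueError, TypeError) as exc:
        raise TokenError("malformed base64url segment") from exc


def issue_token(secret: bytes, issuer: str, subject: str, ttl_seconds: int = 3600, now=None) -> str:
    """What the external auth system does: mint a short-lived HS256 JWT (assumed claim set)."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(secret: bytes, token: str, now=None, identity_claim: str = "sub"):
    """What the validating side does with only the shared secret.

    Order matters: pin the algorithm, verify the signature, check expiry, and
    only then read any claim. A claim read before the signature check is
    attacker-controlled input. Returns (identity, claims).
    """
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Never let the token pick the algorithm: reject "none", RS256, etc. when HS256 is expected.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired or missing exp")

    identity = claims.get(identity_claim)
    if not isinstance(identity, str) or not identity:
        raise TokenError(f"missing {identity_claim} claim")
    return identity, claims


def authenticate_request(secret: bytes, headers: dict, now=None, identity_claim: str = "sub"):
    """Pull the token out of 'Authorization: Bearer <jwt>' and validate it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing bearer token")
    return verify_token(secret, token.strip(), now=now, identity_claim=identity_claim)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    shared_secret = b"example-shared-secret"
    tok = issue_token(shared_secret, "auth.example.internal", "user-42")
    who, _ = authenticate_request(shared_secret, {"Authorization": "Bearer " + tok})
    print("request authenticated as", who)
```

The identity returned by `verify_token` is what a gateway would use to look up a per-caller policy such as a rate limit; the point of the ordering in that function is that the lookup key comes from a token whose signature and expiry have already been checked, never from an unverified claim.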