JWT token not issued by Kong - how to map to consumer


I have somewhat of an issue with the JWT plugin and I feel like I’m missing something; wanted to see if I can get some clarifications.

So, this is our use case:

We want Kong ONLY to validate JWT tokens on an API request, not to create & manage them.
We have our own authentication system that generates JWT tokens for our end users. These tokens are short-lived, let’s say ~1 hour.

We would like only to keep the “secret” in Kong so that when a user makes a request with the “Authorization: Bearer” header Kong can validate the token.

So, where’s the problem? We also want to use Kong’s Consumers, mostly for rate-limiting (that’s the only use case we currently know of, there might be others in the future), but as I mentioned before, we can’t create a Consumer in Kong and assign a JWT token to it; we can only identify the end user after reading the token (using the JWT claim).

If I understand correctly, the only solution is to use a plugin that can map the request to a Consumer using the JWT claim, and this is something that is available only using the enterprise edition JWT plugin (here), not the community one. Am I right here?


This is exactly my use case to support. Did you confirm that the only solution is to use an enterprise edition JWT plugin that can map the request to a Consumer using the JWT claim?

Actually no, you CAN do that with the community plugin.
Use the “config.key_claim_name” setting to set a field in your JWT claim that will be used to match to a current consumer.
So for example, if you configured “config.key_claim_name=sub”, then you need to have a consumer with “custom_id=X”, then create jwt_credentials for this consumer with “key=X”, and now if a token arrives and the “sub” field is X then it will be matched with this consumer. Hope it was clear 🙂
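The lookup the answer above describes, written out as an added, self-contained Python example (not code from the thread or from Kong itself): the value of the claim named by `config.key_claim_name` selects a JWT credential by its `key`, that credential names the consumer, and only then is the signature checked with that credential's secret. The consumer id, username and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data mirroring the answer: a consumer with custom_id "X"
# and a JWT credential for it whose key is "X". The ids are hypothetical.
CONSUMERS = {"consumer-uuid-1": {"custom_id": "X", "username": "alice"}}
JWT_CREDENTIALS = {"X": {"consumer_id": "consumer-uuid-1",
                         "secret": "per-consumer-secret", "algorithm": "HS256"}}
KEY_CLAIM_NAME = "sub"  # what config.key_claim_name=sub would select


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, secret):
    """Stand-in for the external auth system (not Kong) issuing an HS256 token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def map_token_to_consumer(token):
    """Claim -> credential -> consumer, then verify with that credential's secret.
    Returns (username, reason); username is None when the request would be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None, "malformed token"
    key = claims.get(KEY_CLAIM_NAME)
    if key is None:
        return None, f"no '{KEY_CLAIM_NAME}' claim"
    cred = JWT_CREDENTIALS.get(key)
    if cred is None:
        return None, "no credential for key"  # unknown sub: no consumer, request rejected
    if header.get("alg") != cred["algorithm"]:
        return None, "algorithm mismatch"  # the credential, not the token, decides the alg
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(cred["secret"].encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "invalid signature"
    return CONSUMERS[cred["consumer_id"]]["username"], "ok"
```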