Kong API Gateway and JWKS for validating JWTs

I am using the Kong API Gateway in DB-less mode as a sidecar container. This does the JWT verification for my RS256 tokens.
I have got this working by supplying a static public key as part of the kong.yml.

I now need to update what I have done so it uses a JWKS endpoint in order to get the public keys that it uses. I have thought of a number of approaches to this and I would like to know what others think.

  1. I could establish a second process in the Kong container that independently accesses the JWKS endpoint. If it finds a changed set of keys, it could regenerate a new kong.yml and call the API endpoint to refresh the Kong configuration.

  2. I could take a copy of the current JWT plugin from https://github.com/Kong/kong/tree/master/kong/plugins/jwt and alter it so that it does the retrieval and caching process.

  3. In the JWT plugin I have noticed it retrieves the key from the DB (or cache).
    I was thinking: is it possible to write a global JWKS loader plugin that runs every 10 minutes, checks the endpoint and populates the Kong DB/cache with the result? This would have the effect of making the existing JWT plugin work with the keys provided.

I would like to know thoughts on the above or if I am missing an easier solution.
(I am aware of the jwt-signer plugin, but that seems to be enterprise only and it only seems to be for signing upstream requests.)
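
The core of approach 1, as an added example that is not part of the original post or Kong's own code: it converts the RSA signing keys of a JWKS into `jwt_secrets` entries for kong.yml and triggers a reload only when the key set has changed. Assumptions: the jwt plugin is configured with `key_claim_name: kid` so that each credential's `key` can be the JWK `kid`, the consumer name is a placeholder, and `reload` is a hypothetical callback standing in for rewriting kong.yml and calling the refresh endpoint.

```python
import base64, hashlib, json

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # DER AlgorithmIdentifier, rsaEncryption

def _b64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _der_int(raw):
    raw = raw.lstrip(b"\x00") or b"\x00"
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def jwk_to_pem(jwk):
    """RSA JWK (n, e) -> SubjectPublicKeyInfo PEM for rsa_public_key."""
    rsa = _der(0x30, _der_int(_b64u(jwk["n"])) + _der_int(_b64u(jwk["e"])))
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def jwt_secrets(jwks, consumer):
    """One jwt_secrets entry per RSA signing key, keyed by kid, in stable order."""
    keys = [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig" and k.get("kid")]
    return [{"consumer": consumer, "key": k["kid"], "algorithm": "RS256",
             "rsa_public_key": jwk_to_pem(k)} for k in sorted(keys, key=lambda k: k["kid"])]

def sync(jwks, consumer, last_digest, reload):
    """Call reload(secrets) only if the key set changed; return the current digest."""
    secrets = jwt_secrets(jwks, consumer)
    if not secrets:  # empty or unusable JWKS: keep the keys Kong already has
        return last_digest
    digest = hashlib.sha256(json.dumps(secrets, sort_keys=True).encode()).hexdigest()
    if digest != last_digest:
        reload(secrets)  # hypothetical hook: rewrite kong.yml, then refresh Kong
    return digest

# Constructed sample JWKS (toy 16-bit moduli, not usable keys)
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-2", "n": "wwE", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-1", "n": "xQM", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "enc-1", "n": "wwE", "e": "AQAB"},
]}
```

Returning the previous digest when the fetched set is empty means a failing or truncated JWKS response never replaces working keys with nothing.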