Kong JWT Plugin and Auth0

Kong Hub
1

Hello everyone,

I’m new with Kong and I am stuck on something with my gateway.

I have an SPA which call multiple microservices running behind Kong and I’m trying to delegate authentication to him by using the JWT plugin with Auth0.

But I fail to achieve this…

I would like to have 1 consumer = 1 end user in order to add ACL Plugins after but for the moment it’s not my focus because the authentication part doesn’t work: frowning:

Is this possible to have 1 consumer = 1 end user and pass the JWT generate after login with Auth0 on my SPA (with default login form of Auth0) to Kong in order to verify this token and grant access to my backend apis ?

Thanks

2

JWT plugin can only be used to validate a JWT token. You can’t use JWT plugin for authorization code flow.

You can request a JWT token from Auth0 and then JWT plugin validates this token.

There is a section about using JWT plugin with Auth0 on official doc.

3

Thanks for reply, I success to do something but could you tell me if I’m wrong :
1 - User connect through my SPA with Auth0
2 - My SPA store accessToken/idToken of the user in order to make request to Kong gateway
3 - When my SPA need to call my backend, it use the user token stored before

With this, I success to call my API which is protected by Kong JWT plugin (and I think this is the part where you tell me this plugin is only for validation purpose with the public key of my Auth0 account).

But with this configuration I only have one consumer which represent my SPA application, so I have two questions :

  1. There is a way to make 1 consumer = 1 end user ?
  2. If not, there is a way to tell Kong that If the JWT is valid make an introspection of this token ? I would like to pass the request to a webservice in order to check which user emmit the request from the SPA (according to my Auth0 user’s informations)
4

If I understand correctly, there is only 1 signing key per Auth0 account which means you can only assign Auth0 public key to 1 Kong consumer.

This means I only have one consumer which represent my SPA application is the expected behaviour because JWT plugin only does the authentication part.

Your upstream app need to decode the JWT token (after authentication is passed) and return different content based on the info on it.

5

Yeah, I understand as the same for my use-case…

I found this on documentation :

Maybe this Plugin is a more complete solution ?

And for the JWT decode, I think is better to make my own plug-in that do the logic before redirect the request to my route right ?

That allow me to not edit all my microservices to handle JWT decode logic.

Thanks for your answers

6

OIDC is arguably the most powerful Kong plugin. It does all things you want. consumer mapping, introspection, authorization_code flow and much more.

If you are Kong enterprise customer, this is the plugin you need.

7

Oh, we need to be an enterprise customer, this plugin doesnt come with the free version? :sleepy: