Need to have anonymous routing through jwt global plugin urgently

Hi there,

I have been using Kong db-less 1.4.1, running on Kubernetes (OpenShift).
I have configured (enabled) the JWT plugin as global, to be used for all REST APIs behind Kong, but I also need to have anonymous in the same plugin for exceptions. I created the JWT plugin with the YAML below:


apiVersion: configuration.konghq.com/v1
config:
  anonymous: "this is an example of consumer_id"
kind: KongPlugin
metadata:
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/name: kong
    global: 'true'
  name: global-jwt
  namespace: iot-kong
plugin: jwt

Moreover, I have also created “KongConsumer” and “KongCredential”. This plugin works perfectly, but when I add anonymous to this configuration, it doesn’t work anymore.

Please do me a favor and send me a practical example to solve my problem.

It’s too urgent

BR,
//Hamed

Please use username instead of ID of the consumer for the anonymous property.

Thanks a lot for quick reply.

I have changed it as you said, but I got {“message”:“An unexpected error occurred”} from Kong.

But the below happened inside the container:

2020/01/28 09:10:13 [error] 24#0: *9190992 [kong] handler.lua:261 [jwt] failed to get from node cache: [off] invalid primary key: ‘{id=“expected a valid UUID”}’,

Make sure you are using Kong 1.4+, you already mentioned that.
Can you share the KongPlugin, KongConsumer resources that you are using?

I’m pretty sure about Kong version 1.4.1.
I have two different consumers:

  1. anonymous-consumer as below:

apiVersion: configuration.konghq.com/v1
credentials:

  2. Kong consumer as below:

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  clusterName: ''
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
  name: kong
  namespace: iot-kong
  selfLink: >-
    /apis/configuration.konghq.com/v1/namespaces/iot-kong/kongconsumers/kong
  uid: 24d323c2-12c0-11ea-a579-0050568cabd9
username: kong

(1) has been used to make an anonymous way inside the global Kong JWT plugin and (2) has been used for the Kong JWT plugin itself.

We didn’t use to have anonymous consumer before desiring
global kong jwt plugin has to have anonymous way of insecure routing

You can find the Kong JWT plugin as follows:

apiVersion: configuration.konghq.com/v1
config:
  anonymous: 24e151a9-14c0-11ea-a539-2050568cabd6
  claims_to_verify:
    - exp
kind: KongPlugin
metadata:
  clusterName: ''
  labels:
    app.kubernetes.io/instance: kong
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: kong
    global: 'true'
  name: global-jwt
  namespace: iot-kong
  selfLink: >-
    /apis/configuration.konghq.com/v1/namespaces/iot-kong/kongplugins/global-jwt
  uid: 24e151a9-12c0-11ea-a579-0050568cabd9
plugin: jwt

Please give me a hand if it can be used

Thanks in advance
//Hamed

You should use the username of the consumer in this field. This should be anonymous-consumer based on your KongConsumer definitions above.

I have changed it like what you said but I got {“message”:“An unexpected error occurred”} from kong

But below has happened inside the container

2020/01/28 09:10:13 [error] 24#0: *9190992 [kong] handler.lua:261 [jwt] failed to get from node cache: [off] invalid primary key: ‘{id=“expected a valid UUID”}’,

This probably is a bug. Can you open a Github issue?

To be honest, I’m really busy; if it’s possible, please do it yourself.

This is already fixed https://github.com/Kong/kong/issues/5551.

Please wait for 2.0.2 to be released, which will contain this fix. We plan on having the release in next couple of weeks.

Thank you for the quick reply.
Sounds great.

Applying the username as the value of anonymous has no problem in 2.0.2, but the actual functionality of this global plugin doesn’t work properly.
When I make the JWT plugin global and add anonymous: username, then all APIs can be invoked with no security. I expected to give --header “apiKey = something as key” to the request to let this specific request come in with no token; otherwise other requests should have a token as a must.
We’re still stuck on this plugin usage.

If you always want the API calls to be authenticated then please don’t use anonymous field.

Anonymous field makes it possible to have authenticated and unauthenticated calls to a service.

I want to have authenticated requests by default but also have some exceptions. For example, if you are exposing the token provider API behind Kong, it has to be an unauthenticated request because you will ask for a token, but all the other APIs behind Kong have to be requests authenticated by token.

/iot/api/token (Unauthenticated)
/iot/api/billing (Authenticate)
/iot/api/invoice (Authenticate)

What’s the practical solution? Could you please give me an applicable JWT global plugin configuration with anonymous in it, and a client request example to show how the anonymous request has to look?

You don’t need anonymous consumer in this case.

Create a /iot/api route in Kong with the JWT plugin enabled on it.
Create a more specific /iot/api/token route in Kong and don’t enable the JWT plugin on it.
That should be it.
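
The two-route layout described in the answer above, written out as an added example (not part of the original thread and not the poster's own manifests). The backend service names and ports, the resource names `iot-jwt`, `iot-api` and `iot-token`, and the use of the `networking.k8s.io/v1` Ingress API with the `kong` ingress class are assumptions; use the Ingress apiVersion and annotation name your controller release supports.

```yaml
# JWT plugin with no `global: "true"` label and no `anonymous`: it runs only where referenced.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: iot-jwt
  namespace: iot-kong
plugin: jwt
config:
  claims_to_verify:
  - exp
---
# Protected prefix: every path under /iot/api must present a valid token.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: iot-api
  namespace: iot-kong
  annotations:
    konghq.com/plugins: iot-jwt   # older controller releases use plugins.konghq.com
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /iot/api
        pathType: Prefix
        backend:
          service:
            name: iot-api                # hypothetical backend service
            port: {number: 8080}
---
# Token endpoint: more specific path, no plugin annotation, so no JWT check runs here.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: iot-token
  namespace: iot-kong
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - path: /iot/api/token
        pathType: Prefix
        backend:
          service:
            name: iot-token-provider     # hypothetical backend service
            port: {number: 8080}
```

With this in place a request to /iot/api/token needs no Authorization header, while /iot/api/billing and /iot/api/invoice are rejected with 401 unless they carry a valid JWT. If the old `global-jwt` plugin with the `global: 'true'` label is left deployed, it still applies to the token route, so it has to be removed.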