[plugin] Kong JWT to Backend API Providers

I think it would be nice to provide a layer of security to backend api providers besides mutual TLS. I want to develop it out as a plugin for the community.

Question for Kong developers is this - As someone new to making plugins, do you believe that I can leverage the existing Kong JWT plugin for most of the functionality for generating a JWT and sending it to the backend? I think I will also be implementing an x509 cert in the claims of the JWT.

Any tips on how one might go about accomplishing it? Clone the JWT plugin folder and go from there?

Thanks,
Jeremy

3 Likes

Yes, definitely check out the jwt plugin as a starting point. In particular, while the jwt_parser.lua module is primarily designed for decoding tokens, it does include an encode function (which we use to generate the tokens we use for testing the decode function).

Also, take a look at https://github.com/Kong/kong-plugin for an example of how to structure a plugin in a stand-alone repo.

Hope that helps!

2 Likes

(sorry if this is obvious!) Also consider our documentation on developing custom plugins for Kong

2 Likes

Hi Jeremy, I am also looking for this feature plugin. Can you please post the location where we can find your plugin?

Thanks,
Shiva

Currently it's on a private Enterprise git repo. Once we receive the thumbs up it will be exposed for all, and I will update the topic here as well as make an announcement thread. It will be good to get feedback from other developers and the Kong devs on their thoughts. We like it as it meets many enterprise security needs while enabling backend API Provider teams.

Check if this fits your needs https://github.com/foodora/kong-plugin-jwt-crafter

2 Likes

This is nice. I plan on using the pub/priv RSA, and I also am not trying to wrap it into being based on my consumers. The private key to sign the JWT will be Kong's SSL private key with a corresponding public key, so it will deviate from this a bit. Our plugin also does a SHA256 of the body and adds it as a claim in the JWT to prevent altering of the payload, with downstream apps able to validate the signature so that the body goes unchanged in the event of an attack or MITM. But regardless, you made a solid plugin!
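The scheme described in this post, as an added Go example that is not the author's plugin or Kong's code: the gateway side signs an RS256 JWT whose claim carries a SHA-256 of the request body, and the backend side pins the algorithm, verifies the signature with the gateway's public key, and re-hashes the body it actually received. The key parameter stands in for Kong's SSL private key, and the claim name `body_sha256`, the `iss` value and the base64url encoding of the hash are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWTs use
func bodyHash(body []byte) string { s := sha256.Sum256(body); return b64.EncodeToString(s[:]) }

// craftJWT is the Kong-side step: sign an RS256 JWT whose body_sha256 claim binds the
// request body. key stands in for Kong's SSL private key (an assumption for this example).
func craftJWT(key *rsa.PrivateKey, body []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(map[string]string{"iss": "kong", "body_sha256": bodyHash(body)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyJWT is the backend-side step: pin the algorithm, check the signature with Kong's
// public key, then hash the body actually received and compare it with the claim.
func verifyJWT(pub *rsa.PublicKey, token string, body []byte) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr, claims map[string]string
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("header unreadable or alg not RS256") // refuse algorithm substitution
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("claims unreadable")
	}
	if claims["body_sha256"] != bodyHash(body) {
		return nil, errors.New("body hash mismatch: body altered between Kong and backend")
	}
	return claims, nil
}
```

The backend must compare the hash against the raw bytes it received, before any decoding or re-serialisation, or a benign reformatting would be indistinguishable from tampering.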