Remove JWT plugin added globally

#1

Hi guys,

I am following these step by step instructions from the documentation to set up the jwt plugin and auth0.

However, I have added the plugin at a global level and now when I try to make a request to create a Consumer with the Auth0 public key my request is unauthorized.

What is the best way to remove the jwt plugin since now I can not seem to figure out how to do it through the kong admin api?

I would really appreciate your help since I have been spending the past couple days trying to figure this out.

0 Likes

#2

You should be able to remove this plugin using the Delete Plugin method. See https://docs.konghq.com/1.0.x/admin-api/#delete-plugin. Then you can add it again at the correct level.

1 Like

#3

Thanks for your response,

I would have expected to work like that but in my scenario, I add the JWT plugin through a POST request at url/plugins and the plugin is added successfully.

However, when I try to make any other requests like url/status I get “message”: “Unauthorized”. It looks like the active JWT plugin locks me out of making any other requests including removing the plugin.

Do you know why this behavior happens?

0 Likes

#4

Hi,
How do you access to the admin API ? Directly (:8001) or did you proxy the admin API to access it from another host ?

1 Like

#5

That’s very strange. The JWT plugin would only be applied to routes that are configured in Kong (i.e. the admin API shouldn’t be affected). So, I would guess that @tr00mb is on the money here. Are you accessing the admin API directly (via port 8001 or whatever you have it configured as) or have you gone the route of securing the admin API so that you proxy the requests to it via Kong? If you are proxying the requests then you either need to add the JWT credentials to the delete request or you can open up access to the admin API again by configuring admin_listen = 0.0.0.0:8001, delete the plugin via a direct call to the API and then secure the API once again.

1 Like

#6

Thank you so much guys for your time to help me on this.

I use https://github.com/heroku/heroku-kong on a heroku dyno and as they mention it the documentation i use this url https://$APP_NAME.herokuapp.com/kong-admin to connect to the admin (and I pass the apikey in the header).

0 Likes

#7

Hi,
Looking at https://github.com/heroku/heroku-kong , it appears that kong-admin is a route from a service which target the Admin API (localhost:8001 where kong is deployed).

Having kong admin listener configured to 0.0.0.0:8001 is a way protecting the Admin API from external call.

Setting up a route to this Admin API, allows ,at the same time, giving access to the Admin API and controlling this access (the same way that you can control access to any other API)
In the heroku deployment, a route is created to access the Admin API, and it is ‘secured’ by an API Key.

By adding the JWT plugin globally, you secured also this particular access to the Admin API. I cannot see how to remove it as you have no other access to the Admin API (because you are not able to connect to the server where kong is deployed).

1 Like

#8

Thanks! That makes sense. Do you think I could remove it by connecting to the admin console on the heroku server? https://github.com/heroku/heroku-kong#admin-console

0 Likes

#9

Yes it should work
Once connected, following ADMIN heroku page, you will be able to perform the delete plugin proposed by @onematchfox

In summary
heroku run bash --app $APP_NAME
bin/background-start
curl http://$KONG_ADMIN_LISTEN/plugins
From there you should be able to retrieve the id of you jwt plugin
And finally curl -X DELETE http://$KONG_ADMIN_LISTEN/plugins/{id}

I have not tested the commands (you might have to update them) but I tested that I had access to the Admin API in the console.

2 Likes

#10

Thanks! I will have a look into it. Until then I will mark your answer as the solution.

0 Likes