Sessions and key rotation

Hi everyone. I wanted to get some ideas of how other Kong users are handling key rotation and session management. I have a specific need to store the JWT we use for access to our services on the client browser. Currently I do this using a session inside a Node Express server so the user only gets a session id token.

Now what I was wondering is if it would be a good idea to rotate consumer keys inside Kong every time a user logs out or their session expires.

What’s the prevailing opinion of accessing Kong’s admin API from inside the app it proxies?

We are indeed doing key rotation regarding oauth2 client creds and JWT secret keys. Only once yearly as consumers hate those sorts of requirements hah.

Is your use case more OpenID Connect specific? Many of these patterns using some external identity provider have built in logic that already sort of handle the session renewal/logouts expiry stuff for you. We are doing OIDC and sort of cache key->value{value being the user Info returned}, key being an encrypted version of the access token for _ amount of time in the user's session, we are working on a /logout that deletes that cache entry within Kong as well, is this sort of what you are referring to? It's not actually deleting/rotating the keys/secrets per se as I don’t see a need there but rather the active sessions or cached values those sessions were tied to.

As for how to setup access to the Kong Admin API from an App why not make a proxy to your Admin API, then protect that Proxy with like HS256 JWT and have your app programmatically prepare a JWT Authorization: Bearer **** header to handle secure transaction calls to the API (it's what we do 🙂).

I think you and I are doing very similar ideas. We don’t have our identity software figured out just yet so I’m just prototyping dummy solutions.

The issue I run into with tokens is that without a way to invalidate them a user can’t effectively log out. Meaning a JWT could be reused. I was wondering about the feasibility of inserting/deleting the JWT for a user in Kong when their session begins and ends. That would allow us to not have to track sessions in our web app.

From what I can determine you either keep sessions or you need a way to invalidate tokens server-side.

I’m interested to hear more of your thoughts since we seem to be going down the same road.

Thanks!