Hi there,
This is my first question/issue here so let me know if it misses some details.
We have started to use Kong as an Ingress Controller, but I have a small issue around the Kong JWT plugin.
Here is what I have currently:
2 separate apps on the same K8s cluster (separated by namespaces)
KongPlugin JWT on the Ingress for both apps
KongConsumer and KongCredential for each namespace
My routes are protected (401 when I access the route without any token)
My issue:
On both apps, the tokens are checked and authenticated with both consumers. This is an issue, as I want to validate the token only with the consumer corresponding to the current namespace (different signature key per namespace).
So what I tried to do is: add a consumerRef to my KongPlugins to specify which credentials to use when validating the token.
But it doesn't work. The plugin is not attached to a specific consumer and no errors show up in the Kong ingress controller.
Do we have limitations around this consumerRef property? Am I missing something about how to connect a plugin in a specific namespace to specific credentials?
Hi @mativillagra, thanks for your answer and your time.
I have the same configuration and it works fine when you only have one KongPlugin JWT and one KongConsumer (with credentials).
What I am trying to do:
If I have a route A and a route B, I would like to apply a KongPlugin JWT jwta on route A and a KongPlugin JWT jwtb on route B. And I want jwta to be linked to a specific KongConsumer kca and jwtb linked to kcb.
This way I cannot access route A if I have a token signed with credentials linked to KongConsumer kcb.
Current Behaviour:
If I apply 2 different JWT plugins, then I don't know how to specify that jwta should check the token signature ONLY with kca credentials and that jwtb should check the token signature ONLY with kcb credentials. So right now I can access route A with a token signed with the private RS256 key corresponding to the kcb credentials => Unwanted behaviour.
This is correct.
It is not possible in Kong to limit JWT plugin execution to a consumer, since it's the plugin that determines which consumer is present.
What you're looking for is the ACL plugin in Kong:
You can associate each consumer with an ACL group, and then allow access to the consumer of a particular group based on the namespace.
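The ACL approach described in the answer above, written out as an added example (this is not from the thread or from Kong's own documentation). It keeps the thread's KongConsumer/KongCredential CRDs; the namespace `app-a`, the consumer and group names, the issuer `app-a-issuer`, the Ingress path and backend service are all assumed placeholders. Which ACL field name applies depends on the Kong version: `whitelist` on Kong 1.x, renamed `allow` in Kong 2.x. Newer Kong Ingress Controller releases replaced KongCredential with credential Secrets and changed the plugin annotation to `konghq.com/plugins` (older releases use `plugins.konghq.com`); adjust to the version you run. Namespace `app-b` mirrors this with its own consumer, RSA key and group.

```yaml
# Added example: one namespace (app-a) wired so that a JWT signed for any other
# consumer is rejected on route A. Every name below is an assumed placeholder.
---
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: consumer-a
  namespace: app-a
username: consumer-a
---
# JWT credential. The JWT plugin matches the token's `iss` claim (default
# key_claim_name) against `key`, so `key` must be unique across ALL consumers.
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: consumer-a-jwt
  namespace: app-a
consumerRef: consumer-a
type: jwt
config:
  key: app-a-issuer
  algorithm: RS256
  rsa_public_key: |
    -----BEGIN PUBLIC KEY-----
    (placeholder: PEM-encoded RSA public key that app-a signs tokens with)
    -----END PUBLIC KEY-----
---
# ACL membership. This is the only thing that separates consumer-a from
# consumer-b once both have been authenticated by the shared JWT plugin.
apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: consumer-a-acl
  namespace: app-a
consumerRef: consumer-a
type: acl
config:
  group: app-a
---
# Authentication: identifies the consumer (any consumer whose key matches iss).
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-auth
  namespace: app-a
plugin: jwt
config:
  claims_to_verify:
  - exp
---
# Authorization: runs after authentication and only lets the app-a group through.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: acl-app-a
  namespace: app-a
plugin: acl
config:
  whitelist:        # assumed Kong 1.x field; `allow` on Kong 2.x
  - app-a
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-a
  namespace: app-a
  annotations:
    # older KIC releases: plugins.konghq.com
    konghq.com/plugins: jwt-auth, acl-app-a
spec:
  rules:
  - http:
      paths:
      - path: /a
        backend:
          serviceName: app-a      # assumed backend Service
          servicePort: 80
```

Expected behaviour once applied: a request to `/a` with no token is still rejected with 401 by the JWT plugin; a request with a valid token signed by consumer-b's key authenticates as consumer-b and is then rejected with 403 by the ACL plugin, because consumer-b is not in group `app-a`; only a token whose `iss` is `app-a-issuer` and whose signature verifies against the app-a public key reaches the backend. Both plugins run in the access phase, and Kong orders authentication plugins before the ACL plugin, so the ACL check always sees the consumer the JWT plugin resolved.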