Validate a JWT token generated by Amazon Cognito

Hi Kong Team!

Would like to use Kong API Gateway for my microservices. API requests will be sent with an access token generated by Cognito in the headers of the request like so:
Bearer

How can we validate a JWT token generated by Amazon Cognito using the JWT Plugin? Looking to validate the token from Cognito and possibly grab its attributes/claims like user group, user email.

Thanks so much!

1 Like

@jumanah-alasadi I have the same requirements as yours, are you able to make it happen?

1 Like

Hey guys, @jumanah-alasadi and @Tayyab_Sarwar did you solve that?
If yes, how?

You probably need to build your own plugin to validate the token. The built-in jwt plugin is for a custom JWT workflow. There’s an enterprise plugin that does this, but as I said, it’s under enterprise license.

For building your own using Go libraries, you can check out these:
github.com/MicahParks/keyfunc/v3
github.com/golang-jwt/jwt/v5
Basically, you use golang-jwt to decode the token and keyfunc to get the JWKS info, which is used to validate the token and as input for the jwt.Parse workflow.

Thanks @lays147.
The shared links are broken (404).

I’ve found this repository, lendtech/jwks-aware-oauth-jwt-access-token-validator (a plugin for Kong 3.x+ that authenticates API requests by means of bearer JWT tokens whose signatures can be verified by using a JWK fetched from a remote JWKS endpoint), which looks like what I need.

1 Like

Great then. Just be careful when using those plugins because of maintenance and security patching.

The links work if you remove (v3 and v5) from the end of each one.

1 Like