Kong Gateway JWT backend protection
The Kong API Gateway is a powerful tool for managing traffic to your cluster. By using the [Kong JWT plugin], you can validate requests to your API to ensure they are authenticated.
Using Kong plugins
This guide assumes you have already installed the Kong JWT plugin. The steps below configure it to validate JWTs issued by Frontegg.
Step 1: Create a service
To create a service, run the following command:
```bash
curl -i -f -X POST http://localhost:8001/services \
  --data "name=my-cool-service" \
  --data "url=http://httpbin.org"
```
Step 2: Create a route on Kong
Next, create a route for your service, using the `id` returned when the service was created:
```bash
curl -i -f -X POST http://localhost:8001/routes \
  --data "service.id={my-cool-service's id}" \
  --data "paths[]=/test"
```
Step 3: Add the JWT plugin to the route
Add the JWT plugin to the route, using the `id` returned when the route was created (the Admin API path is `/routes/`, plural):
```bash
curl -i -X POST http://localhost:8001/routes/{route id}/plugins \
  --data "name=jwt"
```
Step 4: Create the Kong consumer
To create a Kong consumer, use the Admin API. The `id` returned here is the `{consumer}` value used in step 6:
```bash
curl -i -X POST http://localhost:8001/consumers/ \
  --data "custom_id=SOME_CONSUMER_ID"
```
Step 5: Copy the JWT public key from the Frontegg portal
- In the Frontegg portal, go to [ENVIRONMENT] ➜ Configurations ➜ Security ➜ JWT.
- Open the JWT signature tab and copy the public key.
Step 6: Create a new RS256 JWT credential
Now, create an RS256 JWT credential for the consumer using the copied public key. The credential's `key` must be exactly the `iss` claim that Frontegg puts in its tokens, i.e. your workspace URL:
```bash
curl -i -X POST http://localhost:8001/consumers/{consumer}/jwt \
  -F "algorithm=RS256" \
  -F "rsa_public_key=[THE-PUBLIC-KEY-FROM-THE-PORTAL]" \
  -F "key=https://{workspace-url}.frontegg.com/"   # must equal the token's `iss` claim
```
Issuer validations
The configuration above validates that the issuer (`iss` claim) of the JWT is the Frontegg workspace domain. The Kong JWT plugin does this by default: it reads the claim named by `key_claim_name` (`iss` unless configured otherwise), looks up the consumer credential whose `key` equals that value, and verifies the token's RS256 signature with that credential's public key. A token whose `iss` matches no credential is rejected before any signature check.
Testing
To test your configuration, call the test endpoint with a JWT signed by Frontegg:
```bash
curl -i http://localhost:8000/test \
  -H "Host: example.com" \
  -H "Authorization: Bearer <TOKEN-FROM-FRONTEGG>"
```