bjwschaap/kong-plugin-jwt-auth

Repository files navigation

JWT-Auth Icon

kong-plugin-jwt-auth

Kong plugin that performs authorization based on custom role claim in JWT

How to use

This plugin is typically used on routes to authorize access to a specific route by checking the roles claimed in the JWT.

This plugin is designed to work alongside the standard JWT plugin provided by Kong. The default Kong JWT plugin validates the JWT and authenticates the consumer. This plugin then takes the validated token from the Nginx context and checks that a custom roles claim in the JWT contains the roles given in the plugin configuration (at least one of them, or all of them, depending on the configured policy).

Configuration parameters

| Parameter        | Type   | Optional | Default | Description |
|------------------|--------|----------|---------|-------------|
| roles_claim_name | string | X        | roles   | Name of the claim/attribute in the JWT that contains the roles to check |
| roles            | array  | -        |         | List of 1 or more roles that are allowed to use the resource (route, service, etc.) |
| policy           | string | X        | any     | Determines whether at least one role or all roles must match. One of: any or all |

Example: enabling the plugin on a route

Configure this plugin on a route with:

# plugin settings are passed to the Admin API under the "config." prefix
$ curl -X POST http://kong:8001/routes/{route_id}/plugins \
    --data "name=jwt-auth" \
    --data "config.roles_claim_name=Groups" \
    --data "config.roles=role1,role2,role3" \
    --data "config.policy=all"

JWT roles claim

The roles claim in the JWT can be either an array of strings or an (optionally comma-separated) string.

example 1

Multiple roles in a claim called Groups as a single comma-separated string:

{
    "iss": "rVV0Atsoj7QwSX803D4sbBvFRu2EoTLo",
    "iat": 1539775565,
    "exp": 1571311565,
    "aud": "www.example.com",
    "sub": "[email protected]",
    "Groups": "A,B,C,D"
}

example 2

Single role in a claim called perm as a plain string:

{
    "iss": "rVV0Atsoj7QwSX803D4sbBvFRu2EoTLo",
    "iat": 1539775565,
    "exp": 1571311565,
    "aud": "www.example.com",
    "sub": "[email protected]",
    "perm": "read"
}

example 3

Multiple roles in a claim called roles as an array of strings:

{
    "iss": "rVV0Atsoj7QwSX803D4sbBvFRu2EoTLo",
    "iat": 1539775565,
    "exp": 1571311565,
    "aud": "www.example.com",
    "sub": "[email protected]",
    "roles": [
        "Editor",
        "Viewer",
        "Admin"
    ]
}
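The following is an added example (not the plugin's own Lua code) showing the decision the plugin makes: it normalises the three claim shapes above (array, comma-separated string, plain string) into a role set and applies the any/all policy from the configuration table. The signature check is deliberately absent because the page delegates it to Kong's JWT plugin; `decode_jwt_payload`, `extract_roles`, `authorize` and the sample token are constructed here for illustration.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT whose signature Kong's jwt plugin has
    already verified upstream. Only base64url-decodes the middle segment;
    it performs no validation of its own."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_roles(claim_value) -> set:
    """Normalise the roles claim: an array of strings, a comma-separated
    string, or a single plain string all become a set of trimmed names.
    A missing claim or an unexpected type grants no roles."""
    if isinstance(claim_value, str):
        items = claim_value.split(",")
    elif isinstance(claim_value, list):
        items = [x for x in claim_value if isinstance(x, str)]
    else:
        return set()
    return {x.strip() for x in items if x.strip()}


def authorize(claims: dict, roles_claim_name: str, roles: list, policy: str = "any") -> bool:
    """Deny by default; allow only when the configured policy is satisfied."""
    if not roles:
        return False
    granted = extract_roles(claims.get(roles_claim_name))
    required = set(roles)
    if policy == "any":
        return bool(granted & required)
    if policy == "all":
        return required <= granted
    raise ValueError(f"unknown policy {policy!r}")


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample token: claims from example 1 above; the signature segment is a
# placeholder because verification is the Kong jwt plugin's job, not this check's.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"iss": "rVV0Atsoj7QwSX803D4sbBvFRu2EoTLo", "aud": "www.example.com",
             "sub": "user@example.com", "Groups": "A,B,C,D"}),
    "placeholder-signature",
])
```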

More information

Work in progress

This plugin is an exercise. Please don't use it in production unless you know what you are doing. Any contributions to make this plugin production grade are very welcome!
