Skip to content
/ kong-go-plugin-jwt-kc Public

A Go plugin for Kong Gateway to validate (JWT-based) access tokens utilizing JWKS and .well_known discovery.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ch-braun/kong-go-plugin-jwt-kc

BranchesTags

Repository files navigation

kong-go-plugin-jwt-kc

A Kong Go plugin to validate access tokens issued by Keycloak. This plugin is inspired by the Lua-based kong-plugin-jwt-keycloak. There are, however, some differences.

Features

  • Validates signed JWT access tokens
  • Verifies the token signature using the public key retrieved from the .well-known endpoint
  • Supports multiple trusted issuers
  • Supports multiple public keys per issuer (e.g., for key rotation) including caching
  • Authorization based on the token's claims
    • scope
    • realm_access
    • resource_access
  • Consumer matching based on the token
  • Supports multiple signing algorithms (RS*, ES*)

Configuration

Global plugin configuration

The plugin's global behavior can be configured using the following properties:

Property Description Default
KONG_PLUGIN_CONFIG_JWT_GO_JWKS_CACHE_EXPIRATION The expiration time of the JWKS cache in seconds 6 * 3600
KONG_PLUGIN_CONFIG_GO_JWT_KC_SKIP_TLS_VERIFY Skip the verification of the TLS certificates false

Instance-specific plugin configuration

A plugin instance can be configured using the following properties. Please note that multiple values / lists are comma-separated:

Property Description Default
uri_param_names The names of the query parameters that may contain the access token ""
cookie_names The names of the cookies that may contain the access token ""
header_names The names of the headers that may contain the access token "authorization"
claims_to_verify The claims to verify "exp"
anonymous If a kong consumer uuid is set, the plugin will use this consumer for requests without a valid token ""
run_on_preflight If the plugin should run on preflight requests false
maximum_expiration The maximum remaining expiration time of the token in seconds 0
algorithms The supported signing algorithms "RS256,ES256"
allowed_iss The allowed issuers ""
well_known_template The template for the well-known endpoint "%s/.well-known/openid-configuration"
scopes The required scopes ""
roles The required roles ""
realm_roles The required realm roles ""
client_roles The required client roles ""
consumer_match Should the plugin try to match the consumer based on the token false
consumer_match_claim The claim to use for the consumer matching "azp"
consumer_match_ignore_not_found Ignore consumer not found errors false

About

A Go plugin for Kong Gateway to validate (JWT-based) access tokens utilizing JWKS and .well_known discovery.

Topics

golang jwt kong-plugin kong-gateway jwks

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v1.0.0 Latest
Nov 11, 2024
+ 1 release

Packages

No packages published

Languages