Enable signing or re-signing tokens (v3.12+)
Enables signing or re-signing access and channel tokens. access_token_upstream_header and channel_token_upstream_header are used to specify the header names where the signed tokens are passed to the upstream.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: jwt-signer
    config:
      channel_token_signing: true
      access_token_signing: true
      access_token_upstream_header: Authorization:Bearer
      channel_token_upstream_header: Another_Authorization_Header
      access_token_signing_algorithm: RS256
      channel_token_signing_algorithm: ES256
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "jwt-signer",
      "config": {
        "channel_token_signing": true,
        "access_token_signing": true,
        "access_token_upstream_header": "Authorization:Bearer",
        "channel_token_upstream_header": "Another_Authorization_Header",
        "access_token_signing_algorithm": "RS256",
        "channel_token_signing_algorithm": "ES256"
      }
    }
    '
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: jwt-signer
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  channel_token_signing: true
  access_token_signing: true
  access_token_upstream_header: Authorization:Bearer
  channel_token_upstream_header: Another_Authorization_Header
  access_token_signing_algorithm: RS256
  channel_token_signing_algorithm: ES256
plugin: jwt-signer
" | kubectl apply -f -
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: jwt-signer
    service: serviceName|Id
    config:
      channel_token_signing: true
      access_token_signing: true
      access_token_upstream_header: Authorization:Bearer
      channel_token_upstream_header: Another_Authorization_Header
      access_token_signing_algorithm: RS256
      channel_token_signing_algorithm: ES256
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "jwt-signer",
      "config": {
        "channel_token_signing": true,
        "access_token_signing": true,
        "access_token_upstream_header": "Authorization:Bearer",
        "channel_token_upstream_header": "Another_Authorization_Header",
        "access_token_signing_algorithm": "RS256",
        "channel_token_signing_algorithm": "ES256"
      }
    }
    '
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-signer
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  channel_token_signing: true
  access_token_signing: true
  access_token_upstream_header: Authorization:Bearer
  channel_token_upstream_header: Another_Authorization_Header
  access_token_signing_algorithm: RS256
  channel_token_signing_algorithm: ES256
plugin: jwt-signer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=jwt-signer
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: jwt-signer
    route: routeName|Id
    config:
      channel_token_signing: true
      access_token_signing: true
      access_token_upstream_header: Authorization:Bearer
      channel_token_upstream_header: Another_Authorization_Header
      access_token_signing_algorithm: RS256
      channel_token_signing_algorithm: ES256
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "jwt-signer",
      "config": {
        "channel_token_signing": true,
        "access_token_signing": true,
        "access_token_upstream_header": "Authorization:Bearer",
        "channel_token_upstream_header": "Another_Authorization_Header",
        "access_token_signing_algorithm": "RS256",
        "channel_token_signing_algorithm": "ES256"
      }
    }
    '
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-signer
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  channel_token_signing: true
  access_token_signing: true
  access_token_upstream_header: Authorization:Bearer
  channel_token_upstream_header: Another_Authorization_Header
  access_token_signing_algorithm: RS256
  channel_token_signing_algorithm: ES256
plugin: jwt-signer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=jwt-signer
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=jwt-signer
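An upstream-side check for the configuration above, as an added example that is not part of the Kong documentation or plugin code: it pins each header to the algorithm configured for it (RS256 for the access token, ES256 for the channel token) before any signature verification. The "Bearer " value prefix, the function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Assumed mapping, taken from the configuration on this page:
# upstream header -> (value prefix, algorithm the gateway signs with).
EXPECTED = {
    "Authorization": ("Bearer ", "RS256"),          # access_token_*
    "Another_Authorization_Header": ("", "ES256"),  # channel_token_*
}


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_signed_headers(headers):
    """Return {header: alg} if every expected token is present and its JOSE
    header names the pinned algorithm; raise ValueError otherwise.
    This does NOT verify signatures; do that next with the gateway's keys."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, (prefix, pinned_alg) in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None:
            raise ValueError(f"missing {name}")
        if not value.startswith(prefix):
            raise ValueError(f"{name}: expected prefix {prefix!r}")
        parts = value[len(prefix):].split(".")
        if len(parts) != 3 or not all(parts):  # empty signature is rejected
            raise ValueError(f"{name}: not a signed compact JWS")
        try:
            alg = _b64url_json(parts[0]).get("alg")
        except (ValueError, AttributeError) as exc:
            raise ValueError(f"{name}: undecodable JOSE header") from exc
        if alg != pinned_alg:
            raise ValueError(f"{name}: alg {alg!r}, expected {pinned_alg}")
        result[name] = alg
    return result


def fake_jws(alg):
    """Constructed sample token: real header shape, dummy payload/signature."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps({"alg": alg, "typ": "JWT"}).encode()),
                     enc(b'{"sub":"demo"}'), enc(b"not-a-real-signature")])
```

Run signature verification against the gateway's public keys only after this check passes; a token that arrives in the wrong header, unsigned, or with an unexpected alg is rejected without touching key material.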