Validate the subject claim in a channel token (v3.12+)
Validates that the subject present in a channel token is in the allowed list.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: jwt-signer
    config:
      verify_channel_token_subject: true
      channel_token_subject_claim:
      - sub
      channel_token_subjects_allowed:
      - allowed_sub1
      - allowed_sub2
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "jwt-signer",
      "config": {
        "verify_channel_token_subject": true,
        "channel_token_subject_claim": [
          "sub"
        ],
        "channel_token_subjects_allowed": [
          "allowed_sub1",
          "allowed_sub2"
        ]
      }
    }
    '
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: jwt-signer
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  verify_channel_token_subject: true
  channel_token_subject_claim:
  - sub
  channel_token_subjects_allowed:
  - allowed_sub1
  - allowed_sub2
plugin: jwt-signer
" | kubectl apply -f -
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: jwt-signer
    service: serviceName|Id
    config:
      verify_channel_token_subject: true
      channel_token_subject_claim:
      - sub
      channel_token_subjects_allowed:
      - allowed_sub1
      - allowed_sub2
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "jwt-signer",
      "config": {
        "verify_channel_token_subject": true,
        "channel_token_subject_claim": [
          "sub"
        ],
        "channel_token_subjects_allowed": [
          "allowed_sub1",
          "allowed_sub2"
        ]
      }
    }
    '
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-signer
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  verify_channel_token_subject: true
  channel_token_subject_claim:
  - sub
  channel_token_subjects_allowed:
  - allowed_sub1
  - allowed_sub2
plugin: jwt-signer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=jwt-signer
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: jwt-signer
    route: routeName|Id
    config:
      verify_channel_token_subject: true
      channel_token_subject_claim:
      - sub
      channel_token_subjects_allowed:
      - allowed_sub1
      - allowed_sub2
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "jwt-signer",
      "config": {
        "verify_channel_token_subject": true,
        "channel_token_subject_claim": [
          "sub"
        ],
        "channel_token_subjects_allowed": [
          "allowed_sub1",
          "allowed_sub2"
        ]
      }
    }
    '
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: jwt-signer
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  verify_channel_token_subject: true
  channel_token_subject_claim:
  - sub
  channel_token_subjects_allowed:
  - allowed_sub1
  - allowed_sub2
plugin: jwt-signer
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=jwt-signer
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=jwt-signer
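The allow-list check that the configuration above turns on can be dry-run against sample tokens before enforcement is enabled. The following is an added example, not Kong's implementation or code from the original page. It assumes exact, case-sensitive string matching and that the claim list is a path into nested claims; the helper names and sample tokens are constructed, and signature verification (a separate plugin step) is not performed here.

```python
import base64
import json

# Values copied from the configuration on this page.
SUBJECT_CLAIM = ["sub"]
SUBJECTS_ALLOWED = ["allowed_sub1", "allowed_sub2"]


def decode_payload(token):
    """Return the claims of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def lookup_claim(claims, path):
    """Walk a claim path such as ["sub"]; nested traversal is an assumption."""
    node = claims
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def subject_allowed(token, path=SUBJECT_CLAIM, allowed=SUBJECTS_ALLOWED):
    """True only when the claim is a string that exactly matches an allowed subject."""
    subject = lookup_claim(decode_payload(token), path)
    return isinstance(subject, str) and subject in allowed


def make_sample_token(claims):
    """Constructed sample token for dry runs; the signature part is a dummy."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "sig"])


if __name__ == "__main__":
    # Constructed claims: an allowed subject, a near-miss, and a missing claim.
    for claims in ({"sub": "allowed_sub1"}, {"sub": "allowed_sub10"}, {"iss": "x"}):
        print(claims, "->", subject_allowed(make_sample_token(claims)))
```

Running it over a sample of real channel tokens from each upstream client shows which callers would be rejected once verify_channel_token_subject is set to true.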