I am getting started with Kong. I successfully did a simple authentication system with Oauth2 plugin, but now I have some troubles with the JWT one.
I searched a lot but there's lack of documentation and resources about this topic.
I followed the guide here: https://getkong.org/plugins/jwt/
I created a consumer with his JWT credentials:
{
"secret": "6b965bcbf48a4ea7a170bf56557e14c1",
"id": "5587b664-c8b5-4941-95fe-f6e03c319fa4",
"algorithm": "HS256",
"created_at": 1500473323000,
"key": "6fad7730b5134fbb9d74d356d838c9b4",
"consumer_id": "459cc6ab-fd62-4510-80cc-4eb48e5326a3"
}
Then I opened https://jwt.io/ and many other tools to generate a key. Anyways here the data I entered:
Header
{
"typ": "JWT",
"alg": "HS256"
}
Payload
{
"iss": "6fad7730b5134fbb9d74d356d838c9b4"
}
Verify signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
6b965bcbf48a4ea7a170bf56557e14c1
)
The tool returns a key I use then as Authorization header:
Authorization: Bearer <token>
Unfortunately the response from the server is always 401:
{
"error_description": "The access token is invalid or has expired",
"error": "invalid_token"
}
If I send a broken token or a token generated from wrong data, I receive a different error message.
What am I doing wrong here?
Solved.
Basically doing more tests on the same API, I applied two plugins (Oauth2 and JWT), creating then a conflict.
As I said, I'm just getting started, so for the newbies, be aware to not use more authentications plugins on the same API.