
Authenticating Api Gateway (Kong) With A Public MicroService


We have a web app that is publicly available to access over the internet. This app runs on a web server that contains the monolithic set of APIs that the app could call (including user authentication). We want to expose an "API" (e.g. gather data) for users to query a limited set of data about their account from their own code. This will allow them to write custom dashboards with the data we are collecting for them.

With this new API, API calls are now able to come from somewhere other than our web app. So we want to set up an API gateway to manage the request "load". For example, the gateway can limit a user's requests to once every ten minutes.

The end user will be given an API key to make requests through Kong and then Kong will carry out the API query for them using an HTTP GET/POST to the web server. Since our web server is publicly available we need a way to verify that the request for the API (gather data) is only coming from Kong. I've done some research into JWTs and it seems like a possible approach. Would it make sense to simply give the Kong server its own JWT issued by the web server? Then any GET/POST to the web server that doesn't have the Kong JWT is rejected.

I know this might not be the most logical setup for an API gateway; normally you would have microservices on the same private network as Kong communicating with each other and wouldn't necessarily need to verify the authenticity of the requests coming in, as Kong would be handling that. However, given our current setup, would the JWT approach make the most sense?


Solution

  • So you want your Kong instance to communicate with your upstream server with some secret that only you know, so you can be certain that the traffic to your upstream server is coming from your Kong instance?

    Sure thing! There are a few ways to do that. You could use https://getkong.org/plugins/request-transformer/ to add a header that contains some secret string (and then potentially use https://getkong.org/plugins/response-transformer/ to remove that header before responding to the client).

    Really, it depends on what your upstream server supports in terms of validation of requests.

    You also mention giving your end-users API keys - I'm hopeful you'll use https://getkong.org/plugins/key-authentication/ to do that.
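As an added example (not part of the question or the answer above), here is one way the upstream web server could implement the JWT variant the asker describes: the web server issues Kong a short-lived HS256 token, Kong injects it with request-transformer as a header, the public "gather data" endpoint rejects any request that does not carry a valid one, and `strip_internal_headers` mirrors the response-transformer removal step. The secret, the header name `X-Gateway-Token` and the claim values are constructed assumptions for the example.

```python
import base64, hashlib, hmac, json

# Constructed values for this example. In practice the web server loads the secret
# from its secret store and Kong's request-transformer injects the issued token.
GATEWAY_SECRET = b"constructed-shared-secret-rotate-regularly"
GATEWAY_HEADER = "X-Gateway-Token"
INTERNAL_HEADERS = {GATEWAY_HEADER.lower(), "x-consumer-id", "x-consumer-username"}  # never leak to end users

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_gateway_jwt(secret, now, ttl=3600):
    """Short-lived HS256 token the web server issues to Kong (not to end users)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "kong-gateway", "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_gateway_jwt(token, secret, now):
    """Upstream check: pin the algorithm, compare the MAC in constant time, enforce exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, payload = (json.loads(_b64url_decode(s)) for s in (header_b64, payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return False
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return False
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    exp = payload.get("exp")
    return payload.get("sub") == "kong-gateway" and isinstance(exp, int) and now < exp

def upstream_accepts(headers, now, secret=GATEWAY_SECRET):
    """Gate for the public 'gather data' endpoint: only requests carrying a valid gateway token pass."""
    return verify_gateway_jwt(headers.get(GATEWAY_HEADER, ""), secret, now)

def strip_internal_headers(headers):
    """Mirror of the response-transformer step: drop gateway-internal headers before replying."""
    return {k: v for k, v in headers.items() if k.lower() not in INTERNAL_HEADERS}
```

The end-user API key stays a Kong concern (key-authentication plugin); the upstream only ever trusts the gateway token, so a direct request to the public web server without it is rejected.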