JWT Firebase custom Kong plugins
Contents:
This plugin is basically to verify the JWT Firbase Token following the firebase doc What we need to run this plugin is just the firebase project name.
Plugin development by Kong
luarocks install https://github.com/hpsony94/kong-plugin-jwt-firebase/releases/download/1.0.0-1/kong-plugin-jwt-firebase-1.0.0-1.all.rock- By editting the kong.conf file
plugins = bundled, jwt-firebase
According to the firebase doc this plugin verifies the header, payload, and signature of the ID token.
- Verify that the alg is "RS256"
- Verify that the kid must correspond too one of the pubic key listed at https://www.googleapis.com/robot/v1/metadata/x509/[email protected]
- Verify that the exp must be in the future. (UNIX epoch)
- Verify that the aud must be your Firebase project ID
- Verify that the iss must be "https://securetoken.google.com/", where is the same project ID used for aud above.
- Verify that the sub must be non-empty string and must be the uid of the user or device. and Finally, ensure that the ID token was signed by the private key corresponding to the token's kid claim. Grab the public key from https://www.googleapis.com/robot/v1/metadata/x509/[email protected] and use a JWT library to verify the signature.
#TODO : Let's write somethingThis is the example of using the JWT firebase plugin to verify JWT token in Firebase project id chatq-dev
- Create a service
$ curl -i -X POST localhost:8001/services \
--data "name=test" \
--data "url=http://httpbin.org"- Create a route
$ curl -i -X POST localhost:8001/services/test/routes \
--data "name=test" \
--data "paths[]=/test"- Add the JWT Firebase plugin to test route
$ curl -i -X POST localhost:8001/routes/test/plugins \
--data "name=jwt-firebase" \
--data "config.project_id=chatq-dev"Now you send the requests throuhgh, only tokens signed by Firebase project "chatq-dev" will work:
$ curl -ik -X GET \
--url https://localhost:8443/test \
--header 'Authorization: Bearer <token-id> 'This plugin also supports legacy authenticaion without Bearer
$ curl -ik -X GET \
--url https://localhost:8443/test \
--header 'Authorization: <token-id> 'Detection of custom claim in token
TBD
Create the Lua rock in current directory:
$ luarock make
$ luarocks pack kong-plugin-jwt-firebase- Kong: Plugin Development Guide
- Kong: Development
- Kong: Test Suite
- Kong: Configuration
- Luarocks: Kong search
- Luarocks: Best Practices for Makefiles
- Luarocks: Creating a rock
Copyright 2016-2019 Kong Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
kubectl create configmap kong-plugin-jwt-firebase --from-file=jwt-firebase -n default
echo " kind: KongPlugin metadata: name: CUSTOM_NAME_HERE-jwt-firebase config: project_id: "YourId" plugin: jwt-firebase " | kubectl apply -f -