kong 配置 jwt 认证

我们只演示在 services 上配置jwt认证。

service 开启 jwt 插件

#创建一个需jwt验证的服务 成功响应返回baidu
curl -x POST localhost:8001/services
-d "name=service.jwt"
-d "url=http://www.baidu.com"

#查看插件列表
curl -X GET localhost:8001/services/service.jwt/plugins

#开启jwt插件
curl -X POST localhost:8001/services/service.jwt/plugins
-d "name=jwt"

#查看jwt插件
curl -X GET localhost:8001/services/service.jwt/plugins/jwt

#删除jwt插件
curl -X DELETE localhost:8001/services/service.jwt/plugins/{jwt.id}

创建 route

service.jwt服务绑定route

curl -X POST localhost:8001/services/service.jwt/routes
-d "name=route.jwt"
-d "paths[]=/api/v1"

创建一个 consumer

curl -X POST localhost:8001/consumers \
-d "username=consumer.jwt"

{
    "custom_id": null,
    "created_at": 1553681695,
    "username": "consumer.jwt",
    "id": "2e34d380-ec48-4a0d-926f-6dd8696a7eca"
}

创建 consumer 的 jwt 凭证

可以指定算法algorithmiss签发者key,密钥secret,也可以省略,会自动生成。

curl -X POST localhost:8001/consumers/consumer.jwt/jwt \
-d "algorithm=HS256" \
-d "key=big_cat" \
-d "secret=uFLMFeKPPL525ppKrqmUiT2rlvkpLc9u"
//response
{
    "rsa_public_key": null,
    "created_at": 1553681782,
    "consumer": {
        "id": "2e34d380-ec48-4a0d-926f-6dd8696a7eca"
    },
    "id": "61ee520c-3387-42f0-8e5f-02e0dc34d3d4",
    "algorithm": "HS256",
    "secret": "uFLMFeKPPL525ppKrqmUiT2rlvkpLc9u",
    "key": "7Xc3L8TdFpU6kgPEeR4iqMAstqLewJSS"
}

查看 consumer jwt 凭证

curl -X GET localhost:8001/consumers/comsumer.jwt/jwt
// 这里我们创建了 2个 jwt 凭证
{
    "next": null,
    "data": [
        {
            "rsa_public_key": null,
            "created_at": 1553682659,
            "consumer": {
                "id": "2e34d380-ec48-4a0d-926f-6dd8696a7eca"
            },
            "id": "6966cec4-6d25-4642-983b-95e512eef608",
            "algorithm": "HS384",
            "secret": "WF3Ig85MgyGMZjvSCoKLOwOevZkD8jNG",
            "key": "big_cat"
        },
        {
            "rsa_public_key": null,
            "created_at": 1553681990,
            "consumer": {
                "id": "2e34d380-ec48-4a0d-926f-6dd8696a7eca"
            },
            "id": "e3d34707-0f4f-4c2d-ae54-25aaed6c9211",
            "algorithm": "HS256",
            "secret": "yBcPzjWsaW0dMquiWCOGlH2ILDQfJIya",
            "key": "wP7ZxrL4OgMVViwE8GYcaYq57cVa2IHL"
        }
    ]
}

jwt 下发

业务服务器根据kong生成的jwt凭证中的algorithm、key(iss)、secret进行token的演算和下发。请求鉴权接口需携带
Authorization: Bearer jwt进行请求。测试的话可以用 https://jwt.io 生成:

kong 配置 jwt 认证

请求带有jwt认证的服务的路由

curl -X GET localhost:8000/api/v1 \
-H 'Authorization: Bearer eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJiaWdfY2F0Iiwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMn0.8yO2FmP23u2sS3kq94B39uT23SU2WVNuslPTeSJaHfBLoCT4oNmFTODfHS3s6sot'
//返回了baidu首页
<html>
    <head>
        <script>
        location.replace(location.href.replace("https://","http://"));
    </script>
    </head>
    <body>
        <noscript>
            <meta http-equiv="refresh" content="0;url=http://www.baidu.com/">
        </noscript>
    </body>
</html>

否则

// 401
{
    "message": "Unauthorized"
}

相关推荐