Skip to content

portothree/kong-custom-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

other

other

 
 

README.md

README.md

 
 

access.lua

access.lua

 
 

handler.lua

handler.lua

 
 

renovate.json

renovate.json

 
 

schema.lua

schema.lua

 
 

Repository files navigation

Custom Authentication with Kong

gorilla

The problem

Assume you have an in-house authentication which has already been used by your users. It can issue and validate JWT tokens and manage ACL but you still see yourself building custom code in each microservice to integrate with the custom auth service.

This solution

Leverage Kong with a custom plugin to centralize the integration and allow each microservice to focus on the business logic.

Installation

  • Download or clone the repository under the directory /usr/local/share/lua/5.1/plugins.
/usr/local/share/lua/5.1/kong/plugins
    |-- custom-auth
	|-- schema.lua
	|-- handler.lua
	|-- access.luaa
  • Configure Kong to load the plugin by adding custom-auth to the plugins property of your kong.conf (usually in /etc/kong/kong.conf) or via KONG_PLUGINS environment variable.
plugins = custom-auth
  • If using Kong Enterprise you should be able to find the custom plugin at the bottom of the plugins page.
  • If using a declarative configuration see the example below of how to enable this plugin in a service.
{
    "_format_version": "2.1",
    "_transform": true,
    "services": [
	{
	    "name": "example-service",
	    "url": "http://example.com",
	    "routes": [
		{
		    "name": "example-route",
		    "paths": ["/"]
		}
	    ],
	    "plugins": [
		{
		    "name": "custom-auth",
		    "config": {
			"validation_endpoint": "http://example.com/auth/validate/token",
			"token_header": "Authorization",
			"ssl_verify": true,
		    },
		},
	    ],
	},
    ],
    "consumers": [
	{
	    "username": "example-user"
	},
    ],
}

Configuration

  • config.validation_endpoint: your auth endpoint that check if the token passed in the Authorization header (or the one defined in token_header) is valid.
  • config.token_header: the name of the header where the token will be sent (defaults to Authorization). If the token is not found in the defined header, the plugin will look for a cookie named token and pass it as a Authorization header to your auth service.
  • config.ssl_verify: whether to perform SSL verification (see https://github.com/openresty/lua-nginx-module#tcpsocksslhandshake for details)

Development

  • schema.lua: Schema of the plugin configuration fields.
  • handler.lua: Interface declaring functions to run in the lifecycle of a request/connection.
  • accecss.lua: This file is invoked by handler.lua and has the actual authentication logic.

Other alternatives

About

Custom authentication with Kong

Topics

authentication authorization kong kong-plugin kong-auth

Resources

Readme
Activity

Stars

15 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages