kong-upstream-jwt

A plugin for Kong which adds a signed JWT to HTTP Headers of outgoing requests

Uploader

Optum_Ross

License

Apache 2.0

Homepage

github.com/Optum/kong-upstream...

Downloads

20,085
$ luarocks install kong-upstream-jwt

API Providers require a means of cryptographically validating that requests they receive were: A. proxied by Kong, and B. not tampered with during transmission from Kong -> API Provider. This token accomplishes both as follows:

1. **Authentication** & **Authorization** - Provided by means of JWT signature validation. The API Provider will validate the signature on the JWT token (which is generating using Kong's RSA x509 private key), using Kong's public key. This public key can be maintained in a keystore, or sent with the token - provided API providers validate the signature chain against their truststore.
2. **Non-Repudiation** - SHA256 is used to hash the body of the HTTP Request Body, and the resulting digest is included in the `payloadhash` element of the JWT body. API Providers will take the SHA256 hash of the HTTP Request Body, and compare the digest to that found in the JWT. If they are identical, the request remained intact during transmission.

Versions

1.4-02 years ago3,750 downloads
1.3-02 years ago(revision: 2)1,006 downloads
1.2-15 years ago(revision: 3)7,661 downloads
1.1-15 years ago(revision: 3)345 downloads
1.0-15 years ago334 downloads
0.7-06 years ago2,475 downloads
0.6-06 years ago580 downloads
0.5-46 years ago1,386 downloads
0.4-47 years ago927 downloads
0.3-77 years ago283 downloads
0.3-67 years ago335 downloads
0.3-57 years ago57 downloads
0.3-47 years ago75 downloads
0.3-37 years ago44 downloads
0.3-27 years ago71 downloads
0.3-17 years ago178 downloads
0.2-17 years ago62 downloads
0.1-17 years ago44 downloads

Manifests

root
Home · Search · Root Manifest · Manifests · Modules · Changes · About
@luarocksorg · 6ae6d4a · Source · Issues