
This page documents a previous version of KrakenD Enterprise Edition (v1.3).

Document updated on May 7, 2021

Token validation with multiple Identity Providers

This plugin allows KrakenD to validate tokens issued by multiple Identity Providers.

By default, KrakenD validates JWTs against a single Identity Provider or tenant per endpoint. Sometimes the tokens arriving at one endpoint are issued by different providers or different tenants: multi-tenant deployments, an ongoing migration from one provider to another, or several systems converging into the gateway. The KrakenD krakend-jwk-aggregator plugin solves this.

The plugin fetches the keys published at each origin, appends them into one JWK set, and serves that set on a single local URL (http://localhost:9876 in the configuration below), so an endpoint validates against all the sources at once. The plugin itself does no caching, because the endpoint validators that consume it already cache the key set.

Configuration

The configuration is straightforward. You only need to include the following lines:

{
    "version": 2,
    "plugin": {
        "pattern":".so",
        "folder": "/opt/krakend/plugins/"
    },
    "extra_config": {
        "github_com/devopsfaith/krakend/transport/http/server/handler": {
            "name": ["krakend-jwk-aggregator", "some-other-plugin-here" ],
            "krakend-jwk-aggregator": {
                "port": 9876,
                "origins": [
                    "https://jwk1.tld/jwk.json",
                    "http://foo.bar/public_keys"
                ]
            }
        }
    }
}
  • port (integer): The port of the local server that does the aggregation. The server binds to localhost only and is never exposed to the external network; choose any port that is free on the gateway machine. Because the endpoints fetch from this port without TLS, it must stay reachable only from the gateway host itself: do not publish it from a container or open it in the host firewall.
  • origins (list of URLs): The list of all JWK URLs recognized as valid Identity Providers by the gateway. Every key found at any origin becomes valid for every endpoint that uses the aggregated URL, so prefer HTTPS origins wherever the provider offers them: a key injected into a plain-HTTP origin by someone on the network path would be accepted by all of those endpoints.

Endpoint’s configuration

In addition to the configuration above, each endpoint must point its validator at the aggregator instead of at a particular JWK URL. Set jwk-url to the local aggregator address and set disable_jwk_security to true: the validator otherwise requires HTTPS for the JWK URL, and the aggregator is served over plain HTTP on localhost, where TLS validation adds nothing.

{
    "endpoint": "/protected/resource",
    "extra_config": {
        "github.com/devopsfaith/krakend-jose/validator": {
            "alg": "RS256",
            "jwk-url": "http://localhost:9876",
            "disable_jwk_security": true
        }
    },
    "backend": [
        {
            "url_pattern": "/"
        }
    ]
}
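To make the aggregation step concrete, here is an added example (not the krakend-jwk-aggregator plugin's own code) of what the local service at the jwk-url above does: it fetches several JWK Sets, merges their keys into one document, and serves that document on loopback. The two origins are constructed test servers with placeholder key material; the collision and failure handling are this example's own design choices and are not documented plugin behaviour.

```go
package main

// Added example, not KrakenD's plugin code: a minimal JWK aggregator that fetches several
// JWK Sets, merges their "keys" into one document and serves it on loopback. Origins are constructed test servers.

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// jwk keeps every member verbatim so nothing an IdP publishes is dropped.
type jwk map[string]json.RawMessage

type jwks struct{ Keys []jwk `json:"keys"` }

// fetchJWKS downloads one origin and rejects anything that is not a JWK Set.
func fetchJWKS(client *http.Client, url string) (jwks, error) {
	resp, err := client.Get(url)
	if err != nil {
		return jwks{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return jwks{}, fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
	}
	var set jwks
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return jwks{}, fmt.Errorf("%s: %w", url, err)
	}
	return set, nil
}

// aggregate merges all origins. Two choices of this example, not documented plugin behaviour:
// an unreachable origin fails the whole merge rather than serving a partial set, and a kid
// already seen is skipped and reported (validators select keys by kid; a shared kid is a misconfiguration).
func aggregate(client *http.Client, origins []string) (jwks, []string, error) {
	merged := jwks{Keys: []jwk{}}
	seen := map[string]string{} // kid -> origin that first provided it
	var collisions []string
	for _, origin := range origins {
		set, err := fetchJWKS(client, origin)
		if err != nil {
			return jwks{}, nil, err
		}
		for _, key := range set.Keys {
			var id string
			_ = json.Unmarshal(key["kid"], &id) // missing or non-string kid yields ""
			if prev, dup := seen[id]; dup && id != "" {
				collisions = append(collisions, fmt.Sprintf("kid %q from %s already provided by %s", id, origin, prev))
				continue
			}
			seen[id] = origin
			merged.Keys = append(merged.Keys, key)
		}
	}
	return merged, collisions, nil
}

// aggregatorHandler re-fetches the origins on every request: like the plugin it does no
// caching and leaves that to the endpoint validators.
func aggregatorHandler(client *http.Client, origins []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		merged, collisions, err := aggregate(client, origins)
		if err != nil {
			log.Printf("aggregation failed: %v", err)
			http.Error(w, "JWK origin unavailable", http.StatusBadGateway)
			return
		}
		for _, c := range collisions {
			log.Printf("warning: %s", c)
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(merged)
	})
}

// Constructed origins: "n"/"e" are placeholders, not real RSA values, and tenant B
// deliberately reuses tenant A's kid to exercise the collision path.
const tenantA = `{"keys":[{"kty":"RSA","kid":"a-2021","use":"sig","alg":"RS256","n":"AQAB","e":"AQAB"}]}`
const tenantB = `{"keys":[{"kty":"RSA","kid":"b-2021","use":"sig","alg":"RS256","n":"AQAB","e":"AQAB"},` +
	`{"kty":"RSA","kid":"a-2021","use":"sig","alg":"RS256","n":"AQAB","e":"AQAB"}]}`

func fakeOrigin(body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, body)
	}))
}

func main() {
	a, b := fakeOrigin(tenantA), fakeOrigin(tenantB)
	client := &http.Client{Timeout: 5 * time.Second}
	// Loopback only: endpoints read this with disable_jwk_security, so nothing off the host may answer on the port.
	log.Fatal(http.ListenAndServe("127.0.0.1:9876", aggregatorHandler(client, []string{a.URL, b.URL})))
}
```

Run it and point an endpoint's jwk-url at http://localhost:9876 as in the configuration above; the served document is a normal JWK Set, so the validator needs nothing beyond disable_jwk_security to consume it. Failing the whole merge when one origin is down is deliberate: a silently partial key set would reject that tenant's tokens with no obvious cause, whereas a 502 from the aggregator is visible in the gateway logs.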
