Basic configuration examples
The following examples provide some typical configurations for enabling
the jwt-signer
plugin on a
service.
Make the following request:
curl -X POST http://localhost:8001/services/{serviceName|Id}/plugins \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "jwt-signer",
"config": {
"access_token_introspection_scopes_claim": [
"scope"
]
}
}
'
Replace SERVICE_NAME|ID
with the id
or name
of the service that this plugin configuration will target.
First, create a KongPlugin resource:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: jwt-signer-example
plugin: jwt-signer
config:
access_token_introspection_scopes_claim:
- scope
" | kubectl apply -f -
Next, apply the KongPlugin
resource to an ingress by annotating the service
as follows:
kubectl annotate service SERVICE_NAME konghq.com/plugins=jwt-signer-example
Replace SERVICE_NAME
with the name of the service that this plugin configuration will target.
You can see your available ingresses by running kubectl get service
.
Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as aKongClusterPlugin
instead ofKongPlugin
.
Add this section to your declarative configuration file:
plugins:
- name: jwt-signer
service: SERVICE_NAME|ID
config:
access_token_introspection_scopes_claim:
- scope
Replace SERVICE_NAME|ID
with the id
or name
of the service that this plugin configuration will target.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "kpat_YOUR_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_jwt_signer" "my_jwt_signer" {
enabled = true
config = {
access_token_introspection_scopes_claim = ["scope"]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
The following examples provide some typical configurations for enabling
the jwt-signer
plugin on a
route.
Make the following request:
curl -X POST http://localhost:8001/routes/{routeName|Id}/plugins \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "jwt-signer",
"config": {
"access_token_introspection_scopes_claim": [
"scope"
]
}
}
'
Replace ROUTE_NAME|ID
with the id
or name
of the route that this plugin configuration will target.
First, create a KongPlugin resource:
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: jwt-signer-example
plugin: jwt-signer
config:
access_token_introspection_scopes_claim:
- scope
" | kubectl apply -f -
Next, apply the KongPlugin
resource to an ingress by annotating the ingress
as follows:
kubectl annotate ingress INGRESS_NAME konghq.com/plugins=jwt-signer-example
Replace INGRESS_NAME
with the name of the ingress that this plugin configuration will target.
You can see your available ingresses by running kubectl get ingress
.
Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as aKongClusterPlugin
instead ofKongPlugin
.
Add this section to your declarative configuration file:
plugins:
- name: jwt-signer
route: ROUTE_NAME|ID
config:
access_token_introspection_scopes_claim:
- scope
Replace ROUTE_NAME|ID
with the id
or name
of the route that this plugin configuration will target.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "kpat_YOUR_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_jwt_signer" "my_jwt_signer" {
enabled = true
config = {
access_token_introspection_scopes_claim = ["scope"]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
A plugin which is not associated to any service, route, consumer, or consumer group is considered global, and will be run on every request.
- In self-managed Kong Gateway Enterprise, the plugin applies to every entity in a given workspace.
- In self-managed Kong Gateway (OSS), the plugin applies to your entire environment.
Read the Plugin Reference and the Plugin Precedence sections for more information.
The following examples provide some typical configurations for enabling
the Kong JWT Signer
plugin globally.
Make the following request:
curl -X POST http://localhost:8001/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "jwt-signer",
"config": {
"access_token_introspection_scopes_claim": [
"scope"
]
}
}
'
Create a KongClusterPlugin resource and label it as global:
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: <global-jwt-signer>
annotations:
kubernetes.io/ingress.class: kong
labels:
global: "true"
config:
access_token_introspection_scopes_claim:
- scope
plugin: jwt-signer
Add a plugins
entry in the declarative configuration file:
plugins:
- name: jwt-signer
config:
access_token_introspection_scopes_claim:
- scope
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "kpat_YOUR_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_jwt_signer" "my_jwt_signer" {
enabled = true
config = {
access_token_introspection_scopes_claim = ["scope"]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}