JWT to Header (Route by JWT Claim) plugin

Community Plugin: This plugin is developed, tested, and maintained by a third-party contributor.

This plugin converts JWT claims into headers during the rewrite phase. This is useful for:

Routing requests by JWT claim, so that Kong’s route by header functionality can route the request appropriately.
Allowing the upstream service to consume claims as headers. Since this plugin has elements that must run in the Rewrite execution phase, it can only be configured to run globally in a Kong workspace or cluster. This plugin can be used in conjunction with other JWT validation/authentication plugins.

Installation & Usage

A tutorial, installation steps, and further information can be found at https://github.com/yesinteractive/kong-jwt2header.

Configuration Reference

This plugin is compatible with DB-less mode.

In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:

Setting a target's health status in the load balancer
Validating configurations against schemas
Uploading the declarative configuration using the /config endpoint

Fully compatible with DB and DB-less (K8s, Declarative) Kong implementations.

Example plugin configuration

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

The following examples provide some typical configurations for enabling the kong-jwt2header plugin globally.

Admin API

Kubernetes

Declarative (YAML)

Make the following request:

curl -X POST http://localhost:8001/plugins/ \
  --data "name=kong-jwt2header"  \
    --data "config.strip_claims=false" \
    --data "config.token_required=true"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-kong-jwt2header>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  strip_claims: false
  token_required: true
plugin: kong-jwt2header

Add a plugins entry in the declarative configuration file:

plugins:
- name: kong-jwt2header
  config: 
    strip_claims: false
    token_required: true

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter	Description
`name` required Type: string	The name of the plugin, in this case `kong-jwt2header`.
`enabled` Type: boolean Default value: `true`	Whether this plugin will be applied.
`config.strip_claims` required Default value: `false`	If enabled, claims will be removed from headers before being sent to the upstream. By default, each claim is passed upstream in a header prefixed with `X-Kong-JWT-Claim`.
`config.token_required` required Default value: `true`	By default, `token_required` is set to `true`, and an error will be returned if a valid JWT is not present in the request. Set it to `false` if you want this plugin to fail open and proceed with executing the request, regardless of whether a valid JWT is present or not.

About this Plugin
Made by	Yes Interactive
Categories	Traffic Control
DB-less compatible?	Yes
Compatible protocols	`http` `https`
Support	github.com
Source	Code License (MIT)