edgexfoundry / edgex-compose

EdgeX Foundry Docker Compose release compose files and tools for building EdgeX compose files
Apache License 2.0

About kong json web token always re-new when restarting services #346

Closed tntthanh closed 1 year ago

tntthanh commented 1 year ago

Hi everyone, I want the Kong JSON web token not to be renewed under any circumstances. Please help me with the environment variables in the docker compose file (secty version, V2.4) for this. Thank you very much.

bnevis-i commented 1 year ago

There are two possible tokens you could be talking about.

If you are talking about the admin API token, please see the following:

https://docs.edgexfoundry.org/2.3/security/Ch-AddGatewayUserRemotely/#pre-requisite-obtain-a-kong-admin-jwt

(The guidance basically says if you don't want the admin token to rotate, you need to configure Kong with your own key.)

If you are talking about a user JWT, see the secrets-config man page here:

https://docs.edgexfoundry.org/2.3/security/secrets-config-proxy/

(This guidance says that if you want an expiration time of other than one hour, pass an --exp flag specifying something different.)

tntthanh commented 1 year ago

Hi @bnevis-i, I am talking about the admin API token. I wonder if there is any environment variable in the docker-compose file that I can fill in to stop the backend from renewing the admin API token.

bnevis-i commented 1 year ago

@tntthanh, no there is not. The most straightforward thing to do is create a shadow admin using the Kong API. The alternative is to fork EdgeX and customize it how you need.

A feature request to add support for this wouldn't be accepted because in EdgeX 3.0 we are going to replace the Kong API gateway with a much simpler NGINX gateway so that constrained devices (with low amounts of memory and/or disk) are better supported.

tntthanh commented 1 year ago

Hi @bnevis-i, how can I create a shadow admin?

bnevis-i commented 1 year ago

Please refer to the following: https://docs.konghq.com/hub/kong-inc/jwt/

You should be able to introspect the default configuration and provision a JWT of your own with the proper route mappings to set up a secondary admin account. Note that the unauthenticated Kong admin port on 8001 is available on localhost inside of the Kong container, but not exposed externally. It should be possible, by exec'ing into the Kong container, to set up the shadow admin even if the initial admin JWT has expired.

Note that you can use any authentication plugin that is available in the free version of Kong. You aren't forced to use the JWT provider if you don't want to.
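As an added illustration of the shadow-admin approach described above (example code, not from the thread or the EdgeX project), the script below creates a second consumer through the Kong Admin API, attaches an HS256 `jwt` credential to it, and mints a token whose `iss` claim matches that credential's `key`, which is what Kong's jwt plugin checks. It assumes the Admin API is reachable at `http://localhost:8001` (the container-local port the reply mentions) and that the admin route is protected by the jwt plugin; the consumer name, credential key and secret are constructed values. `verify_jwt` is a local mirror of the plugin's signature and `exp` checks so the token can be validated offline before it is used.

```python
"""Provision a secondary ("shadow") Kong admin consumer and mint its JWT.

Added example, not EdgeX project code. Assumptions: Kong Admin API at
ADMIN_URL (localhost:8001 inside the Kong container), admin route protected
by Kong's jwt plugin, HS256 credential. Uses only the standard library.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from urllib.parse import urlencode

ADMIN_URL = "http://localhost:8001"  # unauthenticated admin port, container-local only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(key: str, secret: str, exp_seconds=None, now=None) -> str:
    """Build an HS256 JWT whose `iss` equals the jwt credential's `key`.

    exp_seconds=None omits the exp claim, so the token never expires (what the
    issue asks for); a finite value gives Kong something to enforce if the
    plugin's claims_to_verify includes exp.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": key, "iat": now}
    if exp_seconds is not None:
        claims["exp"] = now + exp_seconds
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str, now=None):
    """Local check mirroring the jwt plugin: signature first, then exp if present.

    Returns the claims dict on success, None if the token is invalid or expired.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def admin_api(method: str, path: str, form=None):
    """Minimal Kong Admin API call (form-encoded body, JSON response)."""
    data = urlencode(form).encode() if form else None
    req = urllib.request.Request(ADMIN_URL + path, data=data, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provision_shadow_admin(username: str, key: str, secret: str) -> str:
    """Create the consumer, attach an HS256 jwt credential, return a token for it.

    If the admin route also carries the acl plugin, the consumer additionally
    needs POST /consumers/{username}/acls with the allowed group; inspect the
    existing admin consumer's ACLs on port 8001 to find that group name.
    """
    admin_api("POST", "/consumers", {"username": username})
    admin_api("POST", f"/consumers/{username}/jwt",
              {"key": key, "algorithm": "HS256", "secret": secret})
    return mint_jwt(key, secret)


if __name__ == "__main__":
    import secrets
    # Constructed names; run from inside the Kong container (docker exec).
    token = provision_shadow_admin("shadow-admin", "shadow-admin-key",
                                   secrets.token_urlsafe(32))
    print(token)  # send as: Authorization: Bearer <token>
```

Keep the HS256 secret with the same care as the original admin key: whoever holds it can mint admin tokens indefinitely when `exp` is omitted, so a long but finite `exp_seconds` plus a scripted re-mint is usually the better operational choice than a token with no expiry at all.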

bnevis-i commented 1 year ago

Closing as "answered"