Ignac96

Reputation: 53

A few questions about authentication and authorization with Kong jwt in microservices architecture

As a newbie in microservices architecture, I need to ask a few questions about implementing JWT authentication using Kong.

The architecture of my application looks like in the picture below:

[image: My app]

So far I have only used Kong as a proxy and load balancer. The Authentication Service was responsible for creating the token. The token was created during registration and login. During registration or login, the authentication service asked the user service, and the user service checked the user's data in the MongoDB database. Each endpoint of the other services had to receive a JWT in the header and had a function, along with a secret, which decoded the token. However, it seems to me that this is unnecessary duplication of code, and the whole process of creating and decoding the JWT could, or even should, be done in Kong with the JWT plugin.

I tried to follow a couple of tutorials and YouTube guides just like this one: JWT Kong Gateway

Unfortunately each of the tutorials shows how to create a JWT only for a single consumer, without Kong being connected to the base.

My kong.yml file:

_format_version: "3.0"
_transform: true

services:
  - name: building_service
    url: http://building_service/building
    routes:
    - name: building_service_route
      paths:
      - /building

  - name: user_service
    url: http://user_service/user
    routes:
    - name: user_service_route
      paths:
      - /user

  - name: role_service
    url: http://role_service/role
    routes:
    - name: role_service_route
      paths:
      - /role

  - name: task_service
    url: http://task_service/task
    routes:
    - name: task_service_route
      paths:
      - /task

  - name: authorization_service
    url: http://authorization_service/authorization
    routes:
    - name: authorization_service_route
      paths:
      - /authorization
  

plugins:
  - name: jwt
    route: building_service_route
    enabled: true
    config:
      key_claim_name: kid
      claims_to_verify:
        - exp

  - name: bot-detection

  - name: rate-limiting
    config:
      minute: 60
      policy: local

# consumers and jwt_secrets are top-level keys of the declarative config,
# not entries of the plugins list. The credential's key is the value the
# token's kid claim must carry; its secret is what signs the token.
# consumers:
#   - username: login_server_issuer
# jwt_secrets:
#   - consumer: login_server_issuer
#     key: login_server_issuer
#     secret: "secret-hash-brown-bear-market-rate-limit"

Kong service in docker-compose.yml:

services:
  kong:
    build: ./App/kong
    volumes:
      - ./App/kong/kong.yml:/usr/local/kong/declarative/kong.yml
    container_name: kong
    environment:
      KONG_DATABASE: 'off'
      KONG_PROXY_ACCESS_LOG: '/dev/stdout'
      KONG_ADMIN_ACCESS_LOG: '/dev/stdout'
      KONG_PROXY_ERROR_LOG: '/dev/stderr'
      KONG_ADMIN_ERROR_LOG: '/dev/stderr'
      KONG_ADMIN_LISTEN: "0.0.0.0:8001, 0.0.0.0:8444 ssl"
      KONG_DECLARATIVE_CONFIG: "/usr/local/kong/declarative/kong.yml"
    command: "kong start"
    networks:
      - api-network
    ports:
      - "8000:8000"
      - "8443:8443"
      - "127.0.0.1:8001:8001"
      - "127.0.0.1:8444:8444"

List of my questions:

  1. How should the authentication service connect to Kong and create a JWT with the chosen user's (as I understand it, consumer's) data?
  2. Should Kong somehow be connected to a database to get the required user data and create the secret?
  3. How do I decode the JWT with Kong and pass it to the other services in a header?
  4. Can anyone provide an example of how to achieve the desired result?
  5. Have I misunderstood something about JWT or Kong, and is what I want to achieve impossible?

Upvotes: 1

Views: 926
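The split the question is after (the authentication service only issues tokens, Kong only verifies them) hinges on one shared piece of state: a `jwt_secrets` credential whose `key` the token carries in its key claim (`kid` here, per `key_claim_name`) and whose `secret` signs the token. The block below is an added illustration, not the poster's code and not Kong's implementation: it issues an HS256 token the way the authentication service would, then models the checks Kong's jwt plugin performs (look up the credential by the key claim, verify the HMAC signature, verify `exp`) and the `X-Consumer-Username` header Kong adds for the upstream service. The credential table is constructed from the question's commented-out `consumers`/`jwt_secrets`; the `key` value `login_server_issuer` is an assumption (Kong generates one if it is omitted). Only the standard library is used so the JWT mechanics are visible.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed credential table mirroring the question's commented-out
# consumers/jwt_secrets. The key (assumed here to equal the consumer name)
# is what the token's kid claim must contain; the secret signs the token.
JWT_SECRETS = {
    "login_server_issuer": {
        "consumer": "login_server_issuer",
        "algorithm": "HS256",
        "secret": "secret-hash-brown-bear-market-rate-limit",
    },
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def issue_token(consumer_key, user_id, secret=None, ttl_seconds=900, now=None):
    """Authentication-service side: mint a JWT whose kid names the Kong
    credential and whose signature uses that credential's secret.
    `secret` may be overridden (used below to show a bad signature)."""
    cred = JWT_SECRETS.get(consumer_key)
    if secret is None:
        if cred is None:
            raise KeyError("no credential for %r" % consumer_key)
        secret = cred["secret"]
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": consumer_key}
    # Kong reads the key claim from the payload; kid in the header is extra.
    payload = {"kid": consumer_key, "sub": user_id, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url_encode(hs256(signing_input.encode(), secret))


def verify_token(token, key_claim_name="kid", claims_to_verify=("exp",), now=None):
    """Model of the gateway side (not Kong's code): credential lookup by key
    claim, signature check, then the claims listed in claims_to_verify."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "malformed token"}
    key = payload.get(key_claim_name, header.get(key_claim_name))
    cred = JWT_SECRETS.get(key)
    if cred is None:
        return {"ok": False, "reason": "no credential for key"}
    # Pin the algorithm to the credential's, never to the token's alg header.
    if header.get("alg") != cred["algorithm"]:
        return {"ok": False, "reason": "algorithm mismatch"}
    expected = hs256((parts[0] + "." + parts[1]).encode(), cred["secret"])
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "invalid signature"}
    now = int(time.time()) if now is None else now
    if "exp" in claims_to_verify and int(payload.get("exp", 0)) <= now:
        return {"ok": False, "reason": "token expired"}
    return {"ok": True, "consumer": cred["consumer"], "claims": payload}


def upstream_headers(result):
    """Headers the gateway forwards so services need no secret themselves.
    Kong sets X-Consumer-Username on success; other X-Consumer-* headers
    depend on the Kong version and are omitted here."""
    if not result["ok"]:
        return {}
    return {"X-Consumer-Username": result["consumer"]}


if __name__ == "__main__":
    tok = issue_token("login_server_issuer", "user-42")
    print(tok)
    print(upstream_headers(verify_token(tok)))
```

Services behind Kong then read `X-Consumer-Username` (and whatever user claims you choose to forward) instead of decoding the token; the user database is only consulted by the authentication service at login, and Kong never needs a database of its own in `KONG_DATABASE: 'off'` mode because the consumers and credentials live in the declarative file.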

Answers (1)

user2311578

Reputation: 943

If you can consider using Keycloak for user management, then you can have a look at the jwt-keycloak plugin: https://github.com/gbbirkisson/kong-plugin-jwt-keycloak

Upvotes: 1
