Closed u1924054 closed 10 months ago
Thank you for the PR but I'd like to point out that passing a JWT in a URL is pretty big security risk, unless it's a one-time-use token. For instance, a user could share the URL which includes their JWT and then other users would be able to act on their behalf in the target application. Also, if a JWT is included in the URL, then it will be logged by the pieces of software through which it passes (e.g. NGINX itself).
I'm not sure about your specific use case, other than what you mentioned, but you would likely be better off proxying to Grafana under a subdirectory so that you can store the JWT in a cookie and perhaps have Grafana look for it there. Alternatively, when proxying to Grafana via NGINX, you could include the JWT in the URL at that point which would mitigate some of the aforementioned issues.
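As an added illustration of the alternative described in the comment above (this is example configuration written for this page, not code from the PR or from the module's own documentation): the JWT lives in an `HttpOnly` cookie, Grafana is proxied under a subdirectory, and any `jwt=` query parameter a client still sends is stripped before the request is forwarded, so the token never ends up in an access log or a shareable URL. The directive names `auth_jwt_enabled`, `auth_jwt_key`, `auth_jwt_loginurl` and `auth_jwt_validation_type COOKIE=...`, the cookie name `rampartjwt`, the upstream `grafana:3000`, and the query-parameter name `jwt` are all assumptions; check them against the module version you build and the name the PR actually uses.

```nginx
# Added example, not part of the PR or the module. Directive names and the
# cookie/parameter names below are assumptions to be checked against the
# module's README for the version you build.

http {
    # Remove "jwt=<token>" from the query string while keeping every other
    # parameter (Grafana relies on orgId, panelId, from/to, etc.).
    # "a=1&jwt=x&b=2" -> "a=1&b=2", "jwt=x" -> "", "foojwt=x" is left alone.
    map $args $args_without_jwt {
        "~^(?<head>.*&)?jwt=[^&]*&?(?<tail>.*)$" "$head$tail";
        default $args;
    }

    server {
        listen 443 ssl;
        server_name example.test;          # assumed hostname
        # ssl_certificate / ssl_certificate_key omitted

        # The application's login flow sets the token once, as a cookie, e.g.
        #   Set-Cookie: rampartjwt=<token>; HttpOnly; Secure; SameSite=Lax; Path=/grafana
        # HttpOnly keeps it away from page scripts, Secure keeps it off plain
        # HTTP, and Path limits which requests carry it.

        location /grafana/ {
            auth_jwt_enabled on;
            auth_jwt_key "0123456789abcdef0123456789abcdef";   # assumed hex HMAC key, replace
            auth_jwt_validation_type COOKIE=rampartjwt;        # read the JWT from the cookie
            auth_jwt_loginurl "https://example.test/login";    # where to send unauthenticated users

            # Even if a client appends ?jwt=... (old links, the iframe src),
            # drop it before proxying so Grafana and its logs never see it.
            set $args $args_without_jwt;

            # Hand the already-validated token to Grafana in a header instead.
            # Assumes Grafana is configured to accept a JWT from this header
            # ([auth.jwt] in grafana.ini) and serves from the /grafana/ sub-path.
            proxy_set_header X-JWT-Assertion $cookie_rampartjwt;
            proxy_set_header Host $host;
            proxy_pass http://grafana:3000;
        }
    }
}
```

With this layout the iframe `src` is just `https://example.test/grafana/d/<dashboard>?orgId=1`: the browser attaches the cookie on its own, the URL carries no secret, and NGINX's access log records only the stripped query string.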
Hi Josh, I have a question. Is it possible to set auth_jwt_enabled as an ngx_str_t? Being an ngx_flag_t is so difficult to manage inside the server config, but if auth_jwt_enabled could be set with a $variable then it would be great, for example `auth_jwt_enabled $variable_which_includes_on_or_off`? Thanks, I'm stuck in this project and I need just a little bit of support with your code.
I believe we'll go with the other PR as it also strips the querystring parameter in the case that the request is being forwarded.
I appreciate your time, thanks.
Implementation of a new location for the JWT: querystring location. I'm doing this because of a school project where I'm integrating Grafana inside my cloud application. I open Grafana inside an iframe, and this is why I need the token in the URL of the NGINX reverse proxy. I hope that works for you and I'll be happy to get a review. Regards from Spain.