traefik-plugins / traefik-jwt-plugin

Traefik plugin which checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS
Apache License 2.0

Does it check expiration date? #24

Closed myagmarsurensedjav closed 2 years ago

myagmarsurensedjav commented 2 years ago

If it does, how can I configure? Or if it doesn't, how can I implement it? Please advise.

ievgenii-shepeliuk commented 2 years ago

This plugin can only check for the presence of a claim in a token at the moment. You can implement token expiration verification and other checks in OPA policies instead.

blagerweij commented 2 years ago

Using OPA is optional; I guess we can add support for 'iat' and 'exp' in the plugin as well.

blagerweij commented 2 years ago

@myagmarsurensedjav please check v0.1.1; I have added support for 'exp' and 'iat' checks. You'll need to add them to 'PayloadFields' to enforce that the fields are present and valid.

myagmarsurensedjav commented 2 years ago

@blagerweij it works great! thank you.

ievgenii-shepeliuk commented 2 years ago

Hello @blagerweij

There's a tricky bug in your implementation that we had to fix in our OPA checks a few weeks ago. It's related to the iat claim check at https://github.com/team-carepay/traefik-jwt-plugin/blob/main/jwt.go#L372

The condition must be >= and not just >. Since those claims/times should be the number of seconds since 1970, it is very likely that just-issued JWT tokens will fail the check because their issue dates will be equal to "now".

Also, I suggest creating a new variable with time.Now().Unix() before checking both claims, so the if conditions will compare the token expiration claims to the same value of "now".
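Added example (not the plugin's code) of the two points raised in the last comment: the clock is read once and passed to both checks, and a token whose iat equals the current second is accepted, so only an iat strictly in the future is rejected. The Claims type, the function names and the constructed sample token are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims is a decoded JWT payload (a constructed stand-in for this example,
// not the plugin's own type). encoding/json yields float64 for numbers.
type Claims map[string]interface{}

// numericDate reads a NumericDate claim; float64 (from JSON) and int64 are accepted.
func numericDate(c Claims, name string) (int64, bool) {
	switch n := c[name].(type) {
	case float64:
		return int64(n), true
	case int64:
		return n, true
	}
	return 0, false
}

// CheckTimeClaims validates exp and iat against one "now" captured by the caller,
// so both comparisons see the same instant. exp: valid while now < exp (RFC 7519).
// iat: a token issued in the same second as the check is valid, so only iat > now fails.
func CheckTimeClaims(c Claims, now int64) error {
	exp, ok := numericDate(c, "exp")
	if !ok {
		return errors.New("required claim exp missing or not numeric")
	}
	iat, ok := numericDate(c, "iat")
	if !ok {
		return errors.New("required claim iat missing or not numeric")
	}
	if now >= exp {
		return fmt.Errorf("token expired at %d (now %d)", exp, now)
	}
	if iat > now {
		return fmt.Errorf("token issued in the future at %d (now %d)", iat, now)
	}
	return nil
}

func main() {
	now := time.Now().Unix() // read the clock once for both checks
	tok := Claims{"iat": float64(now), "exp": float64(now + 300)} // constructed token
	fmt.Println("fresh token:", CheckTimeClaims(tok, now))
}
```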