traefik-plugins / traefik-jwt-plugin

Traefik plugin which checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS
Apache License 2.0

How to verify Alg, Iss and Aud? #44

Closed latenssi closed 1 year ago

latenssi commented 1 year ago

In the readme (https://github.com/team-carepay/traefik-jwt-plugin/blob/main/README.md?plain=1#L54-L55) it states that one can provide values via config for Iss and Aud and that these would be "Used to verify" them in the token. Adding those in the config does not seem to have any effect, and looking at the source code it seems they are not used anywhere.

Am I missing something or is the documentation wrong?

edit: removed Alg as that seems to be actually verified

ievgenii-shepeliuk commented 1 year ago

E.g. code for Alg https://github.com/team-carepay/traefik-jwt-plugin/blob/main/jwt.go#L539-L541

latenssi commented 1 year ago

Thank you @ievgenii-shepeliuk! Do you know how Aud and Iss are handled?

eshepelyuk commented 1 year ago

Hello. The documentation is wrong, those fields are not used by the plugin.

latenssi commented 1 year ago

Thank you @eshepelyuk for clearing this up!
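
The `iss` and `aud` checks this thread asks about, sketched as an added example that is not the plugin's code and not from any participant in the thread. `checkIssAud` is a hypothetical helper that assumes the token's signature has already been verified; the issuer `https://idp.example`, the audience `api` and the sample token are constructed values.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// audience accepts both forms RFC 7519 allows for "aud": one string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// checkIssAud (hypothetical helper) checks iss/aud of a JWT whose signature is ALREADY verified.
func checkIssAud(token, wantIss, wantAud string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || wantIss == "" || wantAud == "" {
		return fmt.Errorf("malformed token or empty expected value")
	}
	var c struct {
		Iss string   `json:"iss"`
		Aud audience `json:"aud"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("undecodable payload")
	}
	if c.Iss != wantIss { // exact string match; a missing iss fails as well
		return fmt.Errorf("issuer %q not accepted", c.Iss)
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return nil
		}
	}
	return fmt.Errorf("audience %v does not include %q", []string(c.Aud), wantAud)
}

func main() {
	p := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://idp.example","aud":["api","web"]}`)) // constructed sample
	fmt.Println(checkIssAud("e30."+p+".sig", "https://idp.example", "api"))
}
```

Rejecting empty expected values keeps a blank configuration entry from matching a token that carries no `iss` claim at all.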