traefik-plugins / traefik-jwt-plugin

Traefik plugin which checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS
Apache License 2.0

Allow specifying the audience to validate #51

Open alecor191 opened 1 year ago

alecor191 commented 1 year ago

First, great job on this plugin, it's super useful!

We have the scenario where Traefik routes API calls to backend services that are only meant to be used by specific audiences. I.e. we want to ensure that the aud claim is validated as early as possible; before the request even reaches the target service.

What would be great is if the traefik-jwt-plugin middleware could be configured to also specify the audience to validate. That way we could assign different jwt-plugin middlewares to different Traefik routes, ensuring that requests are forwarded only where the JWT is not only valid, but was also issued for the correct audience.

Is this something worth considering for this plugin?

eshepelyuk commented 1 year ago

Hello

First of all - thanks for the interest. The idea looks good, so the question is - are you willing to provide a PR ?

PS: are you using the plugin with OPA? On my project we're solving similar challenges by delegating the decisions to OPA. It's much more flexible than relying on Traefik middleware functionality.

alecor191 commented 1 year ago

Thanks @eshepelyuk for the fast response. I've not worked with Go yet, so not sure on a timeline I'd be able to contribute, as it would require some ramp-up before being able to provide a PR.

Thanks for the OPA tip! While we investigated OPA, we didn't consider it just yet; our current solution is still very basic, so we're just looking for something very simple to validate JWT tokens.

lvijnck commented 1 year ago

@eshepelyuk could you kindly share how you've configured OPA to validate the audience?

P.S. I would be happy to crunch out a PR for this

eshepelyuk commented 1 year ago

> @eshepelyuk could you kindly share how you've configured OPA to validate the audience?
>
> P.S. I would be happy to crunch out a PR for this

Hello

You should refer to OPA docs for API regarding parsing and verifying JWT tokens.

alecor191 commented 1 year ago

FWIW my understanding is that the aud claim is defined in RFC 7519, section 4.1.3.

Here an implementation of the aud claim validation in jose, a quite popular library in the JS world: checkAudiencePresence.

Notice how the value of aud can either be a single string or array of string (defined in RFC above and also reflected in the implementation of jose).
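The check described above, written out as an added example in Go (the plugin's language) rather than code from the traefik-jwt-plugin project: a custom decoder accepts both the single-string and the array form of aud that RFC 7519 §4.1.3 allows, and a per-route check passes when any aud value matches one of the audiences configured for that route. The function names, the sentinel errors, the audience values and the alg=none token fixture are constructed for this example. The check deliberately does not verify the signature; in a middleware it must run only after JWKS validation has succeeded, since an unverified payload proves nothing.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audience models the aud claim. RFC 7519 §4.1.3 allows it to be either a
// single StringOrURI or an array of them, so the decoder must accept both.
type Audience []string

// UnmarshalJSON accepts "aud": "x" as well as "aud": ["x", "y"].
func (a *Audience) UnmarshalJSON(b []byte) error {
	if bytes.Equal(bytes.TrimSpace(b), []byte("null")) {
		return nil // treat null like an absent claim, per encoding/json convention
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// payloadClaims is the subset of the JWT payload this check reads.
type payloadClaims struct {
	Aud Audience `json:"aud"`
}

// Sentinel errors (hypothetical names) so a middleware can map each to a response.
var (
	ErrMalformedToken   = errors.New("jwt: malformed compact serialization")
	ErrMissingAudience  = errors.New("jwt: aud claim is absent")
	ErrAudienceMismatch = errors.New("jwt: no aud value matches an allowed audience")
)

// CheckAudience decodes the payload segment of a compact JWT and returns nil
// when at least one aud value is in allowed. It does NOT verify the signature:
// call it only after JWKS signature validation, otherwise the claims are untrusted.
func CheckAudience(token string, allowed []string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return ErrMalformedToken
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("%w: payload is not base64url: %v", ErrMalformedToken, err)
	}
	var c payloadClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("%w: %v", ErrMalformedToken, err)
	}
	if len(c.Aud) == 0 {
		return ErrMissingAudience
	}
	for _, got := range c.Aud {
		for _, want := range allowed {
			if got == want {
				return nil
			}
		}
	}
	return ErrAudienceMismatch
}

// encodeUnsignedToken builds a constructed test fixture: a compact JWT with an
// alg=none header, the given payload and an empty signature segment. It exists
// only so the example runs offline; never accept such tokens in production.
func encodeUnsignedToken(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"none","typ":"JWT"}`))
	return header + "." + enc([]byte(payloadJSON)) + "."
}

func main() {
	// Audiences a hypothetical per-route middleware instance would be configured with.
	allowed := []string{"orders-api"}
	for _, tok := range []string{
		encodeUnsignedToken(`{"sub":"alice","aud":"orders-api"}`),                // single string: ok
		encodeUnsignedToken(`{"sub":"alice","aud":["billing-api","orders-api"]}`), // array: ok
		encodeUnsignedToken(`{"sub":"alice","aud":"billing-api"}`),               // wrong audience
		encodeUnsignedToken(`{"sub":"alice"}`),                                   // aud absent
	} {
		fmt.Printf("%v\n", CheckAudience(tok, allowed))
	}
}
```

Matching is exact string comparison, as the jose implementation linked above does; a token whose aud array contains one allowed value and several foreign ones still passes, which is what the RFC intends, so the per-route allowed list should be kept tight.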

lvijnck commented 1 year ago

I'm still a little lost on the OPA implementation, is the idea that I should have a running instance of the agent on my cluster, and this plugin offloads it? Or does it have the capability to directly validate the incoming request?

eshepelyuk commented 1 year ago

> I'm still a little lost on the OPA implementation, is the idea that I should have a running instance of the agent on my cluster, and this plugin offloads it? Or does it have the capability to directly validate the incoming request?

Added a diagram recently that should answer the question.

https://github.com/team-carepay/traefik-jwt-plugin#open-policy-agent

majidakbaridh commented 11 months ago

Hi,

Thank you for your great work on this plugin. I tested it for one of my use cases and it is working fine. However, in my case I need to validate the JWT token based on audience, and when I found this open issue I realized that maybe the plugin can't check it. I want to make sure my assumption about aud is correct, and also ask whether there is any chance of adding it to this plugin in the future?

eshepelyuk commented 11 months ago

Hello

This plugin doesn't support validation of the JWT aud claim, but you can implement any custom validation that doesn't exist yet with OPA, or you can provide a PR for this particular claim.