jwtauthrequest

command module

v0.0.0-...-707a7ba Latest Latest Go to latest Published: Mar 30, 2023 License: MIT Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

bitbucket.org/HelgeOlav/jwtauthrequest

Links

Open Source Insights

README ¶

Introduction

jwtauthrequest is a backend for nginx auth_request. This backend receives tokens from nginx and responds with yes (HTTP response 200) or no (HTTP response 403) for access.

The JWT token is validated against your own configuration.

Features are:

Supports both HMAC, RSA and ECDSA algorithms.
For all other than HMAC, validation is done by downloading the JWKS from the issuer.
For RSA and ECDSA multiple keys and key rotation is supported; the JKWS is refreshed over time and using kid multiple keys can be present.
Validates iss, exp, iat, aud fields. (kid is also required for RSA and ECDSA.)
Built on established go libraries; jwt-go and keyfunc.
Designed and tested with nginx, but can be used from any application that want to validate a token.

A full-fledged implementation inside nginx is only available when subscribing. Some information about it here.

Security notice

Validating a token correctly is very important.
You should make sure that the issuer and audience fields are correct. Unless you specify anything these fields are not verified for corectness.
A JWT without exp will always be valid, you can change this by adding exp as a required claim. (See the example below.)
For production, don't use any HMAC algorithms. The shared key has to be, well, shared.
The JWKS should only be downloaded using https.

Configuration example

This is a configuration file. For all configuration options look into config.go.

{
  "listen-port": ":8081",
  "clients": [
    {
      "endpoints": [ "/auth" ],
      "name": "Test endpoint",
      "required-claims": [ "exp", "iss" ],
      "allowed-algo": [ "HS256" ],
      "token-name": "Authorization",
      "trim-prefix": "Bearer ",
      "audience": [ "developer" ],
      "HMAC": "qwertyuiopasdfghjklzxcvbnm123456",
      "debug": true,
      "issuer": "golang"
    }
  ]
}

A matching nginx configuration (snippet) would be:

location / {
    auth_request /_oauth2_token_introspection;                              
    alias /var/www/html;
}
location = /_oauth2_token_introspection {
    internal;
    proxy_method      GET;
    proxy_pass        http://localhost:8081/auth;
}

When you run jwtauthrequest it issues a JWT that you can use with the configuration above. The JWT is valid for one hour after launch.

This configuration assumes that you will authorize using a bearer token. By default nginx forwards all headers so with a bearer token nothing else needs to be done. From the configuration you can tweak on token-name to specify what header (or query name) to get the token from, and trim-prefix is used to remove something in the beginning from the token.

Calling jwtauthrequest directly

curl -I http://localhost:8081/auth\?token=<your_token>

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
jwtauthapi

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL