feat: As a user, I want to obtain the previously validated JWT from the context, so that I can use it in my custom plugins with lower priority #11281

Open
mikyll opened this issue May 23, 2024 · 0 comments · May be fixed by #11675

mikyll commented May 23, 2024

Description

I'd like to extend the jwt-auth plugin to store the authenticated JWT in the request context, so that it can easily be used in a plugin which executes after it (lower priority), such as a custom ACL based on the JWT payload.

Benefits

These are the benefits that come to my mind:

  • hiding the token from headers - this allows enabling hide_credentials and hiding the JWT from the server receiving the request, while still allowing subsequent plugins to access it;
  • less redundant code - the following plugins do not have to import extra modules to parse the token again, but can simply access its claims as a table.

Example

Suppose the jwt-auth plugin stores the decoded jwt object in the request context (jwt-auth.lua):

```lua
function _M.rewrite(conf, ctx)
    -- [...]

    -- store the decoded, verified token so plugins that run later can read ctx.jwt_obj
    ctx.jwt_obj = jwt_obj
end
```

Custom plugin example (my-acl.lua):

```lua
local core = require("apisix.core")

function _M.rewrite(conf, ctx)
    -- [...]

    if not ctx.jwt_obj then
        -- Technically this can only happen when the JWT plugin didn't run for this request, or the priority was lower
        core.log.warn("Token object not found in ctx.")
        return 401, {message = "Missing JWT in request"}
    end

    local authorized = false
    -- the "roles" claim may be absent; ipairs() on nil raises an error
    local roles = ctx.jwt_obj.payload.roles or {}

    -- Do something with roles
    for _, value in ipairs(roles) do
        if value == "admin" then
            authorized = true
            break
        end
    end

    if not authorized then
        core.log.warn("Request not authorized")
        return 403, {message = "You are not allowed to access this resource"}
    end

    -- [...]
end
```

Additional Information

Kong JWT Plugin stores the encoded token in context, which I find interesting but a little bit unhandy: https://github.com/Kong/kong/blob/d4ab528fa2414d996861a43e58406c02b4978157/kong/plugins/jwt/handler.lua#L146
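A complete custom plugin built on the proposal above, as an added example that is not part of this issue, of the linked PR, or of APISIX itself. It assumes the `ctx.jwt_obj` field the issue proposes, that jwt-auth sets it only after the token has verified (jwt-auth rejects invalid tokens with 401 before later plugins run), that `jwt_obj.payload` is the claims table as decoded by lua-resty-jwt, and a plugin priority below jwt-auth's so it runs after it. The plugin name `my-acl`, the `required_roles` option and the `has_any_role` helper are invented for the example.

```lua
-- my-acl.lua: custom APISIX plugin (added example, not part of APISIX).
-- Reads the verified JWT that jwt-auth is proposed to leave in ctx.jwt_obj
-- and allows the request only if the "roles" claim contains one of the
-- roles configured on the route.
local core = require("apisix.core")

local plugin_name = "my-acl"  -- hypothetical plugin name

-- Plugin configuration: which roles may access the route. minItems = 1
-- means a route cannot accidentally be configured with no required role.
local schema = {
    type = "object",
    properties = {
        required_roles = {
            type = "array",
            items = { type = "string" },
            minItems = 1,
        },
    },
    required = { "required_roles" },
}

local _M = {
    version = 0.1,
    -- Assumed: any value below jwt-auth's priority. APISIX runs higher
    -- priority plugins first, so this plugin sees the token jwt-auth verified.
    priority = 2000,
    name = plugin_name,
    schema = schema,
}

function _M.check_schema(conf)
    return core.schema.check(schema, conf)
end

-- Pure helper: true if the "roles" claim contains at least one entry of
-- `required`. A missing or malformed claim fails closed (false).
local function has_any_role(roles, required)
    if type(roles) ~= "table" then
        return false
    end
    local wanted = {}
    for _, r in ipairs(required) do
        wanted[r] = true
    end
    for _, r in ipairs(roles) do
        if wanted[r] then
            return true
        end
    end
    return false
end
_M.has_any_role = has_any_role  -- exposed so it can be unit tested without nginx

function _M.rewrite(conf, ctx)
    local jwt_obj = ctx.jwt_obj
    -- No verified token in the context: jwt-auth is either not enabled on
    -- this route or ordered after us. Fail closed instead of re-parsing the
    -- Authorization header here (it may already be stripped by hide_credentials).
    if not jwt_obj or type(jwt_obj.payload) ~= "table" then
        core.log.warn("my-acl: no verified JWT in ctx; is jwt-auth enabled ",
                      "with a higher priority on this route?")
        return 401, { message = "Missing JWT in request" }
    end

    if not has_any_role(jwt_obj.payload.roles, conf.required_roles) then
        core.log.warn("my-acl: subject ", tostring(jwt_obj.payload.sub),
                      " lacks a required role")
        return 403, { message = "You are not allowed to access this resource" }
    end
    -- fall through: request continues to the upstream
end

return _M
```

To try it, the file has to be placed where APISIX loads custom plugins (the `extra_lua_path` setting in config.yaml) and `my-acl` added to the `plugins` list there; then enable it on a route together with jwt-auth, for example with `"jwt-auth": {"hide_credentials": true}` and `"my-acl": {"required_roles": ["admin"]}`. Keeping the role check in a pure function that never touches `core` makes the authorization decision testable with plain `lua` and leaves the rewrite handler responsible only for the fail-closed handling of a missing or malformed token.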

mikyll added a commit to mikyll/apisix that referenced this issue May 23, 2024
Features:
- Store the JWT object in request context;
@mikyll mikyll linked a pull request Oct 23, 2024 that will close this issue