Current Behavior
Note: I'm using Apisix Ingress Controller on Minikube, with Apisix CRDs.
Case 1 (OK)
- ApisixConsumer doesn't specify the `exp` configuration parameter;
- the JWT token includes an `exp` claim, but it's expired;
- Result: the JWT validation fails due to the `exp` claim, since the token is expired.
Case 2 (?)
- ApisixConsumer doesn't specify the `exp` configuration parameter;
- the JWT token does not include an `exp` claim;
- Result: the JWT validation fails due to missing `exp` or `nbf` claims.
Case 3 (OK)
- ApisixConsumer specifies the `exp` configuration parameter;
- the JWT token does not include an `exp` claim;
- Result: the JWT validation fails due to missing `exp` or `nbf` claims.
Expected Behavior
Do not check the `exp` and `nbf` claims by default, since the standard specification says they should be optional.
Instead, verify these claims only if they are specified in ApisixConsumer fields, or maybe provide configuration parameters to enable/disable the check (Kong does something similar).
References
Quoted from RFC 7519 (JSON Web Token), sections 4.1.4 and 4.1.5:

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.
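The following is an added example, not APISIX's jwt-auth plugin code and not the reporter's: it decodes the payload of the JWT quoted in the reproduction steps below (which carries `key`, `sub`, `name` and `iat` but no `exp` or `nbf`) and applies the RFC 7519 semantics quoted above with a configurable policy, so that `exp` and `nbf` are optional by default and can be made mandatory per consumer, which is the behaviour the Expected Behavior section asks for. It then replays the three cases from Current Behavior under that policy. The function names, the fixed clock value and the constructed expired variant of the token are assumptions of this example; signature verification is deliberately not part of it, since only claim handling is being illustrated and a gateway must verify the signature before trusting any claim.

```python
# Added example: RFC 7519 exp/nbf handling with a configurable "required"
# policy, replayed against the JWT from the issue's reproduction steps.
# Illustrative code, not APISIX's jwt-auth plugin or the reporter's own code.
import base64
import json
import time

# JWT quoted in the issue (RS256). Its signature is NOT verified here; the
# block only inspects the payload, which is all the exp/nbf discussion needs.
ISSUE_JWT = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJteS1rZXkiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kQ-h3S0wgwDWIaOV_JNOlpck8JXAxAAtIto3hzHee4PHisx8xZcajSaX6PXf5cQW-H8uIOf7UUJCr3_62LV2hy4sSLwXcpzK5QIYRu4GO6g4q9Lv3yhYw0h2rP0bcFmkoVM91S7T0BEFA9m3H8zyKpF6qy9GscC7xoNL49W7TVhoetm4GeiKpngLCvUbGEjLWUrzx1o9JRruOe6ydv4VhOi8angH4By7kcs-XKLepVr1HyzQacw8Lyoyu4CumviefpWkwzDfDINf0r3Ad-WqAsoOGBhJh4fybe6xpIO_uWOJ95JWHUaQE3HWM_Q9fUuZvyR1p7oizbmWUxipaYIaZA"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: in a gateway the
    signature must be verified first, and claims are only trusted after that."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_time_claims(claims, now=None, leeway=0, require_exp=False, require_nbf=False):
    """Apply RFC 7519 section 4.1.4 (exp) and 4.1.5 (nbf).

    Returns None when the claims pass, otherwise a short reason string.
    Both claims are OPTIONAL in the RFC, so by default a missing claim is
    simply not checked; require_exp / require_nbf let a consumer's policy
    make them mandatory (the configurable behaviour the issue asks for).
    """
    now = time.time() if now is None else now
    for name, required in (("exp", require_exp), ("nbf", require_nbf)):
        if name not in claims:
            if required:
                return f"missing {name} claim"
            continue
        value = claims[name]
        # NumericDate is a JSON number; bool is an int subclass in Python, reject it.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return f"{name} claim is not a NumericDate"
    # exp: the current time MUST be before exp (leeway tolerates clock skew).
    if "exp" in claims and now >= claims["exp"] + leeway:
        return "token expired"
    # nbf: the current time MUST be after or equal to nbf.
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return "token not yet valid"
    return None


def replay_issue_cases(now=1_700_000_000):
    """Replay the issue's three cases with a fixed clock (constructed value)."""
    no_exp = decode_claims(ISSUE_JWT)       # the issue's token: iat only, no exp/nbf
    expired = dict(no_exp, exp=now - 3600)  # constructed Case 1 token: exp in the past
    return {
        # Case 1: default policy, expired token -> rejected
        "case1_expired": check_time_claims(expired, now),
        # Case 2: default policy, no exp -> accepted, as the RFC makes exp optional
        "case2_no_exp_optional": check_time_claims(no_exp, now),
        # Case 3: consumer requires exp (the proposed meaning of the exp field), no exp -> rejected
        "case3_no_exp_required": check_time_claims(no_exp, now, require_exp=True),
    }


if __name__ == "__main__":
    print(decode_claims(ISSUE_JWT))
    for case, result in replay_issue_cases().items():
        print(f"{case}: {'ok' if result is None else result}")
```

Under this policy only Case 2 changes compared with the behaviour reported in the issue: the token without `exp` passes the time checks unless the consumer opts in to requiring the claim, while an expired token or a required-but-missing claim is still rejected.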
Error Logs
No response
Steps to Reproduce
NB: I'm setting Service `apisix-gateway` as a LoadBalancer for simplicity. I'm also using some mock RS256 public/private keys.
Start a minikube cluster and launch the tunnel command, leaving the terminal running in the background:
Once the installation is completed, minikube tunnel should pick up the `apisix-gateway` service and we will be able to send a curl request to the proxy on localhost:
curl -s -i "localhost:80/"
HTTP/1.1 404 Not Found
Date: Wed, 15 May 2024 14:07:06 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/3.9.1
{"error_msg":"404 Route Not Found"}
JWT_TOKEN="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJteS1rZXkiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kQ-h3S0wgwDWIaOV_JNOlpck8JXAxAAtIto3hzHee4PHisx8xZcajSaX6PXf5cQW-H8uIOf7UUJCr3_62LV2hy4sSLwXcpzK5QIYRu4GO6g4q9Lv3yhYw0h2rP0bcFmkoVM91S7T0BEFA9m3H8zyKpF6qy9GscC7xoNL49W7TVhoetm4GeiKpngLCvUbGEjLWUrzx1o9JRruOe6ydv4VhOi8angH4By7kcs-XKLepVr1HyzQacw8Lyoyu4CumviefpWkwzDfDINf0r3Ad-WqAsoOGBhJh4fybe6xpIO_uWOJ95JWHUaQE3HWM_Q9fUuZvyR1p7oizbmWUxipaYIaZA"
`apisix` gateway logs in another terminal, to detect the "expiration check" message:
Environment
- `apisix version`:
- `uname -a`:
- `openresty -V` or `nginx -V`:
Questions
Is there any specific reason why it's implemented this way, instead of leaving the choice to the user (similarly to how the Kong JWT plugin does), or am I missing something? 👀
What's the purpose of the `exp` field in ApisixConsumer?