Bypass token validation

[crisclacerda]

I am running postgrest behind an api gateway that already validates the token signature.
I only want to check the role from the token without specifing the jwt secret. Since I am rotating my keys and postgrest do not support fetching the key from an api, I would be ok to simply bypass it...

[wolfgangwalther]

Can you do one of the following?

• Remove the Authorization header from the request in the gateway
• Add a custom header with the role extracted from the token to the request
• Run postgrest with a db-pre-request function which will then set the role from the header

or

• Replace the Authorization header with another header with the same token, but a different signature at the api gateway
• Use a simple, non-rotating secret for that internal signature, which you set jwt-secret to

[wolfgangwalther]

Also related:

• JWKS: load public keys from a well known endpoint #1130
• Suggestion: token introspection endpoint #1402 (comment)
• Investigating Possibility of supporting IAM authentication #1727

[crisclacerda]

Great thanks for the help. I like the first solution and it works fine.

[wolfgangwalther]

Just make sure you also remove any of those custom headers that you are using internally from the original request, so that nobody can break in.