This repository includes a traefik plugin, jwt, It can check jwt from cookie or header. And It has optional configuration to set jwt to another header for backend.
For now only supports RS256 algorithm.
The plugin needs to be configured in the Traefik static configuration before it can be used.
# snippet from helm values.yaml
experimental:
plugins:
enabled: true
additionalArguments:
- --experimental.plugins.traefik-jwt-middleware.moduleName=github.com/aseara/jc2h
- --experimental.plugins.traefik-jwt-middleware.version=v0.1.2# Static configuratio
experimental:
plugins:
traefik-jwt-middleware:
moduleName: github.com/aseara/jc2h
version: v0.1.2The plugin currently supports the following configuration settings: (all fields are optional)
| Setting | Allowed values | Description |
|---|---|---|
| checkCookie | boolean | If set to true, will try extract token from cookie with cookieName unless checkHeader is set to true and token is extracted from header. |
| cookieName | string | Used as cookie name when extracting token from cookie. Needed if checkCookie is true. |
| checkHeader | boolean | If set to true, will try extract token from header with headerName. |
| headerName | string | Used to extract token from header. When checkHeader is true and this is empty, headerName will be set to Default value is 'Authorization' and headerValuePrefix to 'Bearer'. |
| headerValuePrefix | string | When extract token from header, this will be the prefix of header value. |
| signKey | string | PEM format public key to verify the jwt token. Cannot be empty when checkCookie or checkHeader is true. |
| ssoLoginUrl | string | login url to redirect when token invalid. Cannot be empty when checkCookie or checkHeader is true. |
| injectHeader | string | If set , the jwt token will be injected into request header with injectHeader value as key. |
This example uses Kubernetes Custom Resource Descriptors (CRD) :
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-jwt-plugin
spec:
plugin:
traefik-jwt-plugin:
checkCookie: true
cookieName: jwt-token
ssoLoginUrl: https://sso.xxxx.cn
injectHeader: X-JWT-TOKEN
signKey: |
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv
vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc
aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy
tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0
e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb
V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9
MwIDAQAB
-----END PUBLIC KEY-----Activate plugin in your config
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-server
labels:
app: test-server
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.middlewares: traefik-jwt-plugin@kubernetescrd