Extra validation of JWT with fingerprints #460
Comments
|
I think you could add the extra validation with a request modifier plugin (https://www.krakend.io/docs/extending/plugin-modifiers/). if you extract the claim with the fingerprint (https://www.krakend.io/docs/authorization/jwt-validation/#propagate-jwt-claims-as-request-headers) and allow the cookie header and the one with the extracted claim to pass, you can calculate the fingerprint of the cookie and compare it with the extracted claim. if they match, do nothing. if they don't match, return an error with the 401 |
|
This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe what are you trying to do
In my setup I have a microservice which issues JWT to users. I already tested JWT validation with KrakenD and it works fine. However, I would also like to implement OWASP recomendations for JWT, in my use case I have the following:
Then I just compare the values as an extra validation of the JWK token. Since I have multiple services (implemented in other languages), it will make the validation cumbersome if I move this logic outside KrakenD request processing. What would be the simplest approach to implement this flow on KrakenD side?
Your configuration file
My
krakend.json:{ "version": 3, "extra_config": { "github_com/devopsfaith/krakend-gologging": { "level": "DEBUG", "prefix": "[KRAKEND]", "syslog": false, "stdout": true, "format": "logstash" }, "github_com/devopsfaith/krakend-logstash": { "enabled": true } }, "plugin": { "pattern": ".so", "folder": "./jwt_revoked_checker" }, "timeout": "15s", "cache_ttl": "300s", "output_encoding": "json", "name": "api-gateway", "port": 8080, "endpoints": [ { "endpoint": "/login", "method": "POST", "output_encoding": "no-op", "extra_config": { "github.com/devopsfaith/krakend-ratelimit/juju/router": { "maxRate": 0, "clientMaxRate": 30, "strategy": "ip" } }, "backend": [ { "url_pattern": "/session/jwt", "encoding": "no-op", "sd": "static", "method": "POST", "host": [ "localhost:4001" ], "disable_host_sanitize": false } ] }, { "endpoint": "/refresh", "input_headers": [ "Cookie", "Authorization", "Content-Type" ], "method": "POST", "output_encoding": "no-op", "extra_config": { "github.com/devopsfaith/krakend-ratelimit/juju/router": { "maxRate": 0, "clientMaxRate": 30, "strategy": "ip" }, "plugin/req-resp-modifier": { "name": [ "auth-access-check-request", "auth-access-check-response" ] } }, "backend": [ { "url_pattern": "/session/refresh", "encoding": "no-op", "sd": "static", "method": "POST", "host": [ "localhost:4001" ], "disable_host_sanitize": false } ] }, { "endpoint": "/register", "method": "POST", "output_encoding": "no-op", "extra_config": { "github.com/devopsfaith/krakend-ratelimit/juju/router": { "maxRate": 0, "clientMaxRate": 30, "strategy": "ip" } }, "backend": [ { "url_pattern": "/session/register", "encoding": "no-op", "sd": "static", "method": "POST", "host": [ "localhost:4001" ], "disable_host_sanitize": false } ] }, { "endpoint": "/posts", "input_headers": [ "Cookie", "Authorization", "Content-Type" ], "method": "POST", "output_encoding": "json", "extra_config": { "github.com/devopsfaith/krakend-ratelimit/juju/router": { "maxRate": 0, "clientMaxRate": 3, "strategy": "ip" }, "auth/validator": { "alg": "RS256", "jwk_local_path": "./jwks.json", "cache": false, "roles_key": "role", "roles_key_is_nested": false, "roles": [ "regular", "admin" ], "disable_jwk_security": true, "operation_debug": true }, "plugin/req-resp-modifier": { "name": [ "auth-access-check-request", "auth-access-check-response" ] } }, "backend": [ { "url_pattern": "/posts", "encoding": "json", "sd": "static", "method": "POST", "disable_host_sanitize": false, "host": [ "localhost:8000" ], "extra_config": { "plugin/req-resp-modifier": { "name": [ "auth-access-check-request" ] } } } ] }, { "endpoint": "/posts", "headers_to_pass": [ "Cookie" ], "method": "GET", "output_encoding": "json", "extra_config": { "github.com/devopsfaith/krakend-ratelimit/juju/router": { "maxRate": 0, "clientMaxRate": 3, "strategy": "ip" }, "auth/validator": { "alg": "RS256", "jwk_local_path": "./jwks.json", "cache": false, "roles_key": "role", "roles_key_is_nested": false, "roles": [ "regular", "admin" ], "cookie_key": "access_token", "disable_jwk_security": true, "operation_debug": true } }, "backend": [ { "url_pattern": "/posts", "encoding": "json", "sd": "static", "method": "GET", "disable_host_sanitize": false, "host": [ "localhost:8000" ] } ] }, { "endpoint": "/posts/{post_id}", "headers_to_pass": [ "Cookie" ], "method": "GET", "output_encoding": "json", "extra_config": { "github.com/devopsfaith/krakend-ratelimit/juju/router": { "maxRate": 0, "clientMaxRate": 3, "strategy": "ip" }, "github.com/devopsfaith/krakend/proxy": { "sequential": true }, "auth/validator": { "alg": "RS256", "jwk_local_path": "./jwks.json", "cache": false, "roles_key": "role", "roles_key_is_nested": false, "roles": [ "regular", "admin" ], "cookie_key": "access_token", "disable_jwk_security": true, "operation_debug": true } }, "backend": [ { "url_pattern": "/posts/{post_id}", "encoding": "json", "sd": "static", "method": "GET", "disable_host_sanitize": false, "host": [ "localhost:8000" ] }, { "url_pattern": "/metrics?id={resp0__id}&text={resp0_body}", "encoding": "json", "sd": "static", "method": "GET", "host": [ "localhost:6000" ], "disable_host_sanitize": false, "is_collection": false } ] } ] }The text was updated successfully, but these errors were encountered: