feature request: JWT Authentication

[skunkwerk]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
JWT

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

The ingress via Nginx should be able to authenticate JWT tokens passed in the HTTP header via a "Authorization: Bearer" format.

[aledbf]

Closing. Please check this comment #1676 (comment)

[tomxor]

@aledbf one of the advantages (in the case of JWT) is that you get to save an additional hop for every request which can end up being a bottleneck, so going to an external service to do that for you defeats that purpose. we've extended this project by adding a simple JWT script + some custom annotations to control the auth policy per ingress. not sure about ldap or others, but this was a relatively small change. given the popularity of JWT and the current lack of a working plugin system, is this decision final? if not I'd be happy to draft a PR.

[aledbf]

given the popularity of JWT and the current lack of a working plugin system, is this decision final?

No :)

if not I'd be happy to draft a PR.

Please wait, we are going to revamp the auth support in the controller.

[tomxor]

Please wait, we are going to revamp the auth support in the controller.

any public place this is being tracked? :)

[aledbf]

any public place this is being tracked? :)

Not yet, I will post a comment here when available

[derekperkins]

@aledbf What's the status here? JWT support just landed in Envoy envoyproxy/envoy#2514

[marcellisdon]

any update with regards to this feature request? I don't want to get stuck with NGINX plus for this...

[itaysk]

@aledbf - can you please clarify: "we are going to revamp the auth support in the controller" ?
Were you referring to auth-url (and this issue should be closed) or is there something else?

[aledbf]

"we are going to revamp the auth support in the controller"

One of the options will be using a custom plugin (to be written) once #3807 is merged.
Right now you can use something like https://github.com/vouch/vouch-proxy#running-from-docker

[veonua]

@itaysk as I needed JWT and jwt based routing, I have created simple python service that makes authentication, and returns claims in headers https://github.com/veonua/jwt_auth
auth-url should refer to this service address

[discordianfish]

Now with #3807 merged, anyone already started working on a JWT auth plugin?

[carlpett]

I built a small JWT signature/claims validator that is usable with the external-auth annotation: https://github.com/carlpett/nginx-subrequest-auth-jwt
Not as nice as a built-in solution, but might be useful to someone else.

[VizorKit]

any more work done on jwt plugins other than @carlpett ?

[IvanJosipovic]

I built an API that can be used with nginx.ingress.kubernetes.io/auth-url. https://github.com/IvanJosipovic/ingress-nginx-validate-jwt

If you need JWT and Cookie auth for Web Apps, you can use https://github.com/IvanJosipovic/OIDC-Guard