
Allow specifying the audience to validate #51

Open
alecor191 opened this issue Jul 14, 2023 · 9 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@alecor191

First, great job on this plugin, it's super useful!

We have the scenario where Traefik routes API calls to backend services that are only meant to be used by specific audiences. I.e. we want to ensure that the aud claim is validated as early as possible; before the request even reaches the target service.

What would be great is if the traefik-jwt-plugin middleware could be configured to also specify the audience to validate. That way we could assign different jwt-plugin middlewares to different Traefik routes, ensuring that only requests are forwarded where the JWT is not only valid, but was also issued for the correct audience.

Is this something worth considering for this plugin?

@eshepelyuk
Member

eshepelyuk commented Jul 14, 2023

Hello

First of all - thanks for the interest.
The idea looks good, so the question is - are you willing to provide a PR?

PS: are you using the plugin with OPA? At my project, we're solving similar challenges by delegating the decisions to OPA. It's much more flexible than relying on Traefik middleware functionality.

@alecor191
Author

Thanks @eshepelyuk for the fast response. I've not worked with Go yet, so not sure on a timeline I'd be able to contribute, as it would require some ramp-up before being able to provide a PR.

Thanks for the OPA tip! While we investigated OPA, we didn't consider it just yet; our current solution is still very basic, so we're just looking for something very simple to validate JWT tokens.

@lvijnck
Contributor

lvijnck commented Jul 18, 2023

@eshepelyuk could you kindly share how you've configured OPA to validate the audience?

P.S. I would be happy to crunch out a PR for this

@eshepelyuk
Member

@eshepelyuk could you kindly share how you've configured OPA to validate the audience?

P.S. I would be happy to crunch out a PR for this

Hello

You should refer to OPA docs for API regarding parsing and verifying JWT tokens.

@alecor191
Author

FWIW my understanding is that the aud claim is defined in RFC 7519, section 4.1.3.

Here is an implementation of the aud claim validation in jose, a quite popular library in the JS world: checkAudiencePresence.

Notice how the value of aud can be either a single string or an array of strings (as defined in the RFC above and also reflected in the jose implementation).
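The audience check discussed in this thread (a per-route expected audience, and an aud claim that RFC 7519 section 4.1.3 allows to be either a single string or an array of strings), written out as a Go example added here; it is not code from traefik-jwt-plugin or from anyone in the thread. The function and error names, the audience names billing-api, reports-api and admin-api, and the sample token are all constructed for illustration. The check is deliberately strict: an unexpected JSON shape for aud is an error rather than a pass, and a token with no aud at all is rejected whenever the route has an audience configured.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrAudienceMissing: the route requires an audience but the token has no aud claim.
var ErrAudienceMissing = errors.New("jwt: aud claim absent but an audience is required")

// ErrAudienceMismatch: aud is present but none of its values matches the route's audience.
var ErrAudienceMismatch = errors.New("jwt: aud claim does not match the expected audience")

// audienceValues normalises the aud claim as RFC 7519 section 4.1.3 allows it:
// a single string or an array of strings. Any other JSON shape is rejected
// rather than silently treated as "no audience".
func audienceValues(claim interface{}) ([]string, error) {
	switch v := claim.(type) {
	case nil:
		return nil, nil
	case string:
		return []string{v}, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return nil, fmt.Errorf("jwt: aud array contains non-string element %v", item)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("jwt: aud claim has unsupported type %T", claim)
	}
}

// ValidateAudience passes when at least one aud value is an exact, case-sensitive
// match for one of the audiences configured on this route. An empty expected list
// means no audience check is configured, so this step is skipped.
func ValidateAudience(claims map[string]interface{}, expected []string) error {
	if len(expected) == 0 {
		return nil
	}
	auds, err := audienceValues(claims["aud"])
	if err != nil {
		return err
	}
	if len(auds) == 0 {
		return ErrAudienceMissing
	}
	for _, got := range auds {
		for _, want := range expected {
			if got == want {
				return nil
			}
		}
	}
	return ErrAudienceMismatch
}

// decodePayload reads the claims out of a compact JWS. It does NOT verify the
// signature; call it only after the token's signature has already been checked.
func decodePayload(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("jwt: payload is not a JSON object: %w", err)
	}
	return claims, nil
}

// sampleToken builds a constructed token whose payload carries an array-valued
// aud claim. The signature segment is a placeholder, not a real signature.
func sampleToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"alice","aud":["billing-api","reports-api"]}`))
	return header + "." + payload + ".placeholder-signature"
}

func main() {
	claims, err := decodePayload(sampleToken())
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	// A route configured for reports-api accepts the token; one for admin-api rejects it.
	fmt.Println("reports-api route:", ValidateAudience(claims, []string{"reports-api"}))
	fmt.Println("admin-api route:  ", ValidateAudience(claims, []string{"admin-api"}))
}
```

In a middleware the expected list would come from that route's plugin configuration, so each Traefik router can carry its own audience while sharing the same signature verification; the audience check runs after the signature check, never instead of it.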

@lvijnck
Contributor

lvijnck commented Jul 19, 2023

I'm still a little lost on the OPA implementation, is the idea that I should have a running instance of the agent on my cluster, and this plugin offloads it? Or does it have the capability to directly validate the incoming request?

@eshepelyuk
Member

I'm still a little lost on the OPA implementation, is the idea that I should have a running instance of the agent on my cluster, and this plugin offloads it? Or does it have the capability to directly validate the incoming request?

Added a diagram recently that should answer the question.

https://github.com/team-carepay/traefik-jwt-plugin#open-policy-agent

@majidakbaridh

Hi,

Thank you for your great work on this plugin, I tested it for one of my use-cases and it is working fine. However, in my case I need to validate the JWT token based on audience, and when I found this open issue I realized that maybe the plugin can't check it.
I want to make sure my assumption about aud is correct, and also ask whether there is any chance of adding it to this plugin in the future?

@eshepelyuk
Member

Hello

This plugin doesn't support validation of the JWT aud claim, but you can implement any missing custom validation with OPA, or you can provide a PR for this particular claim.

@eshepelyuk eshepelyuk changed the title [Proposal] Allow specifying the audience to validate Allow specifying the audience to validate Dec 13, 2023
@eshepelyuk eshepelyuk added enhancement New feature or request good first issue Good for newcomers labels Dec 13, 2023
Development

No branches or pull requests

4 participants