Allow specifying the audience to validate #51
Comments
Hello First of all - thanks for the interest. PS: are you using the plugin with OPA? At my project - we're solving similar challenges by delegating the decisions to OPA. It's much more flexible than relying on Traefik middlewares functionality.
Thanks @eshepelyuk for the fast response. I've not worked with Go yet, so not sure on a timeline I'd be able to contribute, as it would require some ramp-up before being able to provide a PR. Thanks for the OPA tip! While we investigated OPA, we didn't consider it just yet; our current solution is still very basic, so we're just looking for something very simple to validate JWT tokens.
@eshepelyuk could you kindly share how you've configured OPA to validate the audience? P.S. I would be happy to crunch out a PR for this
Hello You should refer to OPA docs for API regarding parsing and verifying JWT tokens.
FWIW my understanding is that the Here an implementation of the Notice how the value of
I'm still a little lost on the OPA implementation, is the idea that I should have a running instance of the agent on my cluster, and this plugin offloads it? Or does it have the capability to directly validate the incoming request?
Added a diagram recently that should answer the question. https://github.com/team-carepay/traefik-jwt-plugin#open-policy-agent
Hi, Thank you for your great work on this plugin, I tested it for one of my use-cases and it is working fine. However in my case I need to validate JWT token based on
Hello This plugin doesn't support validation of JWT token for
First, great job on this plugin, it's super useful!
We have the scenario where Traefik routes API calls to backend services that are only meant to be used by specific audiences. I.e. we want to ensure that the `aud` claim is validated as early as possible; before the request even reaches the target service.
What would be great is if the `traefik-jwt-plugin` middleware could be configured to also specify the audience to validate. That way we could assign different jwt-plugin middlewares to different Traefik routes, ensuring that only requests are forwarded where the JWT is not only valid, but was also issued for the correct audience.
Is this something worth considering for this plugin?
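A per-route `aud` check of the kind requested above, sketched in Go as an added example; it is not code from traefik-jwt-plugin, and `CheckAudience`, `ErrAudience` and the audience names are hypothetical. It assumes the token's signature has already been verified and only the decoded payload is passed in.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrAudience: no configured audience matched (hypothetical name).
var ErrAudience = errors.New("token audience not accepted for this route")

// CheckAudience takes the payload of a JWT whose signature was already verified
// and the audiences configured for one route. RFC 7519 allows "aud" to be one
// string or an array of strings; a missing or malformed claim fails closed.
func CheckAudience(payload []byte, allowed []string) error {
	var claims struct{ Aud interface{} `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("invalid payload: %w", err)
	}
	var auds []string
	switch v := claims.Aud.(type) {
	case string:
		auds = []string{v}
	case []interface{}:
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return fmt.Errorf("%w: non-string aud entry", ErrAudience)
			}
			auds = append(auds, s)
		}
	default: // claim missing, null, number or object
		return ErrAudience
	}
	for _, got := range auds {
		for _, want := range allowed {
			if got != "" && got == want { // exact, case-sensitive match
				return nil
			}
		}
	}
	return ErrAudience
}

func main() {
	// Constructed payloads and audience names, for illustration only.
	fmt.Println(CheckAudience([]byte(`{"aud":["billing-api","reports-api"]}`), []string{"billing-api"}))
	fmt.Println(CheckAudience([]byte(`{"aud":"reports-api"}`), []string{"billing-api"}))
}
```

Giving each route its own `allowed` list is what lets two middlewares accept the same issuer's tokens while rejecting ones minted for the other backend.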