php-istio/jwt-authentication-bundle

This package is abandoned and no longer maintained. No replacement package was suggested.

Symfony bundle to help authenticate JWT payload from Istio Envoy proxy.

Maintainers

Details

github.com/php-istio/jwt-authentication-bundle

Source

Issues

Installs: 26 752

Dependents: 0

Suggesters: 0

Security: 0

Stars: 3

Watchers: 0

Forks: 1

Open Issues: 0

Type:symfony-bundle

v2.0.0 2022-07-29 08:28 UTC

Requires

Requires (Dev)

MIT 92dd729105c882a90306bdcc95d5b6597ce70212

  • Minh Vuong <vuongxuongminh.woop@gmail.com>

This package is auto-updated.

Last update: 2023-08-29 02:41:36 UTC

README

unit tests coding standards codecov Latest Stable Version

About

The Symfony bundle provides JWT authentication for request forwarded by Istio sidecar.

To use this bundle, make sure your K8S application pod had injected Istio sidecar and configured RequestAuthentication CRD, if not your application IS NOT SECURE.

The main difference between the awesome Lexik JWT Authentication bundle and this bundle is it's NOT validate JWT token because Istio sidecar had validated before forward request to your application, so that your application don't need to hold public key and double validate JWT token.

Requirements

PHP versions:

  • PHP 8.0

Symfony versions:

  • Symfony 5.3

Installation

composer require php-istio/jwt-authentication-bundle

Configuration

Enable the authenticator manager setting:

# config/packages/security.yaml
security:
  enable_authenticator_manager: true
  # ...

Then, configure your config/packages/security.yaml:

security:
  enable_authenticator_manager: true
  access_control: 
    - path: ^/
      roles: IS_AUTHENTICATED_FULLY
  firewalls:
    #...
    main:
      stateless: true
      istio_jwt_authenticator:
        rules:
          - issuer: issuer_1 # Required
            user_identifier_claim: sub #Default is `sub` claim
            origin_token_headers: [authorization] #Required at least once of `origin_token_headers`, `origin_token_query_params` or `base64_headers`. Use this option when your Istio JWTRule CRD using `forwardOriginalToken`.
            origin_token_query_params: [token] #Use this option when your Istio JWTRule CRD using `forwardOriginalToken` and your JWT token in query param.
            base64_headers: [x-istio-jwt-payload] # Use this option when your Istio JWTRule CRD using `outputPayloadToHeader`.
            prefix: "Bearer " #Token prefix of origin token passthrough by default blank ("") if not set.

In case your application have multi issuers:

#....
    main:
      stateless: true
      istio_jwt_authenticator:
        rules:
          - issuer: issuer_1
            origin_token_headers: [authorization]
            prefix: "Bearer "
          - issuer: issuer_2
            user_identifier_claim: aud
            base64_headers: [x-istio-jwt-payload]
        #....

Usage

#!/bin/bash

#Generate mock JWT token forwarded by Istio sidecar

payload='{"issuer":"issuer_1", "sub": "test"}';
base64_payload=$(echo -n $payload | base64 -);
origin_token=$(echo "header.$base64_payload.signature");

#You can test authenticate origin token with curl:

curl -H "Authorization: Bearer $origin_token" http://localhost/

#Or authenticate base64 payload header:

curl -H "X-Istio-JWT-Payload: $base64_payload" http://localhost/

Further readings

Credits