php-istio/jwt-payload-extractor

This package is abandoned and no longer maintained. No replacement package was suggested.

Library to help extract JWT payload from Istio Envoy proxy.

v1.1.1 2021-10-30 06:51 UTC

This package is auto-updated.

Last update: 2023-08-29 02:41:35 UTC


README

unit tests coding standards codecov Latest Stable Version

About

This library help to extract trusted JWT payload from request forwarded by Istio Sidecar. It's based on PSR-7 Server Request Message ensures interoperability with other packages and frameworks.

UML

Requirements

PHP versions:

  • PHP 8.0

Installation

First install this library:

composer require php-istio/jwt-payload-extractor

And choice one of PSR-7 implementation package (ex: nyholm/psr7-server):

composer require nyholm/psr7 nyholm/psr7-server

Usage

Istio JWTRules part of RequestAuthentication CRD (Custom Resource Definition) support forward origin token (forwardOriginalToken option), or just only base64 payload via specify header name (outputPayloadToHeader option), depend on your strategy you need to select method to extract your trusted JWT payload from forwarded request:

  • Extract from origin token in header:
<?php
$psr17Factory = new \Nyholm\Psr7\Factory\Psr17Factory();

$creator = new \Nyholm\Psr7Server\ServerRequestCreator(
    $psr17Factory, // ServerRequestFactory
    $psr17Factory, // UriFactory
    $psr17Factory, // UploadedFileFactory
    $psr17Factory  // StreamFactory
);

$serverRequest = $creator->fromGlobals();
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer.example');
$payload = $extractor->extract($serverRequest);

if(null !== $payload) {
    var_dump($payload);
}

// by default it extract token from `authorization` header with `Bearer ` prefix, you can change it via next args:

$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer.example', 'x-token', 'yourPrefix ');
  • Extract origin token in query param:
<?php
//......
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer.example', 'token');
$payload = $extractor->extract($serverRequest);
//......
  • Extract base64 payload in header:
<?php
//......
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromBase64Header('issuer.example', 'x-istio-jwt-payload');
$payload = $extractor->extract($serverRequest);
//......
  • In case your application have many JWT issuers, or many extraction strategies:
<?php
//......
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromExtractors(
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromBase64Header('issuer1.example', 'x-istio-jwt-payload'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer1.example', 'token'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer2.example', 'authorization'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer3.example', 'token'),
);
$payload = $extractor->extract($serverRequest);
//......

Testing

This library uses PHPUnit for unit tests:

vendor/bin/phpunit

Credits