php-istio / jwt-payload-extractor
Library to help extract JWT payload from Istio Envoy proxy.
Requires
- php: >=8.0
- psr/http-message: ^1.0
Requires (Dev)
- nyholm/psr7: ^1.4
- nyholm/psr7-server: ^1.0
- phpunit/phpunit: ^9.5
README
About
This library helps extract the trusted JWT payload from requests forwarded by the Istio sidecar. It is based on the PSR-7 Server Request message, which ensures interoperability with other packages and frameworks.
Requirements
PHP versions:
- PHP 8.0
Installation
First install this library:
composer require php-istio/jwt-payload-extractor
Then choose a PSR-7 implementation package (e.g. nyholm/psr7-server):
composer require nyholm/psr7 nyholm/psr7-server
Usage
The JWTRule part of Istio's RequestAuthentication CRD (Custom Resource Definition) supports forwarding the original token (forwardOriginalToken option) or forwarding only the base64 payload in a header you name (outputPayloadToHeader option). Depending on your strategy, select the matching method to extract the trusted JWT payload from the forwarded request:
- Extract from origin token in header:
<?php

$psr17Factory = new \Nyholm\Psr7\Factory\Psr17Factory();

$creator = new \Nyholm\Psr7Server\ServerRequestCreator(
    $psr17Factory, // ServerRequestFactory
    $psr17Factory, // UriFactory
    $psr17Factory, // UploadedFileFactory
    $psr17Factory  // StreamFactory
);

$serverRequest = $creator->fromGlobals();

$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer.example');

$payload = $extractor->extract($serverRequest);

if (null !== $payload) {
    var_dump($payload);
}

// By default the token is extracted from the `authorization` header with the `Bearer ` prefix; you can change both via the next arguments:
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer.example', 'x-token', 'yourPrefix ');
- Extract origin token in query param:
<?php
// ...

$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer.example', 'token');

$payload = $extractor->extract($serverRequest);

// ...
- Extract base64 payload in header:
<?php
// ...

$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromBase64Header('issuer.example', 'x-istio-jwt-payload');

$payload = $extractor->extract($serverRequest);

// ...
- If your application has many JWT issuers or many extraction strategies:
<?php
// ...

$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromExtractors(
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromBase64Header('issuer1.example', 'x-istio-jwt-payload'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer1.example', 'token'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer2.example', 'authorization'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer3.example', 'token'),
);

$payload = $extractor->extract($serverRequest);

// ...
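What the base64 header strategy involves on the application side, as an added example that is not the library's own code: decode the value the sidecar writes to the outputPayloadToHeader header and accept the claims only when they name the expected issuer, failing closed on anything malformed. The function name decodeForwardedPayload and the sample claims are assumptions made for illustration, and because nothing here verifies a signature, the result is only as trustworthy as the guarantee that the workload is reachable solely through the sidecar that validated the token.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of php-istio/jwt-payload-extractor).
 * Returns the claims array, or null when the header is absent, malformed,
 * or issued by someone other than $expectedIssuer.
 */
function decodeForwardedPayload(?string $headerValue, string $expectedIssuer): ?array
{
    if (null === $headerValue || '' === $headerValue) {
        return null; // header absent: no authenticated principal
    }

    // The forwarded value is base64url without padding; map it to the
    // standard alphabet and re-pad before decoding.
    $b64 = strtr($headerValue, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true); // strict: reject out-of-alphabet bytes
    if (false === $json) {
        return null;
    }

    try {
        // Shallow depth limit: JWT claims are not deeply nested.
        $payload = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    } catch (\JsonException) {
        return null;
    }

    // Fail closed unless this is a JSON object whose `iss` matches exactly.
    if (!is_array($payload) || !is_string($payload['iss'] ?? null)
        || $payload['iss'] !== $expectedIssuer) {
        return null;
    }

    return $payload;
}

// Constructed sample: the claims a sidecar would forward after validation.
$claims = ['iss' => 'issuer.example', 'sub' => 'user-123', 'exp' => 1900000000];
$header = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');

var_dump(decodeForwardedPayload($header, 'issuer.example'));        // matching issuer
var_dump(decodeForwardedPayload($header, 'other.example'));         // issuer mismatch
var_dump(decodeForwardedPayload('not base64!', 'issuer.example'));  // malformed value
var_dump(decodeForwardedPayload(null, 'issuer.example'));           // header missing
```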
Testing
This library uses PHPUnit for unit tests:
vendor/bin/phpunit