This Symfony bundle provides JWT authentication for requests forwarded by the Istio sidecar.
To use this bundle, make sure your Kubernetes application pod has the Istio sidecar injected and a RequestAuthentication CRD configured; if not, your application IS NOT SECURE.
The main difference between the awesome Lexik JWT Authentication bundle and this bundle is that this bundle does NOT validate the JWT token: the Istio sidecar has already validated it before forwarding the request to your application, so your application does not need to hold the public key and validate the JWT token a second time.
PHP versions:
- PHP 8.0
Symfony versions:
- Symfony 5.3
```shell
composer require php-istio/jwt-authentication-bundle
```
Enable the authenticator manager setting:
```yaml
# config/packages/security.yaml
security:
    enable_authenticator_manager: true
    # ...
```
Then, configure your `config/packages/security.yaml`:
```yaml
security:
    enable_authenticator_manager: true
    access_control:
        - path: ^/
          roles: IS_AUTHENTICATED_FULLY
    firewalls:
        #...
        main:
            stateless: true
            istio_jwt_authenticator:
                rules:
                    - issuer: issuer_1 # Required
                      user_identifier_claim: sub # Default is the `sub` claim
                      origin_token_headers: [authorization] # At least one of `origin_token_headers`, `origin_token_query_params` or `base64_headers` is required. Use this option when your Istio JWTRule CRD uses `forwardOriginalToken`.
                      origin_token_query_params: [token] # Use this option when your Istio JWTRule CRD uses `forwardOriginalToken` and your JWT token is passed in a query param.
                      base64_headers: [x-istio-jwt-payload] # Use this option when your Istio JWTRule CRD uses `outputPayloadToHeader`.
                      prefix: "Bearer " # Prefix of the forwarded origin token; defaults to blank ("") if not set.
```
If your application has multiple issuers:
```yaml
#....
        main:
            stateless: true
            istio_jwt_authenticator:
                rules:
                    - issuer: issuer_1
                      origin_token_headers: [authorization]
                      prefix: "Bearer "
                    - issuer: issuer_2
                      user_identifier_claim: aud
                      base64_headers: [x-istio-jwt-payload]
#....
```
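As an added illustration (not the bundle's own code), the following PHP shows how a resolver modelled on the rules above can pull the already-verified JWT payload out of a forwarded request and pick the user identifier from it: the `origin_token_*` options read a full token (after stripping `prefix`) and decode only its payload segment, while `base64_headers` reads the bare payload that `outputPayloadToHeader` emits. The function names, the lower-cased header array, the lenient base64/base64url decoding, and matching a rule's `issuer` against the token's standard `iss` claim are assumptions of this example; the bundle's real classes and matching logic may differ.

```php
<?php
// Added example, not the bundle's code. All names below are assumed.
declare(strict_types=1);

/** Decode standard or URL-safe base64, with or without padding; null on failure. */
function decodeBase64Lenient(string $data): ?string
{
    $data = strtr($data, '-_', '+/');
    $rem = strlen($data) % 4;
    if ($rem !== 0) {
        $data .= str_repeat('=', 4 - $rem);
    }
    $decoded = base64_decode($data, true); // strict: reject stray characters
    return $decoded === false ? null : $decoded;
}

/** Decode a base64 JSON object into a claims array; null if it is not one. */
function decodeClaims(string $base64): ?array
{
    $json = decodeBase64Lenient($base64);
    if ($json === null) {
        return null;
    }
    $claims = json_decode($json, true);
    return is_array($claims) ? $claims : null;
}

/**
 * Extract claims from one request according to one rule.
 * $headers must be keyed by lower-cased header name (as Symfony's HeaderBag does).
 * No signature is checked here: the Istio sidecar is assumed to have done that,
 * which is exactly why the pod must not be reachable without the sidecar.
 */
function extractClaims(array $rule, array $headers, array $query): ?array
{
    $prefix = $rule['prefix'] ?? '';
    $sources = [];
    foreach ($rule['origin_token_headers'] ?? [] as $name) {
        $sources[] = $headers[strtolower($name)] ?? null;
    }
    foreach ($rule['origin_token_query_params'] ?? [] as $name) {
        $sources[] = $query[$name] ?? null;
    }
    // forwardOriginalToken: full JWT arrives; use only the middle (payload) segment.
    foreach ($sources as $value) {
        if ($value === null) {
            continue;
        }
        if ($prefix !== '' && strncmp($value, $prefix, strlen($prefix)) !== 0) {
            continue; // wrong or missing prefix, e.g. a Basic credential in Authorization
        }
        $parts = explode('.', substr($value, strlen($prefix)));
        if (count($parts) === 3 && ($claims = decodeClaims($parts[1])) !== null) {
            return $claims;
        }
    }
    // outputPayloadToHeader: only the base64 payload arrives.
    foreach ($rule['base64_headers'] ?? [] as $name) {
        $value = $headers[strtolower($name)] ?? null;
        if ($value !== null && ($claims = decodeClaims($value)) !== null) {
            return $claims;
        }
    }
    return null;
}

/** Walk the rules in order; return the identifier from the first rule whose issuer matches. */
function resolveUserIdentifier(array $rules, array $headers, array $query): ?string
{
    foreach ($rules as $rule) {
        $claims = extractClaims($rule, $headers, $query);
        // Assumption: the rule's `issuer` is compared with the standard `iss` claim.
        if ($claims === null || ($claims['iss'] ?? null) !== $rule['issuer']) {
            continue;
        }
        $id = $claims[$rule['user_identifier_claim'] ?? 'sub'] ?? null;
        return is_string($id) ? $id : null;
    }
    return null;
}

// Constructed sample input: the two-issuer rules from the README and two requests.
$rules = [
    ['issuer' => 'issuer_1', 'origin_token_headers' => ['authorization'], 'prefix' => 'Bearer '],
    ['issuer' => 'issuer_2', 'user_identifier_claim' => 'aud', 'base64_headers' => ['x-istio-jwt-payload']],
];
$b64url = fn(array $claims): string => rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
$viaOriginToken = ['authorization' => 'Bearer header.' . $b64url(['iss' => 'issuer_1', 'sub' => 'alice']) . '.signature'];
$viaPayloadHeader = ['x-istio-jwt-payload' => $b64url(['iss' => 'issuer_2', 'aud' => 'svc-b'])];

var_dump(resolveUserIdentifier($rules, $viaOriginToken, []));   // identifier from rule 1 (`sub`)
var_dump(resolveUserIdentifier($rules, $viaPayloadHeader, [])); // identifier from rule 2 (`aud`)
var_dump(resolveUserIdentifier($rules, [], []));                // no usable token: null
```

Run it with `php example.php`. The mismatched-prefix and wrong-issuer branches are where a real authenticator should fail closed (return no user rather than fall back to an anonymous identity); everything else rests on the README's premise that only the sidecar can deliver these headers to the pod.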
```bash
#!/bin/bash
# Generate a mock JWT token as forwarded by the Istio sidecar
payload='{"issuer":"issuer_1", "sub": "test"}'
base64_payload=$(printf '%s' "$payload" | base64)
origin_token="header.$base64_payload.signature"
# You can test authenticating with the origin token using curl:
curl -H "Authorization: Bearer $origin_token" http://localhost/
# Or authenticate with the base64 payload header:
curl -H "X-Istio-JWT-Payload: $base64_payload" http://localhost/
```