From 459d4430e825768859a5775e4dc8da289cd2adef Mon Sep 17 00:00:00 2001
From: Ryan Breen
Date: Tue, 5 Jan 2016 12:43:56 -0500
Subject: [PATCH 1/4] Allow for configuration of the JWT field used as the key to find the secret. By default, iss is preserved, but in other cases something like aud will make more sense.
---
 kong/plugins/jwt/access.lua | 15 +++++++++++----
 kong/plugins/jwt/schema.lua | 1 +
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/kong/plugins/jwt/access.lua b/kong/plugins/jwt/access.lua
index 23500b706f5e..0445403126c4 100644
--- a/kong/plugins/jwt/access.lua
+++ b/kong/plugins/jwt/access.lua
@@ -65,10 +65,17 @@ function _M.execute(conf)
 local claims = jwt.claims
 
- local jwt_secret_key = claims.iss
+ local jwt_secret_key_field = "iss"
+ if conf.secret_key_field then
+ jwt_secret_key_field = conf.secret_key_field
+ end
+
+ ngx.log(ngx.DEBUG, "Looking for secret in "..jwt_secret_key_field)
+
+ local jwt_secret_key = claims[jwt_secret_key_field]
 if not jwt_secret_key then
 ngx.ctx.stop_phases = true
- return responses.send_HTTP_UNAUTHORIZED("No mandatory 'iss' in claims")
+ return responses.send_HTTP_UNAUTHORIZED("No mandatory '"..jwt_secret_key_field.."' in claims")
 end
 
 -- Retrieve the secret
@@ -83,7 +90,7 @@ function _M.execute(conf)
 
 if not jwt_secret then
 ngx.ctx.stop_phases = true
- return responses.send_HTTP_FORBIDDEN("No credentials found for given 'iss'")
+ return responses.send_HTTP_FORBIDDEN("No credentials found for given '"..jwt_secret_key_field.."'")
 end
 
 -- Now verify the JWT signature
@@ -111,7 +118,7 @@ function _M.execute(conf)
 -- However this should not happen
 if not consumer then
 ngx.ctx.stop_phases = true
- return responses.send_HTTP_FORBIDDEN(string_format("Could not find consumer for '%s=%s'", "iss", jwt_secret_key))
+ return responses.send_HTTP_FORBIDDEN(string_format("Could not find consumer for '%s=%s'", jwt_secret_key_field, jwt_secret_key))
 end
 
 ngx.req.set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
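Review bot: `claims[jwt_secret_key_field]` is read from the still-unverified token and used as the credential lookup key (signature verification only follows at `-- Now verify the JWT signature` in the second hunk), and the commit message proposes pointing the option at `aud`, which RFC 7519 allows to be an array rather than a string; only the truthiness of the value is checked here. A non-string claim value would then flow into the credential lookup and into the `%s` of the third hunk's `string_format`, which on stock Lua 5.1 raises instead of formatting (LuaJIT may stringify a table address instead). Add a type guard next to the nil check: `if type(jwt_secret_key) ~= "string" then ngx.ctx.stop_phases = true; return responses.send_HTTP_UNAUTHORIZED("Claim '"..jwt_secret_key_field.."' must be a string") end`. The same unguarded lookup survives as `claims[conf.secret_key_field]` in the first hunk of PATCH 4/4, which is where the guard belongs in the final code. `_M.execute` begins and ends outside these hunks.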
diff --git a/kong/plugins/jwt/schema.lua b/kong/plugins/jwt/schema.lua
index ce45fd2c2265..37892478207c 100644
--- a/kong/plugins/jwt/schema.lua
+++ b/kong/plugins/jwt/schema.lua
@@ -2,6 +2,7 @@ return {
 no_consumer = true,
 fields = {
 uri_param_names = {type = "array", default = {"jwt"}},
+ secret_key_field = {type = "string", default = "iss"},
 claims_to_verify = {type = "array", enum = {"exp", "nbf"}}
 }
 }

From 3606f93af1c00db7e137a56830a57641806683ea Mon Sep 17 00:00:00 2001
From: Ryan Breen
Date: Tue, 5 Jan 2016 12:53:06 -0500
Subject: [PATCH 2/4] Trim a debug line.
---
 kong/plugins/jwt/access.lua | 2 --
 1 file changed, 2 deletions(-)

diff --git a/kong/plugins/jwt/access.lua b/kong/plugins/jwt/access.lua
index 0445403126c4..6b519b665317 100644
--- a/kong/plugins/jwt/access.lua
+++ b/kong/plugins/jwt/access.lua
@@ -70,8 +70,6 @@ function _M.execute(conf)
 jwt_secret_key_field = conf.secret_key_field
 end
 
- ngx.log(ngx.DEBUG, "Looking for secret in "..jwt_secret_key_field)
-
 local jwt_secret_key = claims[jwt_secret_key_field]
 if not jwt_secret_key then
 ngx.ctx.stop_phases = true

From e5c0c956310f80f3bfc05511367478e5f7a05da8 Mon Sep 17 00:00:00 2001
From: Ryan Breen
Date: Tue, 5 Jan 2016 14:49:18 -0500
Subject: [PATCH 3/4] Remove suspenders because schema validation is a good belt.
---
 kong/plugins/jwt/access.lua | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/kong/plugins/jwt/access.lua b/kong/plugins/jwt/access.lua
index 6b519b665317..7bdfeccf5224 100644
--- a/kong/plugins/jwt/access.lua
+++ b/kong/plugins/jwt/access.lua
@@ -65,10 +65,7 @@ function _M.execute(conf)
 local claims = jwt.claims
 
- local jwt_secret_key_field = "iss"
- if conf.secret_key_field then
- jwt_secret_key_field = conf.secret_key_field
- end
+ local jwt_secret_key_field = conf.secret_key_field
 
 local jwt_secret_key = claims[jwt_secret_key_field]
 if not jwt_secret_key then
From feecd6e57dbab0be02cc4e61cfd578ea82706859 Mon Sep 17 00:00:00 2001
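Review bot: `secret_key_field` accepts any string, so an operator can point the plugin at a numeric claim such as `exp` or at a claim name that is never present, and the schema says nothing about which claims are meaningful as a credential key. The same file already constrains `claims_to_verify` with `enum`; if a fixed set is acceptable, `secret_key_field = {type = "string", enum = {"iss", "aud"}, default = "iss"}, -- claim whose value selects the JWT credential` would document the intent and reject a typo at configuration time rather than at the first request.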
From: Ryan Breen
Date: Tue, 5 Jan 2016 14:52:58 -0500
Subject: [PATCH 4/4] Remove unnecessary variable.
---
 kong/plugins/jwt/access.lua | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/kong/plugins/jwt/access.lua b/kong/plugins/jwt/access.lua
index 7bdfeccf5224..a7dc064112cc 100644
--- a/kong/plugins/jwt/access.lua
+++ b/kong/plugins/jwt/access.lua
@@ -65,12 +65,10 @@ function _M.execute(conf)
 local claims = jwt.claims
 
- local jwt_secret_key_field = conf.secret_key_field
-
- local jwt_secret_key = claims[jwt_secret_key_field]
+ local jwt_secret_key = claims[conf.secret_key_field]
 if not jwt_secret_key then
 ngx.ctx.stop_phases = true
- return responses.send_HTTP_UNAUTHORIZED("No mandatory '"..jwt_secret_key_field.."' in claims")
+ return responses.send_HTTP_UNAUTHORIZED("No mandatory '"..conf.secret_key_field.."' in claims")
 end
 
 -- Retrieve the secret
@@ -85,7 +83,7 @@ function _M.execute(conf)
 
 if not jwt_secret then
 ngx.ctx.stop_phases = true
- return responses.send_HTTP_FORBIDDEN("No credentials found for given '"..jwt_secret_key_field.."'")
+ return responses.send_HTTP_FORBIDDEN("No credentials found for given '"..conf.secret_key_field.."'")
 end
 
 -- Now verify the JWT signature
@@ -113,7 +111,7 @@ function _M.execute(conf)
 -- However this should not happen
 if not consumer then
 ngx.ctx.stop_phases = true
- return responses.send_HTTP_FORBIDDEN(string_format("Could not find consumer for '%s=%s'", jwt_secret_key_field, jwt_secret_key))
+ return responses.send_HTTP_FORBIDDEN(string_format("Could not find consumer for '%s=%s'", conf.secret_key_field, jwt_secret_key))
 end
 
 ngx.req.set_header(constants.HEADERS.CONSUMER_ID, consumer.id)