Skip to content

Commit

Permalink
support external jwt claims to be passed downsrream
Browse files Browse the repository at this point in the history
  • Loading branch information
ojafri committed Jun 10, 2019
1 parent 0687d9a commit 399e545
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 2 additions & 0 deletions extauth/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ extauth:
exp: true # can be true or false, but defaults to true; use true to check for the expiry time and send an error if the token is expired.
sendErr: true # can be either true or false, but defaults to true; set this to false if you want the extauth plugin to send an error if the JWT is invalid.
keepAuthHeader: false # can be true or false; default is false; set this to true if you want to pass the Authorization header to the backend.
extauth-claims-header: "header to be added with base64 encoded string of claims from authorization bearer jwt payload. Example value: x-extauth-claims" # default null for backward compatibility. When present, jwt payload claims are extracted and added as a request header of this name
extauth-exclude-claims: "array of claims to be excluded from extauth-claims-header" # used only when `extauth-claims-header` is set. Example value: ['application_name', 'client_id', 'api_product_list', 'iat', 'exp']
```
## Enable the plugin
Expand Down
15 changes: 14 additions & 1 deletion extauth/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
*
*/

var _ = require('lodash');
var debug = require('debug')('plugin:extauth');
var request = require('request');
var rs = require('jsrsasign');
Expand All @@ -28,7 +29,11 @@ module.exports.init = function(config, logger, stats) {
var sendErr = config.hasOwnProperty("sendErr") ? config.sendErr : true;
//preserve or delete the auth header
var keepAuthHeader = config.hasOwnProperty('keep-authorization-header') ? config['keep-authorization-header'] : false;

//extracts jwt claims from header authorization bearer jwt and adds them in a new header x-extauth-claims (default null for backward compatibility)
var extauthClaimsHeader = config.hasOwnProperty('extauth-claims-header') ? config['extauth-claims-header'] : null;
//sensitive claims to be omitted from extauth claims header, if enabled
var PRIVATE_JWT_VALUES = config.hasOwnProperty('extauth-exclude-claims') ? config['extauth-exclude-claims'] : ['application_name', 'client_id', 'api_product_list', 'iat', 'exp'];

if (iss) {
debug("Issuer " + iss);
acceptField.iss = [];
Expand Down Expand Up @@ -107,6 +112,10 @@ module.exports.init = function(config, logger, stats) {
debug("key type is PEM");
isValid = validateJWT(publickeys, jwtpayload[1], exp);
if (isValid) {
if(extauthClaimsHeader) {
var authClaims = _.omit(jwtdecode, PRIVATE_JWT_VALUES);
req.headers[extauthClaimsHeader] = new Buffer(JSON.stringify(authClaims)).toString('base64');
}
if (!keepAuthHeader) {
delete(req.headers['authorization']);
}
Expand Down Expand Up @@ -145,6 +154,10 @@ module.exports.init = function(config, logger, stats) {
isValid = validateJWT(pem, jwtpayload[1], exp);
if (isValid) {
debug("JWT is valid");
if(extauthClaimsHeader) {
var authClaims = _.omit(jwtdecode.payloadObj, PRIVATE_JWT_VALUES);
req.headers[extauthClaimsHeader] = new Buffer(JSON.stringify(authClaims)).toString('base64');
}
if (!keepAuthHeader) {
delete(req.headers['authorization']);
}
Expand Down

0 comments on commit 399e545

Please sign in to comment.