{"id":13562329,"url":"https://github.com/SimonSchneider/traefik-jwt-decode","last_synced_at":"2025-04-03T18:33:22.978Z","repository":{"id":40505912,"uuid":"269162225","full_name":"SimonSchneider/traefik-jwt-decode","owner":"SimonSchneider","description":"Traefik forward auth implementation for JWT tokens","archived":false,"fork":false,"pushed_at":"2024-05-20T04:13:23.000Z","size":108,"stargazers_count":28,"open_issues_count":9,"forks_count":15,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-04T14:44:52.985Z","etag":null,"topics":["forwardauth","jwt-auth","jwt-authentication","jwt-tokens","traefik"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SimonSchneider.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-03T18:17:34.000Z","updated_at":"2024-10-21T15:56:12.000Z","dependencies_parsed_at":"2024-06-23T03:02:32.288Z","dependency_job_id":null,"html_url":"https://github.com/SimonSchneider/traefik-jwt-decode","commit_stats":null,"previous_names":[],"tags_count":44,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonSchneider%2Ftraefik-jwt-decode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonSchneider%2Ftraefik-jwt-decode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonSchneider%2Ftraefik-jwt-decode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SimonSchneider%2Ftraefik-jwt-decode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SimonSchneider","download_url":"https://codeload.github.com/SimonSchneider/traefik-jwt-decode/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247057010,"owners_count":20876495,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forwardauth","jwt-auth","jwt-authentication","jwt-tokens","traefik"],"created_at":"2024-08-01T13:01:07.281Z","updated_at":"2025-04-03T18:33:17.961Z","avatar_url":"https://github.com/SimonSchneider.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Traefik JWT Decode\n\n![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/SimonSchneider/traefik-jwt-decode)\n![Docker Image Size (latest by date)](https://img.shields.io/docker/image-size/simonschneider/traefik-jwt-decode)\n[![Coverage](http://gocover.io/_badge/github.com/SimonSchneider/traefik-jwt-decode/decoder)](http://gocover.io/github.com/SimonSchneider/traefik-jwt-decode/decoder)\n[![Go Report Card](https://goreportcard.com/badge/github.com/SimonSchneider/traefik-jwt-decode)](https://goreportcard.com/report/github.com/SimonSchneider/traefik-jwt-decode)\n\n[Traefik Forward auth](https://docs.traefik.io/middlewares/forwardauth/)\nimplementation that decodes and validates JWT (JWS) tokens and populates\nheaders with configurable claims from the token.\nThe tokens are validated using jwks, checked for expiration and cached.\n\nIf the token is invalid, ie. can't be verified or is expired `traefik-jwt-decode`\nwill respond with a `UNAUTHORIZED 401`.\n\nIf the token is valid `traefik-jwt-decode` will respond with a `OK 200` and\nheaders mapped from the claims of the token and an additional (configurable) `jwt-token-validated: true` header. \nTraefik should be configured to forward these headers via the `authResponseHeaders` which forwards them to the\nend destination.\n\nIf no token is present on the request and `AUTH_HEADER_REQUIRED` is `true`, `traefik-jwt-decode` will return 401.\n\nIf no token is present on the request and `AUTH_HEADER_REQUIRED` is `false`, `traefik-jwt-decode` will return 200 and set the header `jwt-token-validated: false`.\n\n## Installation and usage\n\n### Minimal with helm\n\nThe below example will deploy `traefik-jwt-decode` into kubernetes which \nwill map the claims `email` and `scopes` into the headers `jwt-token-email` and\n`jwt-token-scopes`.\n\nIt will then create a traefik forwardAuth middleware that forwards the \n`jwt-token-validated`, `jwt-token-email` and `jwt-token-scopes` to the upstream service.\n```\ncd _helm\n\nhelm install traefik-jwt-decode traefik-jwt-decode \\\n  --set env.JWKS_URL=\"https://www.googleapis.com/oauth2/v3/certs\" \\\n  --set env.CLAIM_MAPPINGS=\"email:jwt-token-email,scopes:jwt-token-scopes\"\n\ncat \u003c\u003cEOF \u003e\u003e traefik-auth-resource.yaml\napiVersion: traefik.containo.us/v1alpha1\nkind: Middleware\nmetadata:\n  name: jwt-decode-auth\nspec:\n  forwardAuth:\n    address: http://traefik-jwt-decode:8080\n    authResponseHeaders:\n      - jwt-token-validated\n      - jwt-token-email\n      - jwt-token-scopes\nEOF\n\nkubectl apply -f traefik-auth-resource.yaml\n```\n\n### Configuring and running the docker image:\n\nminimal (with claimMapping env variable)\n```\ndocker run \\\n  -e CLAIM_MAPPINGS=\"claim-123:header-123,claim-456:header-456\" \\\n  -e JWKS_URL=\"https://www.googleapis.com/oauth2/v3/certs\" \\\n  -p 8080:8080 \\\n  simonschneider/traefik-jwt-decode:latest\n```\n\nminimal (with claim file):\n```\necho \"{ \\\"claim-123\\\": \\\"header-123\\\" }\" \u003e config.json\n\ndocker run \\\n  -v $(pwd)/config.json:/config.json \\\n  -e JWKS_URL=\"https://www.googleapis.com/oauth2/v3/certs\" \\\n  -p 8080:8080 \\\n  simonschneider/traefik-jwt-decode:latest\n```\n\n### Configuration reference\n\nrequired configurations:\n```\nJWKS_URL\nurl pointing at the jwks json file (https://auth0.com/docs/tokens/concepts/jwks)\n```\n\ndefault configurations\n```\nCLAIM_MAPPING_FILE_PATH    = config.json\nAUTH_HEADER_KEY            = Authorization\nTOKEN_VALIDATED_HEADER_KEY = jwt-token-validated\nAUTH_HEADER_REQUIRED       = false\nPORT                       = 8080\nLOG_LEVEL                  = info                = trace | debug | info | warn | crit\nLOG_TYPE                   = json                = json | pretty\nMAX_CACHE_KEYS             = 10000\nCACHE_ENABLED              = true\nFORCE_JWKS_ON_START        = true\n```\n\noptional configurations\n```\nCLAIM_MAPPINGS=claim1:header1,claim2:header2\nset up claim mappings by env, on the format\nthe above corresponds to the json\n\n{\n  \"claim1\": \"header1\",\n  \"claim2\": \"header2\"\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSimonSchneider%2Ftraefik-jwt-decode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSimonSchneider%2Ftraefik-jwt-decode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSimonSchneider%2Ftraefik-jwt-decode/lists"}