{"id":16286231,"url":"https://github.com/ivanjosipovic/ingress-nginx-validate-jwt","last_synced_at":"2025-03-16T13:31:28.506Z","repository":{"id":60410470,"uuid":"542653541","full_name":"IvanJosipovic/ingress-nginx-validate-jwt","owner":"IvanJosipovic","description":"Enables Kubernetes ingress-nginx to validate JWT tokens","archived":false,"fork":false,"pushed_at":"2025-03-13T10:07:30.000Z","size":494,"stargazers_count":45,"open_issues_count":2,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-16T02:47:27.733Z","etag":null,"topics":["ingress","ingress-nginx","jwt","jwt-authentication","kubernetes","nginx","traefik","validate"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IvanJosipovic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"IvanJosipovic"}},"created_at":"2022-09-28T15:13:12.000Z","updated_at":"2025-03-13T12:38:51.000Z","dependencies_parsed_at":"2024-02-07T10:28:10.690Z","dependency_job_id":"3a1a01a2-e4a1-4079-b0c9-1b600e87cb07","html_url":"https://github.com/IvanJosipovic/ingress-nginx-validate-jwt","commit_stats":null,"previous_names":[],"tags_count":276,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fingress-nginx-validate-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fingress-nginx-validate-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/IvanJosipovic%2Fingress-nginx-validate-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IvanJosipovic%2Fingress-nginx-validate-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IvanJosipovic","download_url":"https://codeload.github.com/IvanJosipovic/ingress-nginx-validate-jwt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243875157,"owners_count":20361959,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ingress","ingress-nginx","jwt","jwt-authentication","kubernetes","nginx","traefik","validate"],"created_at":"2024-10-10T19:42:35.740Z","updated_at":"2025-03-16T13:31:28.500Z","avatar_url":"https://github.com/IvanJosipovic.png","language":"C#","funding_links":["https://github.com/sponsors/IvanJosipovic"],"categories":[],"sub_categories":[],"readme":"# ingress-nginx-validate-jwt\n\n[![codecov](https://codecov.io/gh/IvanJosipovic/ingress-nginx-validate-jwt/branch/main/graph/badge.svg?token=hh1FWYrH5r)](https://codecov.io/gh/IvanJosipovic/ingress-nginx-validate-jwt)\n[![GitHub](https://img.shields.io/github/stars/ivanjosipovic/ingress-nginx-validate-jwt?style=social)](https://github.com/IvanJosipovic/ingress-nginx-validate-jwt)\n[![Artifact 
Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/ingress-nginx-validate-jwt)](https://artifacthub.io/packages/helm/ingress-nginx-validate-jwt/ingress-nginx-validate-jwt)\n![Downloads](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fipitio%2Fbackage%2Frefs%2Fheads%2Findex%2FIvanJosipovic%2Fingress-nginx-validate-jwt%2Fingress-nginx-validate-jwt%25252Fingress-nginx-validate-jwt.json\u0026query=%24.downloads\u0026label=downloads)\n[![Docker Pulls](https://img.shields.io/docker/pulls/ivanjosipovic/ingress-nginx-validate-jwt?label=docker%20pulls)](https://hub.docker.com/r/ivanjosipovic/ingress-nginx-validate-jwt)\n\n| :exclamation:  This project has been superseded by [OIDC-Guard](https://github.com/IvanJosipovic/OIDC-Guard), which provides authentication and authorization for both APIs and web applications, supporting JWT, cookie authentication, and more! |\n|-----------------------------------------|\n\n## What is this?\n\nThis project is an API server which is used along with the [nginx.ingress.kubernetes.io/auth-url](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication) annotation for ingress-nginx and enables per Ingress customizable JWT validation.\n\n### Supports AMD64 and ARM64\n\n## Install\n\n```bash\nhelm repo add ingress-nginx-validate-jwt https://ivanjosipovic.github.io/ingress-nginx-validate-jwt\n\nhelm repo update\n\nhelm install ingress-nginx-validate-jwt \\\ningress-nginx-validate-jwt/ingress-nginx-validate-jwt \\\n--create-namespace \\\n--namespace ingress-nginx-validate-jwt \\\n--set openIdProviderConfigurationUrl=\"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\"\n```\n\n### Options\n\n- openIdProviderConfigurationUrl\n  - OpenID Provider Configuration Url for your Identity Provider\n- logLevel\n  - Logging Level (Trace, Debug, Information, Warning, Error, Critical, and 
None)\n- [Helm Values](charts/ingress-nginx-validate-jwt/values.yaml)\n\n## Configure Ingress\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: ingress\n  namespace: default\n  annotations:\n    nginx.ingress.kubernetes.io/auth-url: http://ingress-nginx-validate-jwt.ingress-nginx-validate-jwt.svc.cluster.local:8080/auth?tid=11111111-1111-1111-1111-111111111111\u0026aud=22222222-2222-2222-2222-222222222222\u0026aud=33333333-3333-3333-3333-333333333333\nspec:\n```\n\n## Parameters\n\nThe /auth endpoint supports configurable parameters in the format of \\{claim\\}=\\{value\\}. If the same claim is specified more than once, the token only has to match one of the values.\n\nFor example, using the following query string\n/auth?  \ntid=11111111-1111-1111-1111-111111111111  \n\u0026aud=22222222-2222-2222-2222-222222222222  \n\u0026aud=33333333-3333-3333-3333-333333333333  \n\nIn addition to passing JWT validation, the token must contain the claim tid=11111111-1111-1111-1111-111111111111 and one of aud=22222222-2222-2222-2222-222222222222 or aud=33333333-3333-3333-3333-333333333333.\n\n### How to query arrays\nThe /auth endpoint is able to query arrays. We'll use the following JWT token in the example.\n```json\n{\n  \"email\": \"johndoe@example.com\",\n  \"groups\": [\"admin\", \"developers\"]\n}\n```\n\nUsing the following query string, we can limit this endpoint to only tokens with an admin group\n/auth?  \ngroups=admin\n\n### Inject claims as headers\nThe /auth endpoint supports a custom parameter called \"inject-claim\". The value is the name of the claim which will be added to the response headers.\n\nFor example, using the following query string\n/auth?  
\ntid=11111111-1111-1111-1111-111111111111  \n\u0026aud=22222222-2222-2222-2222-222222222222  \n\u0026inject-claim=email\n\nThe /auth response will contain header email=someuser@domain.com\n\n### Inject claims as headers with custom name\nThe value should be in the following format, \"\\{claim name\\},\\{header name\\}\".\n\nFor example, using the following query string\n/auth?  \ntid=11111111-1111-1111-1111-111111111111  \n\u0026aud=22222222-2222-2222-2222-222222222222  \n\u0026inject-claim=email,mail\n\nThe /auth response will contain header mail=someuser@domain.com\n\nExample Ingress\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: app\n  annotations:\n    nginx.ingress.kubernetes.io/auth-url: http://ingress-nginx-validate-jwt.ingress-nginx-validate-jwt.svc.cluster.local:8080/auth?aud=11111111-11111-1111111111\u0026inject-claim=groups,JWT-Claim-Groups\u0026inject-claim=scope,JWT-Claim-Scope\n    nginx.ingress.kubernetes.io/auth-response-headers: JWT-Claim-Groups, JWT-Claim-Scope\n```\n\n## Design\n\n![alt text](https://raw.githubusercontent.com/IvanJosipovic/ingress-nginx-validate-jwt/main/docs/validate-jwt.png)\n\n## Metrics\n\nMetrics are exposed on :8080/metrics\n\n| Metric Name  | Description |\n|---|---|\n| ingress_nginx_validate_jwt_authorized | Number of Authorized operations ongoing |\n| ingress_nginx_validate_jwt_unauthorized | Number of Unauthorized operations ongoing |\n| ingress_nginx_validate_jwt_duration_seconds | Histogram of JWT validation durations |\n\n## Building locally\n```\ncd src/ingress-nginx-validate-jwt\ndocker build -t ingress-nginx-validate-jwt -f Dockerfile .\ndocker run -e 
\"OpenIdProviderConfigurationUrl=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\" ingress-nginx-validate-jwt\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivanjosipovic%2Fingress-nginx-validate-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivanjosipovic%2Fingress-nginx-validate-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivanjosipovic%2Fingress-nginx-validate-jwt/lists"}