{"id":18445732,"url":"https://github.com/voronenko/kong-plugin-sa-jwt-claims-validate","last_synced_at":"2025-04-15T01:16:01.866Z","repository":{"id":145345600,"uuid":"248444885","full_name":"Voronenko/kong-plugin-sa-jwt-claims-validate","owner":"Voronenko","description":"Kong2 compatible plugin for validation of the custom JWT token claims","archived":false,"fork":false,"pushed_at":"2020-03-21T13:28:39.000Z","size":37,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-15T01:15:45.555Z","etag":null,"topics":["jwt","kong","kong-jwt","kong-plugin","kong2"],"latest_commit_sha":null,"homepage":null,"language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Voronenko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-19T08:07:10.000Z","updated_at":"2022-11-22T18:25:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"7be2cd2b-d4e2-473f-815c-19557ccc163a","html_url":"https://github.com/Voronenko/kong-plugin-sa-jwt-claims-validate","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fkong-plugin-sa-jwt-claims-validate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fkong-plugin-sa-jwt-claims-validate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fkong-plugin-sa-jwt-claims-validate/releases","manifests_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fkong-plugin-sa-jwt-claims-validate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Voronenko","download_url":"https://codeload.github.com/Voronenko/kong-plugin-sa-jwt-claims-validate/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248986315,"owners_count":21194025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","kong","kong-jwt","kong-plugin","kong2"],"created_at":"2024-11-06T07:07:02.402Z","updated_at":"2025-04-15T01:16:01.858Z","avatar_url":"https://github.com/Voronenko.png","language":"Lua","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status][badge-travis-image]][badge-travis-url]\n\nsa-jwt-claims-validate\n======================\n\nPlugin functionality:\n\nThis plugin is meant to work in combination with Kong's built-in jwt plugin.\nThe built-in plugin is responsible for validating the JWT signature and the validity/expiration claims.\n\nThis plugin exposes the token's claims to upstream services via headers.\nAdditionally, it can be used as a security filter that enforces the presence of\nspecified claims and checks that they match the expected values.\n\n## Usage\n\n### Parameters\n\n| Parameter | Default  | Required | Description |\n| --- | --- | --- | --- |\n| `name` || true | plugin name, has to be `sa-jwt-claims-validate` |\n| `config.log_level` |\"info\"| false | Sets the level of detail logged for troubleshooting |\n| `config.option_expose_headers` |true| false | If set to true, all JWT token data are decoded 
and exposed to upstream as headers.  |\n| `config.exposed_headers` |\"all\"| false | Comma-separated list of claims to be exposed to upstream as headers, or `all` |\n| `config.validate_iss` |\"\"| false | If set, the iss claim is compared to this value |\n| `config.validate_sub` |\"\"| false | If set, the sub claim is compared to this value |\n| `config.validate_aud` |\"\"| false | If set, the aud claim is compared to this value |\n| `config.validate_azp` |\"\"| false | If set, the azp claim is compared to this value |\n| `config.validate_client_id` |\"\"| false | If set, the client_id claim is compared to this value |\n| `config.validate_dynamic1` |\"\"| false | If set in the form claim==\u003evalue, validates that the claim equals the specified value |\n| `config.validate_dynamic2` |\"\"| false | If set in the form claim==\u003evalue, validates that the claim equals the specified value |\n| `config.validate_dynamic3` |\"\"| false | If set in the form claim==\u003evalue, validates that the claim equals the specified value |\n| `config.claims` |nil| false | If set as a map in the form claim:value, validates that the claims match the specified values. The number of claims is not limited |\n\n### Output\n\nThe plugin can expose all or selected claims as headers of the form `x-sa-jwt-claim-CLAIMNAME`. 
If a claim contains an object, you get its JSON-serialized value; otherwise you get a string.\n\nSeparately, the original authorization token is output in the header `x-sa-jwt-token`.\n\n\n## (A) expose jwt token info to upstream services\n\nFor an incoming token (location configurable)\n```\nAuthorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlF6bEZOak5CUmtZNVJqY3lOVVpCUmpJMU5qRkJOMFl4T0VNMVJFSXhNelU0TVVJeU5qa3dSUSJ9.eyJpc3MiOiJodHRwczovL3Zvcm9uZW5rby5hdXRoMC5jb20vIiwic3ViIjoiUjQ3N3pkMGRoRDBIcTNDbk5JRWdFNjc3bndib1lENXVAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vaW1wbGljaXRncmFudC5hdXRoMC52b3JvbmVua28ubmV0IiwiaWF0IjoxNTc1NTgzNTM2LCJleHAiOjE1NzU2Njk5MzYsImF6cCI6IlI0Nzd6ZDBkaEQwSHEzQ25OSUVnRTY3N253Ym9ZRDV1IiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.aIx7LnT7aFPxmK4wCXxxGhEKrxPsGlZ3azEFykynkf6hfyb-4zCXlrqvxNjB9pk_PO8MxmKRJeoRsHLmNOvVls3tE90GQNa6DrqyWuO5PxZetkPyR56o5axt4PddZlop-mukiMYrZF2bP_gdRBZnhR2OJ4vU3qG6Rvs2k-J65tbb2oUERWps7KDC2FeTbV2bc09JtH25StNfYyHOPUR1MiDSKZbZqH3Z0bZUFHN1Ac7jznU3xUV8yEPTy7hQwOWUK5CxUSvd_s4RlTLKsHdAQWWxoDPRvxldwPXtxc7n13hwQPslJNR1ScbREcgJo4zPOcVM_uzTk1ygczLJCzvdsA\n```\n\nwhich is equivalent to the JWT token\n\nheader\n```\n{\n  \"typ\": \"JWT\",\n  \"alg\": \"RS256\",\n  \"kid\": \"QzlFNjNBRkY5RjcyNUZBRjI1NjFBN0YxOEM1REIxMzU4MUIyNjkwRQ\"\n}\n```\n\npayload\n```\n{\n  \"iss\": \"https://voronenko.auth0.com/\",\n  \"sub\": \"R477zd0dhD0Hq3CnNIEgE677nwboYD5u@clients\",\n  \"aud\": \"https://implicitgrant.auth0.voronenko.net\",\n  \"iat\": 1575583536,\n  \"exp\": 1575669936,\n  \"azp\": \"R477zd0dhD0Hq3CnNIEgE677nwboYD5u\",\n  \"gty\": \"client-credentials\"\n}\n```\n\n\nit will expose the following headers to the upstream 
service:\n\n```\n\"x-sa-jwt-claim-gty\":\"client-credentials\",\n\"x-sa-jwt-claim-exp\":\"1575669936\",\n\"x-sa-jwt-claim-azp\":\"R477zd0dhD0Hq3CnNIEgE677nwboYD5u\"\n\"x-sa-jwt-claim-iat\":\"1575583536\"\n\"x-sa-jwt-token\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlF6bEZOak5CUmtZNVJqY3lOVVpCUmpJMU5qRkJOMFl4T0VNMVJFSXhNelU0TVVJeU5qa3dSUSJ9.eyJpc3MiOiJodHRwczovL3Zvcm9uZW5rby5hdXRoMC5jb20vIiwic3ViIjoiUjQ3N3pkMGRoRDBIcTNDbk5JRWdFNjc3bndib1lENXVAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vaW1wbGljaXRncmFudC5hdXRoMC52b3JvbmVua28ubmV0IiwiaWF0IjoxNTc1NTgzNTM2LCJleHAiOjE1NzU2Njk5MzYsImF6cCI6IlI0Nzd6ZDBkaEQwSHEzQ25OSUVnRTY3N253Ym9ZRDV1IiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.aIx7LnT7aFPxmK4wCXxxGhEKrxPsGlZ3azEFykynkf6hfyb-4zCXlrqvxNjB9pk_PO8MxmKRJeoRsHLmNOvVls3tE90GQNa6DrqyWuO5PxZetkPyR56o5axt4PddZlop-mukiMYrZF2bP_gdRBZnhR2OJ4vU3qG6Rvs2k-J65tbb2oUERWps7KDC2FeTbV2bc09JtH25StNfYyHOPUR1MiDSKZbZqH3Z0bZUFHN1Ac7jznU3xUV8yEPTy7hQwOWUK5CxUSvd_s4RlTLKsHdAQWWxoDPRvxldwPXtxc7n13hwQPslJNR1ScbREcgJo4zPOcVM_uzTk1ygczLJCzvdsA\"\n\"x-sa-jwt-claim-iss\":\"https:\\/\\/voronenko.auth0.com\\/\"\n\"x-sa-jwt-claim-sub\":\"R477zd0dhD0Hq3CnNIEgE677nwboYD5u@clients\"\n\"x-sa-jwt-claim-aud\":\"https:\\/\\/implicitgrant.auth0.voronenko.net\"}\n```\n\n\n## (B) validate jwt token claims before passing info to upstream services\n\n\n\n### Activate sa-jwt-claims-validate plugin for service\n\n```\n# JSON body: the config.claims map accepts any number of claim:value pairs\ncurl -X POST \\\n     --url {{kong}}/services/{{ m2mservice_name }}/plugins/ \\\n     -H 'Content-Type: application/json' \\\n     -d '{\n       \"name\": \"sa-jwt-claims-validate\",\n       \"config\": {\n         \"claims\": {\n             \"iss\": \"https://voronenko.auth0.com/\",\n             \"aud\": \"https://implicitgrant.auth0.voronenko.net\"\n         }\n       }\n     }'\n```\n\n```\n# Form-encoded alternative using the dedicated config.validate_* parameters\ncurl -X POST \\\n     --url {{kong}}/services/{{ m2mservice_name }}/plugins/ \\\n     --data 'name=sa-jwt-claims-validate' \\\n     --data 'config.validate_iss=https://voronenko.auth0.com/' \\\n     --data 'config.validate_aud=https://implicitgrant.auth0.voronenko.net'\n```\n\n\n## 
Development\nThis workflow is designed to work with the\n[`kong-pongo`](https://github.com/Kong/kong-pongo) development environment.\nCheck the Makefile and the Travis file.\n\nPlease check out those repos' `README` files for usage instructions.\n\n[badge-travis-url]: https://travis-ci.com/voronenko/kong-plugin-sa-jwt-claims-validate/branches\n[badge-travis-image]: https://travis-ci.com/voronenko/kong-plugin-sa-jwt-claims-validate.svg?branch=master\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoronenko%2Fkong-plugin-sa-jwt-claims-validate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoronenko%2Fkong-plugin-sa-jwt-claims-validate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoronenko%2Fkong-plugin-sa-jwt-claims-validate/lists"}