{"id":17779594,"url":"https://github.com/ymyzk/cla-jwt-verifier","last_synced_at":"2025-03-15T20:31:02.682Z","repository":{"id":37177907,"uuid":"253268124","full_name":"ymyzk/cla-jwt-verifier","owner":"ymyzk","description":"Simple HTTP server for verifying JWT issued by Cloudflare Access","archived":true,"fork":false,"pushed_at":"2023-02-04T01:00:05.000Z","size":172,"stargazers_count":7,"open_issues_count":8,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-13T14:49:57.019Z","etag":null,"topics":["cloudflare-access","docker","jwt","proxy","reqwest","rust","warp"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ymyzk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-05T15:32:39.000Z","updated_at":"2024-07-25T00:44:41.000Z","dependencies_parsed_at":"2023-02-12T06:10:12.276Z","dependency_job_id":null,"html_url":"https://github.com/ymyzk/cla-jwt-verifier","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ymyzk%2Fcla-jwt-verifier","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ymyzk%2Fcla-jwt-verifier/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ymyzk%2Fcla-jwt-verifier/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ymyzk%2Fcla-jwt-verifier/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ymyzk","download_url":"https://codeload.github.com/ymyzk/cla-jwt-verifier/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243790950,"owners_count":20348378,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare-access","docker","jwt","proxy","reqwest","rust","warp"],"created_at":"2024-10-27T01:04:42.569Z","updated_at":"2025-03-15T20:31:02.294Z","avatar_url":"https://github.com/ymyzk.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cla-jwt-verifier\n![CI](https://github.com/ymyzk/cla-jwt-verifier/workflows/CI/badge.svg)\n\nSimple HTTP server for verifying JSON web tokens (JWTs) issued by [Cloudflare Access](https://teams.cloudflare.com/access/).\nWorks well with Nginx's [ngx_http_auth_request_module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).\n\nWhen we use Cloudflare Access, no one should be able to access our origin servers directly.\nTo secure origin servers, Cloudflare Access recommends to force all requests to our origin server through Cloudflare's network and validate JWTs.\ncla-jwt-verifier provides a solution to implement the latter.\nSee [How Access works - Cloudflare Access](https://developers.cloudflare.com/access/about/how-access-works/) for more details.\n\n## Usage\n1. Start cla-jwt-verifier\n```shell\nAPP_CERTS_URL=https://\u003caccount\u003e.cloudflareaccess.com/cdn-cgi/access/certs \\\nAPP_AUDIENCES=\u003caudience1\u003e,\u003caudience2\u003e \\\nRUST_LOG=cla_jwt_verifier=info \\\ncargo run\n```\n2. Verify a JWT token using cla-jwt-verifier. cla-jwt-verifier always get a token from the HTTP header not HTTP Cookie.\n```shell\ncurl -v -H 'Cf-Access-Jwt-Assertion: \u003ctoken\u003e' localhost:3030/auth\n```\n3. cla-jwt-verifier returns HTTP 200 only when the given token is verified.\n\n## Integrating with Nginx\ncla-jwt-verifier can be integrated with Nginx easily by using [ngx_http_auth_request_module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).\n\nExample configuration:\n```\nlocation / {\n  auth_request /auth;\n  ...\n}\n\nlocation = /auth {\n  internal;\n\n  proxy_pass http://\u003ccla-jwt-verifier\u003e/auth;\n  proxy_pass_request_body off;\n  proxy_set_header Content-Length \"\";\n\n  // Optional\n  proxy_set_header X-Original-URI $request_uri;\n}\n```\n\nIf you're using [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/) on Kubernetes, integration will be easier.\nRun cla-jwt-verifier on Kubernetes and set [global-auth-url](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#global-auth-url) of ConfigMap or [nginx.ingress.kubernetes.io/auth-url](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication) annotation depending on where you want to enable authentication (global or ingress).\n\n## Configurations\ncla-jwt-verifier reads configurations from environment variables.\n\n- `APP_CERTS_URL` (required)\n- `APP_AUDIENCES` (required)\n- `APP_LISTEN` (optional)\n- `RUST_LOG` (optional)\n\n## Endpoints\n- GET `/auth`\n  - `Cf-Access-Jwt-Assertion` request header: JWT to be verified (required).\n  - Response status code: 200 only when the JWT is verified successfully.\n\n## Docker\nThe Docker image is available on [Docker Hub](https://hub.docker.com/repository/docker/ymyzk/cla-jwt-verifier) and\n[GitHub](https://github.com/users/ymyzk/packages/container/package/cla-jwt-verifier).\n\n## Reference\n- [Validating JSON Web Tokens - Cloudflare Access](https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/)\n- [RFC 7517 - JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517)\n- [RFC 7519 - JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fymyzk%2Fcla-jwt-verifier","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fymyzk%2Fcla-jwt-verifier","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fymyzk%2Fcla-jwt-verifier/lists"}