https://github.com/curityio/sender-constrained-token-plugin
An API gateway plugin for verifying Certificate-Bound Access Tokens (RFC8705)
api-gateway jwt lua nginx proof-of-possession use-case zero-trust
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/curityio/sender-constrained-token-plugin
- Owner: curityio
- License: apache-2.0
- Created: 2021-10-05T09:02:46.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2022-04-15T11:14:55.000Z (about 4 years ago)
- Last Synced: 2025-07-12T12:48:03.766Z (11 months ago)
- Topics: api-gateway, jwt, lua, nginx, proof-of-possession, use-case, zero-trust
- Language: Lua
- Homepage: https://curity.io/resources/learn/mutual-tls-api/
- Size: 20.5 KB
- Stars: 0
- Watchers: 4
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Sender Constrained Token Plugin
A Lua plugin for verifying sender-constrained tokens in the reverse proxy.
## Overview
Sender-constrained tokens are tokens that are bound to a particular client. Unlike ordinary bearer tokens, they cannot be used by a malicious client that obtains them to access protected resources, because the resource server also checks that the caller is the client the token was issued to.
In financial-grade systems, APIs are secured by Mutual TLS, and [Certificate Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html) are used.\
The client certificate used in API requests must then match that used at the time of authentication.
[Demonstrating Proof-of-Possession (DPoP)](https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/) and [OAuth 2.0 Token Binding](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding) are other mechanisms for sender-constraining tokens, though neither is supported by this plugin.
## Plugin
This plugin performs the certificate binding check described above in an NGINX based reverse proxy.\
See the following article for further details on how this plugin is used:
- [Mutual TLS APIs Code Example](https://curity.io/resources/learn/mutual-tls-api/)
### Configuration Parameters
`type`: Specify which type of constraint the token has. Currently, the only supported value is `certificate-bound`.
### Running the Plugin
The following configuration at the reverse proxy will load and execute the plugin:
```lua
local tokenConfig = {
    type = 'certificate-bound'
}
local senderConstrainedTokenPlugin = require 'sender-constrained-token-plugin'
senderConstrainedTokenPlugin.execute(tokenConfig)
```
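What the `certificate-bound` check amounts to, written out as an added Python example (this is not the plugin's Lua code and not part of the original README): per RFC 8705 the access token carries a `cnf` claim whose `x5t#S256` member is the base64url-encoded SHA-256 hash of the DER client certificate used at the token endpoint, and the gateway must hash the certificate presented on the mutual TLS connection and compare. The example assumes the proxy passes the client certificate as a URL-escaped PEM string (as NGINX's `$ssl_client_escaped_cert` does) and, purely so it runs offline, signs a constructed token with an HS256 shared key (`DEMO_KEY`); a real deployment validates the token against the issuer's published keys before looking at `cnf`. The certificate bytes are constructed stand-ins, since the thumbprint computation does not depend on the certificate's contents.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed sample input. The DER bytes are stand-ins, not real X.509
# structures: the RFC 8705 thumbprint is just SHA-256 over the DER encoding,
# so the comparison itself does not depend on the certificate's contents.
CLIENT_DER = b"constructed-client-certificate-der-bytes"
OTHER_DER = b"constructed-certificate-of-a-different-client"
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(CLIENT_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
# Assumption: the proxy hands the plugin the PEM URL-escaped, as NGINX's
# $ssl_client_escaped_cert variable does.
ESCAPED_CLIENT_PEM = quote(CLIENT_PEM)
DEMO_KEY = b"constructed-hs256-demo-key"  # demo only; real tokens are checked against the issuer's keys


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pem_to_der(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def x5t_s256(der: bytes) -> str:
    # RFC 8705 section 3.1: cnf["x5t#S256"] = base64url(SHA-256(DER certificate)), unpadded
    return b64url(hashlib.sha256(der).digest())


def make_demo_token(claims: dict) -> str:
    # Builds a constructed HS256 JWT so the example runs offline.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_certificate_bound(token: str, escaped_client_pem: str):
    """Returns (accepted, reason). Mirrors what a 'certificate-bound' check at the
    reverse proxy has to do: validate the token, require a cnf claim, and compare
    the presented client certificate's thumbprint with cnf["x5t#S256"]."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the expected algorithm
            return False, "unexpected alg"
        expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    cnf = claims.get("cnf") if isinstance(claims, dict) else None
    bound_to = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound_to, str):
        # A plain bearer token must not be accepted where a bound one is required.
        return False, "token is not certificate-bound"
    if not escaped_client_pem:
        return False, "no client certificate presented"
    try:
        presented = x5t_s256(pem_to_der(unquote(escaped_client_pem)))
    except ValueError:
        return False, "unparseable client certificate"
    if not hmac.compare_digest(presented.encode("ascii"), bound_to.encode("utf-8")):
        return False, "certificate thumbprint mismatch"
    return True, "ok"


def run_demo() -> dict:
    bound = make_demo_token({"sub": "client-1", "cnf": {"x5t#S256": x5t_s256(CLIENT_DER)}})
    bearer = make_demo_token({"sub": "client-1"})
    other = make_demo_token({"sub": "client-1", "cnf": {"x5t#S256": x5t_s256(OTHER_DER)}})
    return {
        "matching certificate": verify_certificate_bound(bound, ESCAPED_CLIENT_PEM),
        "plain bearer token": verify_certificate_bound(bearer, ESCAPED_CLIENT_PEM),
        "token presented with a different client's certificate": verify_certificate_bound(other, ESCAPED_CLIENT_PEM),
        "no client certificate": verify_certificate_bound(bound, ""),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Two details matter at the gateway: the `cnf` claim must be required, not merely compared when present (otherwise an unbound bearer token slips through a `certificate-bound` route), and the thumbprint is taken over the DER bytes the TLS stack actually received, so the same certificate always hashes to the same value regardless of PEM line wrapping or escaping.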
## More Information
Please visit [curity.io](https://curity.io/) for more information about the Curity Identity Server.