Skip to content

Electrofenster/jwt-verifier

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits

.github/workflows

.github/workflows

 
 

src

src

 
 

.env.example

.env.example

 
 

.eslintrc.cjs

.eslintrc.cjs

 
 

.gitignore

.gitignore

 
 

.prettierrc

.prettierrc

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

Repository files navigation

usage

with this middleware you can verify the access tokens against your oidc provider with the introspection endpoint and logout your session from the oidc provider.

Also this middleware sets a x-userinfo-header with a few information from the introspection endpoint and encode it with base64. For more information which fields are set see src/server.js:70

requirements

installation

traefik middleware

http:
  middlewares:
    jwt-verifier:
      forwardAuth:
        address: "http://jwt-verifier:8080/"
        authResponseHeadersRegex: "^X-"
        trustForwardHeader: true

add this line after external-auth in your traefik router

http:
  routers:
    your-router:
      middlewares:
        - external-auth
+       - jwt-verifier

docker-compose.yml example

version: '3.9'

services:
  traefik:
    image: traefik:v2.4
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro

  jwt-verifier:
    image: docker.pkg.github.com/electrofenster/jwt-verifier/jwt-verifier:latest # or use evolutio/jwt-verifier
    environment:
      DISCOVERY_URL: https://my-oidc-provider/.well-known/openid-configuration
      CLIENT_ID: my-client-id
      CLIENT_SECRET: my-client-secret
      LOG_LEVEL: debug
      LOGOUT_QUERY_PARAM: __my-fancy-logout-param
      LOGOUT_REDIRECT_URL: https://google.de
      PROTECTED_URL_PATH: /
      EXTRA_USERINFO_FIELDS: email,family_name,email_verified

when visiting /?__my-fancy-logout-param=true the middleware redirects to the oidc logout endpoint which invalidates your session and starts a redirect to https://google.de

options

you need to setup these environment variables:

  • DISCOVERY_URL -> is for the openid-client to get the endpoints from the oidc discovery endpoint
  • CLIENT_ID -> client id from the oidc client
  • CLIENT_SECRET -> client secret from the oidc client
  • LOG_LEVEL -> configure the logs from this middleware available level: info, debug
  • LOGOUT_QUERY_PARAM -> query param to listen for logout, default __jwt-logout
  • LOGOUT_REDIRECT_URL -> redirect after successful logout, needs to start with https://
  • PROTECTED_URL_PATH -> redirect after cookies got deleted when introspection failes for reauthentication on keycloak
  • EXTRA_USERINFO_FIELDS -> extra fields from introspection endpoint/accesstoken which should be in userinfo header

About

No description or website provided.

Topics

oauth oauth2 reverse-proxy openid openid-connect traefik openidconnect-client authentication-middleware traefik-ingress traefik-v2 forward-auth traefik-docker

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Packages 1

 

Contributors 2

  •  
  •  

Languages