kong-jwt2header
Clean up the HTTP headers matching the jwt2header pattern
This improvement should fix the following issue:
Context: In case my upstream performs operations on a custom HTTP header "x-kong-jwt-claim-dummy" (in theory, extracted from the bearer)
Scenario
- In the input request, I add a custom header "x-kong-jwt-claim-dummy" (matching the jwt2header pattern)
- In the input request, the bearer token used does not have the claim "dummy"
Result: The upstream will receive the "x-kong-jwt-claim-dummy" header and trigger the operations
Expected Result: The upstream should not receive the header
Solution: To improve the security, you should clean up the HTTP headers of the input request matching the pattern "x-kong-jwt-claim"
Hi @epourail! There is an option strip_claims so that the headers are not sent to the upstream. By default it is set to false. Set it to true and this should do what you want. Please confirm.
I don't want to strip the claim once extracted. I want to be sure the HTTP header comes from an extracted claim (via the jwt2header plugin) and is not a custom header set by the client.
Understood. Will update to strip any incoming x-kong-jwt-claim headers that are sent from the consuming entity.
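The header handling agreed on in this thread, as an added example in Python rather than the plugin's own Lua code: client-supplied headers in the "x-kong-jwt-claim-" namespace are dropped before headers from the verified token are set, and the comparison is case-insensitive because HTTP header names are. The sample headers, claim values and the bearer placeholder are constructed for the illustration.

```python
# Added example (not kong-jwt2header's own code): strip spoofed claim headers,
# then set headers only from claims of the verified token.
# "x-kong-jwt-claim-" is the prefix named in the issue; everything else is
# constructed sample data.

CLAIM_HEADER_PREFIX = "x-kong-jwt-claim-"


def strip_spoofed_claim_headers(headers: dict) -> dict:
    """Drop every client-supplied header in the reserved claim namespace.

    Header names are compared case-insensitively: a client sending
    'X-Kong-JWT-Claim-Dummy' must be stripped just like the lowercase form.
    Returns a new dict; the input is not mutated.
    """
    return {
        name: value
        for name, value in headers.items()
        if not name.lower().startswith(CLAIM_HEADER_PREFIX)
    }


def add_claim_headers(headers: dict, verified_claims: dict) -> dict:
    """Build the upstream header set: strip first, then add verified claims.

    Only claims actually present in the validated token become headers, so a
    claim the token lacks (like "dummy" in the issue) never reaches upstream.
    """
    upstream = strip_spoofed_claim_headers(headers)
    for claim, value in verified_claims.items():
        upstream[f"{CLAIM_HEADER_PREFIX}{claim}"] = str(value)
    return upstream


def scenario_from_issue() -> dict:
    """Reproduce the issue's scenario with constructed request data."""
    incoming = {
        "Host": "api.example.test",
        "Authorization": "Bearer <token>",  # placeholder, not a real token
        "X-Kong-JWT-Claim-Dummy": "true",   # spoofed by the client, mixed case
        "x-kong-jwt-claim-role": "admin",   # spoofed; token says "viewer"
    }
    verified_claims = {"sub": "user-123", "role": "viewer"}  # no "dummy" claim
    return add_claim_headers(incoming, verified_claims)
```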