kong
feat(JWT Plugin) Inject claims to request header for upstream servers
Summary
JWT Plugin - Inject claims from token into request header.
The user can now configure any of the claims contained in the verified token to inject into the request header "x-{claim_name}" before it is forwarded to the API.
This allows the API to know details of the requester (e.g. user_name) without having to decode the token.
This is meant for services that are secure behind the reverse proxy.
Full changelog
- Added a new field (the claims that should be injected) to the jwt plugin configuration (schema) and added migration code to set defaults for Postgres and Cassandra.
- Added the code that injects the configured claims into the header in the handler.
Question, I have made the same code change for the master branch. Should I do a pull request for that?
I can't tell if the CI failure is because of my code. Can someone please help to see if I need to change anything?
I have made the same code change for the master branch. Should I do a pull request for that?
At this point in the release cycle, we would be more comfortable releasing this as part of 0.14, which means that targeting the next branch is appropriate. Note also that because of the migration, it is required to target the next branch anyway.
Oops, mis-clicked. At least this should answer your second question:
I can't tell if the CI failure is because of my code.
Likely not, since you did not add tests. But the CI will re-run now, and ideally get rid of any spurious failures.
You can also have two arrays: inject_claims and inject_headers. With the first you give claim names and with the second you give header names in which to inject claim values.
I took @bungle's advice and made it possible to pick the name of the header. It works in the same way as the request/response transformer plugins, by using the format claimName:headerName.
The tests are still outstanding. This is my first time using Lua and contributing to this project, so it may take some time to do the tests. All other raised issues should be resolved now.
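The claimName:headerName mapping discussed above, as an added example that is not the PR's code or Kong's: plain Lua, with a table standing in for the request headers forwarded upstream. The function names and sample data are hypothetical, and clearing a client-supplied header of the same name and skipping non-scalar claims are choices made by this example.

```lua
-- Added example, not the PR's handler. `headers` is a plain table standing in
-- for the upstream request headers; keys are assumed to be lower-cased.

-- Parse one "claimName:headerName" entry. A bare "claimName" falls back to
-- the "x-{claim_name}" default described in the PR summary.
local function parse_mapping(entry)
  local claim, header = entry:match("^([^:]+):(.+)$")
  if not claim then
    claim, header = entry, "x-" .. entry
  end
  return claim, header:lower()
end

-- Copy the configured claims of an already verified token into the headers.
local function inject_claims(mappings, claims, headers)
  for _, entry in ipairs(mappings) do
    local claim, header = parse_mapping(entry)
    -- Drop whatever the client sent under this name first, so the upstream
    -- only ever sees a value that came from the verified token.
    headers[header] = nil
    local value = claims[claim]
    local kind = type(value)
    if kind == "string" or kind == "number" or kind == "boolean" then
      -- Strip CR/LF so a claim value cannot split the header.
      headers[header] = (tostring(value):gsub("[\r\n]", ""))
    end
    -- Missing claims and table-valued claims leave the header unset.
  end
  return headers
end

-- Constructed sample data: claims from a verified token, and a client request
-- that already carries headers with the names the upstream trusts.
local claims = { user_name = "alice", sub = "42", roles = { "admin" } }
local headers = { ["x-user-name"] = "root", ["x-sub"] = "spoofed", accept = "*/*" }
local mappings = { "user_name:x-user-name", "sub", "roles:x-roles", "email:x-email" }

inject_claims(mappings, claims, headers)
for name, value in pairs(headers) do
  print(name, value)
end
```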
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.
:x: stefan.badenhorst
:x: maudrid
stefan.badenhorst seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
Hi, I'd like to know how we could solve the outstanding issue to get this merged.
We'd love to have that feature also...
TIA
Hi, I'd like to know how we could solve the outstanding issue to get this merged.
We'd love to have that feature also...
TIA
Honestly I don't have the time or even know where to begin to please the merge gods. This was done on such an old version of Kong. At my company we just have our own fork with this one change in it.
If I had to do this again, I would just make this a separate extension that can be built without having to merge it into the main line. The changes are quite trivial to do, so maybe have a look at what was done and decide how you want to continue.
@maudrid : Thanks for the quick reply.
Offering praise and sacrifices to the gods of merge doesn't seem to help though...
I'll check out how to proceed and start digging into the changes first.
@maudrid Would it be possible to rebase this once more? Apologies for the delay on our side.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.