[FR] Add JWT token authentication support
Description:
Please add support for JWT (JSON Web Token) authentication.
Required features:
- Ability to configure a secret key for verifying tokens
- Support for token expiration (expire time)
Hmm so FileBrowser uses jwt as the form of authentication for all methods behind the scenes.
Regardless of how you login, a jwt token is generated for the session and used to determine if the session is valid. If invalid or expired, it kicks back to password/proxy/OIDC etc.
Session token expiration can be configured in hours
The secret can be configured as well via key
Also, you can create custom jwt tokens via "API access" in settings if you have API permissions. This feature allows for custom jwt tokens with customer permissions and expiration.
Does that support the use cases you were looking to do?
Thank you! Yes, the proposed options:
- Session token expiration configurable in hours
- Secret configurable via key
fully cover my required features.
However, now I’d like to achieve login via token URL, for example: http://filebrowser?token=abs123
I have an external authorization service that redirects users with a JWT token containing the payload { userlogin: "username" }
Would it be possible for FileBrowser to accept a token in the URL and start a session automatically?
It would be great to have a separate JWT authentication feature with a configurable secret key parameter, and using the expiration time from the native payload (/exp/).
So both features already exist. I'm not sure what's missing here.
The only thing missing is using the UI with a token? Ie log in to the UI by adding your token?
That's a really simple change, that's the only thing missing.
But I won't add a feature to support external tokens, that defeats the purpose of a login, all the tokens need to be generated and signed internally.
How about this, because I'm still a bit fuzzy on the details.
if you can show me other significant mainstream software that has this feature that allows for parsing external tokens for login, I'll take a look to see how it could be implemented.
Thank you!
Yes, Grafana supports similar feature:
🔗 Grafana JWT authentication
It works similarly to proxy authentication, but in a more secure way.
Grafana
```ini
[auth.jwt]
enabled = true
header_name = X-JWT-Assertion
username_claim = sub
auto_sign_up = true
url_login = true
key_file = 'jwt-public-key.pem'
```
Proxy
```javascript
const fs = require('fs');
// Assumed: `jwt` here is the jsonwebtoken package (jwt.sign(payload, key, { algorithm }))
const jwt = require('jsonwebtoken');
const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');
const ntlm = require('express-ntlm');
const privateKey = fs.readFileSync('./grafana/jwt-private-key.pem', 'utf8');
...
app.use((req, res, next) => {
  // Only mint an assertion once NTLM has identified the user; reading
  // req.ntlm.UserName before this check throws on unauthenticated requests.
  if (req.ntlm) {
    const payload = {
      sub: req.ntlm.UserName
    };
    const token = jwt.sign(payload, privateKey, { algorithm: 'ES256' });
    req.headers['X-JWT-Assertion'] = token;
  }
  next();
});
...
```
I tried combining OIDC with Windows NTLM, but it didn’t work out,
so I decided to handle it via proxy instead.
The token can be passed either via query or header — that’s not very important.
But passing it via query is more practical because it allows authentication without a proxy and also enables iframe embedding,
which is especially relevant when using NGINX (CE edition) that doesn’t support Win NTLM (in my case).
Thanks I can look at grafana as a valid example. What I think you want:
- Accept external tokens via `X-JWT-Assertion` header or `jwtAssertion` query
- Add config option to decrypt jwt tokens via a key for external tokens
- Decrypt the claim and inspect the username / group and login with that user like OIDC if claim is valid and unexpired.
And you're right it sounds like proxy auth, but rather than blindly accepting the user from the header, there's extra security by requiring a valid token that needs to be decrypted with valid info.
Yes, exactly. I’d prefer using the query parameter for external tokens, because I’m currently facing an issue when proxying requests to HTTPS targets.
Ok, grafana docs look very easy to follow. I see what you mean now from it, I'll add this to the backlog
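The design sketched in this thread (an ES256-signed assertion from the proxy, accepted via the `X-JWT-Assertion` header or a `jwtAssertion` query parameter, verified against a configured public key, then the username claim and `exp` inspected before a session is started) as a stand-alone worked example. This is added illustration code, not FileBrowser's or Grafana's implementation; it uses only the Go standard library, and the header, query-parameter and function names are assumptions taken from the thread, not names from the project. The signing helper exists only to build a sample token the way the proxy snippet above does; the receiving side never signs external tokens, it only verifies them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Assumed names from the thread's proposal (not FileBrowser's own).
const (
	assertionHeader = "X-JWT-Assertion"
	assertionQuery  = "jwtAssertion"
)

func b64enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signES256 builds a compact JWS (header.payload.signature) with ES256, the
// algorithm the proxy snippet uses. Used here only to construct sample tokens.
func signES256(priv *ecdsa.PrivateKey, payload map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	signingInput := b64enc(hdr) + "." + b64enc(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64enc(sig), nil
}

// verifyES256 validates an external assertion against the configured public
// key and returns the username in usernameClaim (like Grafana's username_claim).
// The clock is injected so expiry handling is deterministic.
func verifyES256(token string, pub *ecdsa.PublicKey, usernameClaim string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token: expected three segments")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return "", fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm to what the configured key supports; never let the
	// token choose it (that is how "alg":"none" and key-confusion bugs arise).
	if hdr.Alg != "ES256" {
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature verification failed")
	}
	// Claims are only trusted after the signature checks out.
	plBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("bad payload encoding: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(plBytes, &claims); err != nil {
		return "", fmt.Errorf("bad payload: %w", err)
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok {
		return "", errors.New("missing exp claim")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return "", errors.New("token expired")
	}
	user, ok := claims[usernameClaim].(string)
	if !ok || user == "" {
		return "", fmt.Errorf("missing %q claim", usernameClaim)
	}
	return user, nil
}

// tokenFromRequest: header first, then the query form that works without a proxy.
func tokenFromRequest(r *http.Request) string {
	if t := r.Header.Get(assertionHeader); t != "" {
		return t
	}
	return r.URL.Query().Get(assertionQuery)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample key
	now := time.Now()
	tok, _ := signES256(priv, map[string]any{"userlogin": "alice", "exp": now.Add(time.Hour).Unix()})
	req, _ := http.NewRequest("GET", "http://filebrowser/?"+assertionQuery+"="+tok, nil)
	fmt.Println(verifyES256(tokenFromRequest(req), &priv.PublicKey, "userlogin", now))
}
```

The verifier rejects a token that is expired, lacks `exp`, lacks the configured username claim, is signed with another key, or whose payload was altered after signing; a rejection at this point is where the service would fall back to its normal login rather than starting a session.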