Traefik plugin for verifying JSON Web Tokens (JWT). Supports JWKS endpoints. Only supports RSA signing algorithms. Supports JWK endpoints for fetching keys remotely.
The plugin needs to be configured in the Traefik static configuration before it can be used.
The following snippet can be used as an example for the values.yaml file:
pilot:enabled: truetoken: xxxxx-xxxx-xxxxexperimental:plugins:enabled: trueadditionalArguments:- --experimental.plugins.gateway-plugin.moduleName=github.com/formancehq/gateway-plugin-auth- --experimental.plugins.gateway-plugin.version=v0.1.0
traefik \
--experimental.pilot.token=xxxx-xxxx-xxx \
--experimental.plugins.gateway-plugin.moduleName=github.com/formancehq/gateway-plugin-auth \
--experimental.plugins.gateway-plugin.version=v0.1.0
The plugin currently supports the following configuration settings: (all fields are optional)
| Name | Description |
|---|---|
| Issuer | Used to verify the issuer of the JWT |
| SigningMethodRSA | RSA signing method used to verify tokens (defaults to RS256) |
| RefreshTime | Refresh time of discovery (defaults to 15m) |
| RefreshTimeError | Refresh time of discovery in case of error (defaults to 10s) |
This example uses Kubernetes Custom Resource Descriptors (CRD) :
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: gateway-plugin
spec:
plugin:
gateway-plugin:
Issuer: http://localhost/api/auth
SigningMethodRSA: RS256
RefreshTime: 15m
RefreshTimeError: 10s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test-server
labels:
app: test-server
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.middlewares: default-jwt@kubernetescrd