mikyll commented on code in PR #11282:
URL: https://github.com/apache/apisix/pull/11282#discussion_r1770546016
##########
apisix/plugins/jwt-auth.lua:
##########
@@ -247,9 +251,9 @@ local function get_rsa_or_ecdsa_keypair(conf)
end
-local function get_real_payload(key, auth_conf, payload)
+local function get_real_payload(key, auth_conf, payload, key_claim_name)
local real_payload = {
- key = key,
+ [key_claim_name] = key,
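Review bot: `[key_claim_name] = key` has no guard on the new parameter. If a caller passes nil, Lua raises `table index is nil` at this constructor, so either default it (`[key_claim_name or "key"] = key`) or validate it before `get_real_payload()` is reached; and if the same constructor also sets a claim with that name (the `exp` case raised in the discussion), one of the two values is silently overwritten, which argues for rejecting `exp` and `nbf` in the schema rather than here.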
Review Comment:
@shreemaan-abhishek I'm not sure if I understood your comment correctly, in
case I didn't please correct me :)
---
The purpose of `key_claim_name` parameter is just to tell **in which claim
the key must be stored**.
The reason why I also made changes to `get_real_payload()` and the like was
to provide a way to **generate a signed token** with a custom key claim name,
through the public API (otherwise I would have needed to make a test case with
a hardcoded token, see [**line 182** of commit
2af7e156aa07ca29cf19f4934daa605eb0571902](https://github.com/apache/apisix/pull/11282/commits/2af7e156aa07ca29cf19f4934daa605eb0571902#diff-86d48d79e9b5631994cfc66c95b0dca12a2b03aa242d9e47092a746dc720734fR182)
for reference).
Addressing your comment, if `key_claim_name` was "exp", then no, the value
shouldn't be the expiry time, but still the key. However, that would cause some
problems:
- even though according to JWT standard, [RFC
7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4), the `exp`
claim is optional, the **jwt-auth** plugin requires it to validate the token,
and returns `401` if it's not present (at [this
line](https://github.com/apache/apisix/blob/2fcfbd83e22301aea4f027738d628f19c262a458/apisix/plugins/jwt-auth.lua#L382)):
```bash
[warn] 64#64: *16957 [lua] jwt-auth.lua:442: phase_func(): failed to
verify jwt: Missing one of claims - [ nbf, exp ].,
```
- setting `key_claim_name` to "exp" is not feasible, since that would
generate a token with a duplicate `exp` claim.
At most, we could handle this case by preventing the usage of "exp" and
"nbf" as `key_claim_name`. What do you think?
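The collision discussed in the comment above, as an added Python example (not the plugin's Lua code): the unguarded payload constructor beside a version that refuses the reserved claim names, and a minimal HS256 verifier showing how a `key_claim_name` of "exp" surfaces at lookup time. The reserved set, secret and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# The comment proposes refusing the claims the plugin itself requires as
# key_claim_name. This set is an assumption for the example, not from the plugin.
RESERVED_CLAIM_NAMES = {"exp", "nbf"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_payload_unchecked(key: str, key_claim_name: str, exp: int) -> dict:
    """Patched constructor without a guard: with key_claim_name == "exp" the
    later "exp" entry wins and the consumer key is silently dropped."""
    return {key_claim_name: key, "exp": exp}

def build_payload(key: str, key_claim_name: str, exp: int) -> dict:
    """Hardened form: reject claim names the verifier reserves for itself."""
    if key_claim_name in RESERVED_CLAIM_NAMES:
        raise ValueError(f"key_claim_name {key_claim_name!r} collides with a required claim")
    return build_payload_unchecked(key, key_claim_name, exp)

def sign_hs256(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT, enough to exercise the consumer-key lookup below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def consumer_key_from_token(token: str, secret: str, key_claim_name: str, now: int) -> str:
    """Verifier side: check the signature, insist on exp (the plugin answers 401
    without it), then read the consumer key from the configured claim."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if "exp" not in payload:
        raise PermissionError("missing required claim exp")
    if payload["exp"] <= now:
        raise PermissionError("token expired")
    key = payload.get(key_claim_name)
    if not isinstance(key, str):  # with key_claim_name == "exp" this is the int expiry
        raise PermissionError(f"no consumer key in claim {key_claim_name!r}")
    return key
```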