bisakhmondal commented on a change in pull request #5745: URL: https://github.com/apache/apisix/pull/5745#discussion_r766628743
########## File path: apisix/plugins/jwt-auth.lua ########## @@ -28,7 +29,7 @@ local ngx_time = ngx.time local sub_str = string.sub local plugin_name = "jwt-auth" local pcall = pcall - +local jwt_vault_prefix = "jwt-auth/keys/" Review comment: Thanks for the suggestion. Addressed ########## File path: conf/config-default.yaml ########## @@ -281,6 +281,17 @@ etcd: # the default value is true, e.g. the certificate will be verified strictly. #sni: # the SNI for etcd TLS requests. If missed, the host part of the URL will be used. +# storage backend for sensitive data storage and retrieval +vault: Review comment: Done ########## File path: docs/en/latest/plugins/jwt-auth.md ########## 
@@ -110,6 +117,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 }' ``` +### Enable jwt-auth with Vault Compatibility + +Sometimes, it's quite natural in production to have a centralized key management solution like vault where you don't have to update the APISIX consumer each time some part of your organization changes the signing secret key (secret for HS256/HS512 or public_key and private_key for RS256) and/or for privacy concerns you don't want to use the key through APISIX admin APIs. APISIX got you covered here. The `jwt-auth` is capable of referencing keys from vault. + +**Note**: For early version of this integration support, the plugin expects the key name of secrets stored into the vault path is among [ `secret`, `public_key`, `private_key` ] to successfully use the key. In next release we are going to add the support of referencing custom named keys. + +To enable vault compatibility, just add the empty vault object inside the jwt-auth plugin. + +1. You have stored HS256 signing secret inside vault and you want to use it for jwt signing and verification. + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "username": "jack", + "plugins": { + "jwt-auth": { + "key": "key-1", + "vault": {} + } + } +}' +``` + +Here the plugin looks up for key `secret` inside vault path (`<vault.prefix from default-conf.yaml>/jwt-auth/keys/key-1`) for key `key-1` mentioned in the consumer config and uses it for subsequent signing and jwt verification. If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication. Review comment: Done ########## File path: docs/en/latest/plugins/jwt-auth.md ########## 
@@ -51,6 +55,9 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio | algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | | base64_secret | boolean | optional | false | | whether secret is base64 encoded | +| vault | dictionary | optional | | | whether vault to be used for secret (secret for HS256/HS512 or public_key and private_key for RS256) storage and retrieval. The plugin by default uses the vault path as `kv/apisix/jwt-auth/keys/<jwt-auth.key>` for secret retrieval. | + +**Note**: To enable vault integration, first visit the [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) and update the yaml vault attributes with your vault server configuration. Review comment: ACK ########## File path: docs/en/latest/plugins/jwt-auth.md ########## @@ -51,6 +55,9 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio | algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | | base64_secret | boolean | optional | false | | whether secret is base64 encoded | +| vault | dictionary | optional | | | whether vault to be used for secret (secret for HS256/HS512 or public_key and private_key for RS256) storage and retrieval. The plugin by default uses the vault path as `kv/apisix/jwt-auth/keys/<jwt-auth.key>` for secret retrieval. | Review comment: Done
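Review bot: in the `apisix/plugins/jwt-auth.lua` hunk, `local jwt_vault_prefix = "jwt-auth/keys/"` hard-codes a path segment that the docs in this same PR describe in two different ways (`<vault.prefix from default-conf.yaml>/jwt-auth/keys/key-1` in the "Enable jwt-auth with Vault Compatibility" section and `kv/apisix/jwt-auth/keys/<jwt-auth.key>` in the parameter table). Add a comment above the constant stating how the full lookup path is built (the configured `vault.prefix`, this segment, then the consumer `key`), so the code and both doc locations can be kept in step.

Review bot: in the `conf/config-default.yaml` hunk, the new `vault:` block arrives with only the one-line comment `# storage backend for sensitive data storage and retrieval`, while the plugin docs tell operators to "update the yaml vault attributes with your vault server configuration". Document each attribute here in the same style the surrounding etcd entries use (`#sni: # the SNI for etcd TLS requests. ...`), at least the `prefix` that the plugin docs refer to as `vault.prefix`, so the file is usable without reading the plugin source.

Review bot: in the `docs/en/latest/plugins/jwt-auth.md` hunk at `@@ -110,6 +117,68 @@`, `<vault.prefix from default-conf.yaml>` names a file that does not exist; the file touched by this PR is `conf/config-default.yaml` and the parameter table already links to it under that name, so use `config-default.yaml` here too. The lookup path in that sentence (`.../jwt-auth/keys/key-1` under `vault.prefix`) also disagrees with the table's `kv/apisix/jwt-auth/keys/<jwt-auth.key>`; pick one formulation and use it in both places. The paragraph covers only the missing-key case ("If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication"); add one line on what happens when the Vault request itself fails (unreachable server, rejected credentials), since operators need to know the plugin fails closed in that case as well. Minor wording: "looks up for key" should be "looks up the key", and "logs error" should be "logs an error".

Review bot: in the `docs/en/latest/plugins/jwt-auth.md` hunk at `@@ -51,6 +55,9 @@`, the new `vault` row reads "whether vault to be used for secret ... storage and retrieval", which describes a boolean, but the type column says `dictionary` and the Enable section switches the feature on with `"vault": {}`. Reword the row to describe an object whose presence enables the lookup, for example `| vault | object | optional | | | when present (`{}`), the secret (secret for HS256/HS512 or public_key and private_key for RS256) is read from Vault instead of the consumer config. ... |`, and keep the default-path text in this row identical to the one in the Enable section.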