Skip to content

Latest commit

 

History

History
117 lines (106 loc) · 3.53 KB

README.md

File metadata and controls

117 lines (106 loc) · 3.53 KB

Support for JSON Web Tokens (JWTs)

NGINX Plus supports validating JWTs with ngx_http_auth_jwt_module.

The Ingress controller provides the following 4 annotations for configuring JWT validation:

  • Required: nginx.com/jwt-key: "secret" -- specifies a Secret resource with keys for validating JWTs. The keys must be stored in the jwk data field. The type of the secret must be nginx.org/jwk.
  • Optional: nginx.com/jwt-realm: "realm" -- specifies a realm.
  • Optional: nginx.com/jwt-token: "token" -- specifies a variable that contains JSON Web Token. By default, a JWT is expected in the Authorization header as a Bearer Token.
  • Optional: nginx.com/jwt-login-url: "url" -- specifies a URL to which a client is redirected in case of an invalid or missing JWT.

Example 1: the Same JWT Key for All Paths

In the following example we enable JWT validation for the cafe-ingress Ingress for all paths using the same key cafe-jwk:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    nginx.com/jwt-key: "cafe-jwk" 
    nginx.com/jwt-realm: "Cafe App"  
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login.example.com"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
  • The keys must be deployed separately in the Secret cafe-jwk.
  • The realm is Cafe App.
  • The token is extracted from the auth_token cookie.
  • The login URL is https://login.example.com.

Example 2: a Separate JWT Key Per Path

In the following example we enable JWT validation for the mergeable Ingresses with a separate JWT key per path:

  • Master:

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-master
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "master"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com

  • Tea minion:

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-tea-minion
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "minion"
    nginx.com/jwt-key: "tea-jwk" 
    nginx.com/jwt-realm: "Tea"  
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login-tea.cafe.example.com"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80

  • Coffee minion:

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-coffee-minion
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "minion"
    nginx.com/jwt-key: "coffee-jwk" 
    nginx.com/jwt-realm: "Coffee"  
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login-coffee.cafe.example.com"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80