usage

with this middleware you can verify the access tokens against your oidc provider with the introspection endpoint and logout your session from the oidc provider.

Also this middleware sets a x-userinfo-header with a few information from the introspection endpoint and encode it with base64. For more information which fields are set see src/server.js:70

requirements

traefik
external-auth-server: https://github.com/travisghansen/external-auth-server

installation

traefik middleware

http:
  middlewares:
    jwt-verifier:
      forwardAuth:
        address: "http://jwt-verifier:8080/"
        authResponseHeadersRegex: "^X-"
        trustForwardHeader: true

add this line after `external-auth` in your traefik router

http:
  routers:
    your-router:
      middlewares:
        - external-auth
+       - jwt-verifier

docker-compose.yml example

version: '3.9'

services:
  traefik:
    image: traefik:v2.4
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro

  jwt-verifier:
    image: docker.pkg.github.com/electrofenster/jwt-verifier/jwt-verifier:latest # or use evolutio/jwt-verifier
    environment:
      DISCOVERY_URL: https://my-oidc-provider/.well-known/openid-configuration
      CLIENT_ID: my-client-id
      CLIENT_SECRET: my-client-secret
      LOG_LEVEL: debug
      LOGOUT_QUERY_PARAM: __my-fancy-logout-param
      LOGOUT_REDIRECT_URL: https://google.de
      PROTECTED_URL_PATH: /
      EXTRA_USERINFO_FIELDS: email,family_name,email_verified

when visiting /?__my-fancy-logout-param=true the middleware redirects to the oidc logout endpoint which invalidates your session and starts a redirect to https://google.de

options

you need to setup these environment variables:

DISCOVERY_URL -> is for the openid-client to get the endpoints from the oidc discovery endpoint
CLIENT_ID -> client id from the oidc client
CLIENT_SECRET -> client secret from the oidc client
LOG_LEVEL -> configure the logs from this middleware available level: info, debug
LOGOUT_QUERY_PARAM -> query param to listen for logout, default __jwt-logout
LOGOUT_REDIRECT_URL -> redirect after successful logout, needs to start with https://
PROTECTED_URL_PATH -> redirect after cookies got deleted when introspection failes for reauthentication on keycloak
EXTRA_USERINFO_FIELDS -> extra fields from introspection endpoint/accesstoken which should be in userinfo header

Name		Name	Last commit message	Last commit date
Latest commit History 27 Commits
.github/workflows		.github/workflows
src		src
.env.example		.env.example
.eslintrc.cjs		.eslintrc.cjs
.gitignore		.gitignore
.prettierrc		.prettierrc
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
package-lock.json		package-lock.json
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

usage

requirements

installation

traefik middleware

add this line after `external-auth` in your traefik router

docker-compose.yml example

options

About

Uh oh!

Packages

Uh oh!

Contributors 2

Uh oh!

Languages

License

Electrofenster/jwt-verifier

Folders and files

Latest commit

History

Repository files navigation

usage

requirements

installation

traefik middleware

add this line after external-auth in your traefik router

docker-compose.yml example

options

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Packages 0

Uh oh!

Contributors 2

Uh oh!

Languages

add this line after `external-auth` in your traefik router

Packages