Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
No
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
JWT
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST
The ingress via Nginx should be able to authenticate JWT tokens passed in the HTTP header via an "Authorization: Bearer" format.
Closing. Please check this comment https://github.com/kubernetes/ingress-nginx/issues/1676#issuecomment-344671430
@aledbf one of the advantages (in the case of JWT) is that you get to save an additional hop for every request which can end up being a bottleneck, so going to an external service to do that for you defeats that purpose. we've extended this project by adding a simple JWT script + some custom annotations to control the auth policy per ingress. not sure about ldap or others, but this was a relatively small change. given the popularity of JWT and the current lack of a working plugin system, is this decision final? if not I'd be happy to draft a PR.
> given the popularity of JWT and the current lack of a working plugin system, is this decision final?
No :)
> if not I'd be happy to draft a PR.
Please wait, we are going to revamp the auth support in the controller.
> Please wait, we are going to revamp the auth support in the controller.
any public place this is being tracked? :)
> any public place this is being tracked? :)
Not yet, I will post a comment here when available
@aledbf What's the status here? JWT support just landed in Envoy https://github.com/envoyproxy/envoy/issues/2514
any update with regards to this feature request? I don't want to get stuck with NGINX plus for this...
@aledbf - can you please clarify: "we are going to revamp the auth support in the controller" ?
Were you referring to auth-url (and this issue should be closed) or is there something else?
"we are going to revamp the auth support in the controller"
One of the options will be using a custom plugin (to be written) once https://github.com/kubernetes/ingress-nginx/pull/3807 is merged.
Right now you can use something like https://github.com/vouch/vouch-proxy#running-from-docker
@itaysk as I needed JWT and JWT-based routing, I have created a simple Python service that performs authentication and returns claims in headers: https://github.com/veonua/jwt_auth
auth-url should refer to this service address
Now with https://github.com/kubernetes/ingress-nginx/pull/3807 merged, anyone already started working on a JWT auth plugin?
I built a small JWT signature/claims validator that is usable with the external-auth annotation: https://github.com/carlpett/nginx-subrequest-auth-jwt
Not as nice as a built-in solution, but might be useful to someone else.
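The pattern the two comments above describe (an `auth-url` target that validates the bearer token and hands claims back as response headers) is sketched below as an added example; it is not code from either linked project. It assumes HS256 with a shared key, a mandatory `exp` claim, and a hypothetical `X-Auth-Claim-*` header naming scheme.

```python
import base64, hashlib, hmac, json, time

def _b64d(seg: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token (helper for demos and tests only)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def check_request(authorization, key: bytes, now=None):
    """Return (status, headers) as an auth subrequest endpoint would:
    200 lets the original request through, 401 rejects it."""
    deny = (401, {"WWW-Authenticate": "Bearer"})
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return deny
    head, body, sig = token.split(".")
    try:
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return deny
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return deny
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return deny
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        return deny
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or expired
        return deny
    out = {}
    for name, value in claims.items():
        # forward only simple claims, and strip CR/LF so a claim cannot add headers
        if name.isascii() and name.isalnum() and isinstance(value, (str, int)):
            out[f"X-Auth-Claim-{name}"] = str(value).replace("\r", "").replace("\n", "")
    return 200, out

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed value, not a real secret
    tok = make_token({"sub": "alice", "exp": int(time.time()) + 60}, demo_key)
    print(check_request(f"Bearer {tok}", demo_key))
```
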
any more work done on jwt plugins other than @carlpett ?