I just pushed an initial (very simple) generic JWT authentication plugin policy to master. It should work with any JWT provider! Let me know how it works for you.
Update on 23/01/07: The JWT plugin has now been released to Maven, you can install it via:
- G
-
io.apiman.plugins
- A
-
apiman-plugins-jwt-policy
- V
-
1.2.9.Final (or whatever the latest/matching version of apiman is)
Old Instructions:
Build and install
To try it out immediately you will need to build it from source. Just check out the apiman/apiman-plugins repo and execute:
mvn clean install
The plugin coordinates will be:
- G
-
io.apiman.plugins
- A
-
apiman-plugins-jwt-policy
- V
-
1.2.9-SNAPSHOT
It isn’t yet as feature-rich as the Keycloak plugin, but you can:
-
Require JWT.
-
Require claims (e.g. sub = foo).
-
Require transport security (TLS, SSL).
-
Require JWT be cryptographically signed (aka. JWS).
-
Validate JWT against a provided public key.
-
Remove auth tokens (prevent them reaching the backend).
-
Set maximum clock skew.
I’ll expand on this in the near future to add some commonly-used features from the Keycloak plugin:
-
Extraction of roles for authorization
-
Forward token fields as headers (e.g. X-Sub = sub)✓
How to use it
Either:
-
Set the
Authorizationheader asAuthorization: Bearer <B64 encoded token> -
Set the
access_tokenquery parameter asexample.com?access_token=<B64 encoded token>