OpenID Connect token validator written in Go for light-speed validation
This package aims to be bound to the nginx [auth_request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module to validate incoming JWT tokens in the Authorization header.
It validates the token's signature using the keys published at the issuer's OIDC JWKS endpoint, as well as the expiry date, audience and issuer.
This package has been built to integrate into a Kubernetes environment and to work with the default nginx ingress.
By adding this annotation to the Ingress you can protect it with a mandatory Authorization Bearer token:

```yaml
nginx.ingress.kubernetes.io/auth-url: http://GO-OTV-SERVICE.NAMESPACE.svc.cluster.local/validate
```

If you have public routes to handle, just create a new Ingress for the same host without the previous annotation.
By adding this snippet to the Ingress you can pass the auth module the x-request-id generated for the parent client request:

```yaml
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header X-Parent-Request-Id $request_id;
```

This id is used to prefix the validator's request logs.
Install Go: https://golang.org/doc/install
Run the project:

```shell
go build
AUD="YOUR_AUDIENCE" ISS="YOUR_ISSUER" JWKS_ENDPOINT="YOUR_ISSUER_JWKS_CERT_ENDPOINT" ./go-otv
```

The Docker way:
```shell
docker build -t go-otv .
docker run -e AUD="YOUR_AUDIENCE" -e ISS="YOUR_ISSUER" -e JWKS_ENDPOINT="YOUR_ISSUER_JWKS_CERTS_ENDPOINT" -p 8000:8000 -t go-otv
```

| Key | Commentary | Default value |
|---|---|---|
| AUD | Accepted audiences, comma-separated | "" |
| ISS | Expected token issuer | "" |
| JWKS_ENDPOINT | The issuer's JWKS endpoint, from which the signing keys are fetched | "" |
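As an added illustration of the four checks described above (not the project's own code, which builds on lestrrat-go/jwx), here is a standard-library-only sketch driven by the same settings: it assumes the JWKS from `JWKS_ENDPOINT` has already been fetched and parsed into `rsa.PublicKey` values keyed by `kid`, and that the caller has split `AUD` on commas into the `Audiences` set; a `/validate` handler would answer 200 when `Validate` returns nil and 401 otherwise.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Validator holds the README's settings: ISS, AUD (split on "," into a set) and the RSA keys from JWKS_ENDPOINT by kid.
type Validator struct {
	Issuer    string
	Audiences map[string]bool
	Keys      map[string]*rsa.PublicKey // assumed already fetched and parsed from the JWKS
}

// Validate checks an RS256 compact JWT: signature with the kid's key, then exp (Unix seconds vs now), iss and aud.
func (v *Validator) Validate(token string, now int64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }                      // encoding/json matches "alg"/"kid" case-insensitively
	var c struct{ Iss string; Aud interface{}; Exp int64 } // RFC 7519: aud is a string or an array of strings
	for i, dst := range []interface{}{&hdr, &c} {
		b, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil || json.Unmarshal(b, dst) != nil {
			return errors.New("undecodable header or claims")
		}
	}
	key, ok := v.Keys[hdr.Kid] // the key is chosen by kid alone; alg must also be RS256, so "none"/HS256 tokens fail
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if hdr.Alg != "RS256" || !ok || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return errors.New("unknown kid or bad signature")
	}
	if c.Exp == 0 || c.Exp <= now || c.Iss != v.Issuer {
		return errors.New("token expired or issuer mismatch")
	}
	arr, _ := c.Aud.([]interface{})
	for _, got := range append(arr, c.Aud) { // walks an array aud, or the single string aud
		if s, ok := got.(string); ok && v.Audiences[s] {
			return nil
		}
	}
	return errors.New("audience mismatch")
}
```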
Heavily based on the great work of lestrrat-go:
https://github.com/lestrrat-go/jwx
The best JW* package.
Made in 🇫🇷
With ❤️
And 🥐
(And 🍷)