php-istio / jwt-authentication-bundle
This package is abandoned and no longer maintained. No replacement package has been suggested.
Symfony bundle that helps authenticate JWT payloads forwarded by the Istio Envoy proxy.
v2.0.0
2022-07-29 08:28 UTC
Requires
- php: >=8.0
- php-istio/jwt-payload-extractor: ^v1.1.1
- symfony/psr7-pack: ^1.0
- symfony/security-bundle: ^6.0
Requires (Dev)
- symfony/browser-kit: ^6.0
- symfony/console: ^6.0
- symfony/framework-bundle: ^6.0
- symfony/phpunit-bridge: ^6.0
README
About
This Symfony bundle provides JWT authentication for requests forwarded by the Istio proxy.
To use this bundle, make sure your K8S application pod has the Istio proxy injected and a RequestAuthentication CRD configured; otherwise your application is not secure.
The main difference between this bundle and the excellent Lexik JWT Authentication bundle is that it does not validate the JWT token: the Istio proxy has already validated it before forwarding the request to your application, so your application does not need to hold the public key and validate the JWT token a second time.
Requirements
PHP version
- PHP 8.0
Symfony version
- Symfony 5.3
Installation
composer require php-istio/jwt-authentication-bundle
Configuration
Enable the authenticator manager setting:

```yaml
# config/packages/security.yaml
security:
    enable_authenticator_manager: true
    # ...
```

Then configure your config/packages/security.yaml:

```yaml
security:
    enable_authenticator_manager: true
    access_control:
        - path: ^/
          roles: IS_AUTHENTICATED_FULLY
    firewalls:
        #...
        main:
            stateless: true
            istio_jwt_authenticator:
                rules:
                    - issuer: issuer_1 # Required
                      user_identifier_claim: sub # Default is the `sub` claim
                      origin_token_headers: [authorization] # Required: at least one of `origin_token_headers`, `origin_token_query_params` or `base64_headers`. Use this option when your Istio JWTRule CRD uses `forwardOriginalToken`.
                      origin_token_query_params: [token] # Use this option when your Istio JWTRule CRD uses `forwardOriginalToken` and your JWT token is in a query param.
                      base64_headers: [x-istio-jwt-payload] # Use this option when your Istio JWTRule CRD uses `outputPayloadToHeader`.
                      prefix: "Bearer " # Prefix of the passed-through origin token; defaults to blank ("") if not set.
```
If your application has multiple issuers:

```yaml
#....
main:
    stateless: true
    istio_jwt_authenticator:
        rules:
            - issuer: issuer_1
              origin_token_headers: [authorization]
              prefix: "Bearer "
            - issuer: issuer_2
              user_identifier_claim: aud
              base64_headers: [x-istio-jwt-payload]
#....
```
Usage

```bash
#!/bin/bash
# Generate a mock JWT token as forwarded by the Istio sidecar
payload='{"issuer":"issuer_1", "sub": "test"}'
base64_payload=$(echo -n "$payload" | base64 -)
origin_token="header.$base64_payload.signature"

# You can test authenticating the origin token with curl:
curl -H "Authorization: Bearer $origin_token" https:///

# Or authenticate the base64 payload header:
curl -H "X-Istio-JWT-Payload: $base64_payload" https:///
```
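As an added illustration (not the bundle's own code), the following Python model shows the trust decision the configuration above describes: it reads the payload from the sources each rule names (`origin_token_headers`, `origin_token_query_params`, `base64_headers`), matches the rule's `issuer` against the payload's `iss` claim, and never checks a signature, which is exactly why the Istio proxy must sit in front of the application. Assumptions: the `RULES` list and `mock_token` helper are constructed here, the issuer is compared against the standard `iss` claim (the mock above uses a key named `issuer`), and the payload header may be base64 or base64url with or without padding.

```python
import base64
import json
# Rules mirroring the page's security.yaml (constructed for this example, not the bundle's code).
RULES = [
    {"issuer": "issuer_1", "user_identifier_claim": "sub",
     "origin_token_headers": ["authorization"], "prefix": "Bearer "},
    {"issuer": "issuer_2", "user_identifier_claim": "aud",
     "base64_headers": ["x-istio-jwt-payload"]},
]

def mock_token(payload):
    """Build header.payload.signature the way the page's bash snippet does (unsigned mock)."""
    segment = base64.b64encode(json.dumps(payload).encode()).decode()
    return "header." + segment + ".signature"

def decode_payload(segment):
    """Decode a JWT payload segment: base64 or base64url, with or without padding."""
    segment = segment.strip()
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def payload_from_token(token):
    """Take the middle segment of a JWT; the signature is NOT checked (the sidecar did that)."""
    parts = token.split(".")
    return decode_payload(parts[1]) if len(parts) == 3 else None

def extract_payload(rule, headers, query):
    """Return the payload forwarded for one rule, trying each configured source in turn."""
    prefix = rule.get("prefix", "")
    for name in rule.get("origin_token_headers", []):  # forwardOriginalToken via header
        value = headers.get(name.lower(), "")
        if value.startswith(prefix) and len(value) > len(prefix):
            return payload_from_token(value[len(prefix):])
    for name in rule.get("origin_token_query_params", []):  # forwardOriginalToken via query
        if name in query:
            return payload_from_token(query[name])
    for name in rule.get("base64_headers", []):  # outputPayloadToHeader
        if name.lower() in headers:
            return decode_payload(headers[name.lower()])
    return None

def authenticate(headers, query=None, rules=RULES):
    """Match the payload's `iss` claim against each rule; return (issuer, user identifier) or None."""
    headers = {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        try:
            payload = extract_payload(rule, headers, query or {})
        except ValueError:  # undecodable header or token segment: this rule does not match
            continue
        if isinstance(payload, dict) and payload.get("iss") == rule["issuer"]:
            return rule["issuer"], payload.get(rule.get("user_identifier_claim", "sub"))
    return None
```

Because nothing here verifies a signature, any client that can reach the pod without passing through the sidecar can set these headers itself; the RequestAuthentication CRD and sidecar injection mentioned in the About section are what make the forwarded payload trustworthy.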