On 30.04.21 02:01, Aleksandar Lazic wrote:
Hi.

I am thinking about integrating "l8w8jwt_decode(...)" into HAProxy.
https://github.com/GlitchedPolygons/l8w8jwt

The RS* methods require some "RSA_PRIVATE_KEY[] = ..." and I'm not sure
what the best way is, for a sample, to read such a key in HAProxy converters.

My suggestion for the converter name:

jwt_verify(alg,key) : boolean

Example call:
http-request set-var(txn.jwt_verified) req.hdr(Authorization),ub64dec,jwt_verify(alg,HSKEY)
http-request set-var(txn.jwt_verified) req.hdr(Authorization),ub64dec,jwt_verify(alg,"path_to_RS_PEM")

Any opinions?

Some more examples and questions.

I have such a sequence in mind.
```
# check if the request has a Bearer Token
# https://tools.ietf.org/html/rfc6750
# (an acl declaration takes no "if"; the condition is the fetch + match itself)
acl bearer_header_exist req.hdr(Authorization) -m beg Bearer

# Get the right HMAC or PEM-File into the variable jwt_verify_value
http-request set-var(txn.jwt_verify_value) req.hdr(host),map_str(jwt_pem.lst),read_file_to_string if bearer_header_exist

# Extract the JSON Web Algorithm (JWA) from the Bearer Token.
http-request set-var(txn.jwt_algo) req.hdr(Authorization),word(1,.),ub64dec,json_query('$.alg') if bearer_header_exist

# Verify the JWT Token with the right HMAC and PEM
http-request set-var(txn.jwt_check) req.hdr(Authorization),ub64dec,jwt_verify(%[var(txn.jwt_algo)],%[var(txn.jwt_verify_value)]) if bearer_header_exist { jwt_valid_algo(%[var(txn.jwt_algo)]) }
```

jwt_valid_algo will be similar to fix_is_valid.
jwt_valid_algo will check if the '$.alg' is a supported JSON Web Algorithm.

Do I need to call some functions in the converters (jwt_verify, jwt_valid_algo)
to look up '%[var(...)]'?
I haven't found a function which does the read_file_to_string; does such a
function exist in HAProxy?
Can I create a $MAP or $DATA_STRUCTURE to avoid reading the file on every
request?
Is there a max size of a variable in HAProxy?

Any feedback is very welcome.

Regards
Alex
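
The sequence proposed in the mail, worked through as an added example that is not code from the post, from HAProxy or from l8w8jwt: a Python model of the Bearer check, per-host key lookup, alg extraction and HS* signature verification, with the algorithm pinned to what the key is configured for so that the token's own alg claim (including "none") cannot choose the verifier. The HOST_KEYS map, the secret, the hostname and the helper names are constructed for the demo.

```python
import base64, binascii, hashlib, hmac, json

# Constructed per-host key map, standing in for the jwt_pem.lst lookup: host -> (alg, key).
HOST_KEYS = {"api.example.test": ("HS256", b"constructed-demo-secret")}
SUPPORTED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(s: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except binascii.Error:  # malformed base64url: return empty, callers then fail closed
        return b""

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwt_header_alg(token: str):
    """Model of the word(1,.),ub64dec,json_query('$.alg') step; None on malformed input."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError:  # bad UTF-8 or bad JSON
        return None
    return header.get("alg") if isinstance(header, dict) else None

def jwt_valid_algo(alg) -> bool:
    return alg in SUPPORTED_ALGS

def jwt_verify(token: str, alg: str, key: bytes) -> bool:
    """Model of the proposed jwt_verify(alg,key) converter for the HS* algorithms."""
    parts = token.split(".")
    if len(parts) != 3 or not jwt_valid_algo(alg) or jwt_header_alg(token) != alg:
        return False
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), SUPPORTED_ALGS[alg]).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def check_request(host: str, authorization: str) -> bool:
    if not authorization.startswith("Bearer ") or host not in HOST_KEYS:
        return False
    token = authorization[len("Bearer "):]
    key_alg, key = HOST_KEYS[host]
    # Pin the algorithm to the key's configured one: "none" or another family is rejected early.
    if jwt_header_alg(token) != key_alg:
        return False
    return jwt_verify(token, key_alg, key)

def make_token(alg: str, key: bytes, claims: dict) -> str:
    # Constructed sample-token builder for the demo (HS* only).
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), SUPPORTED_ALGS[alg]).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```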
