Is there any way to extract the values of JWT claims and set them as response headers, so that the ingress controller can then pass them along to the actual backend using auth_request_set and add_header? With oauth2-proxy you can do this using the --set-xauthrequest flag for basic configuration, or using the injectResponseHeaders.*.values.*.claim alpha configuration for advanced configuration.

I'd love to see similar functionality here, because this tool seems much easier to use when different Ingress objects need different configurations; maybe something along the lines of:

nginx.ingress.kubernetes.io/auth-url: http://ingress-nginx-validate-jwt.ingress-nginx-validate-jwt.svc.cluster.local:8080/auth?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333&inject-claims=user,groups

By any chance would you be able to provider the Dockerfile? (perhaps place it in the root)

Thanks :)

Document how to load TLS certificate from file.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dotnet monorepo to v9 (major) (mcr.microsoft.com/dotnet/runtime-deps, mcr.microsoft.com/dotnet/sdk)

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dotnet monorepo (dotnet-sdk, mcr.microsoft.com/dotnet/runtime-deps, mcr.microsoft.com/dotnet/sdk)
• chore(deps): update xunit-dotnet monorepo (xunit, xunit.runner.visualstudio)
• chore(deps): update dotnet monorepo to v8 (major) (mcr.microsoft.com/dotnet/runtime-deps, mcr.microsoft.com/dotnet/sdk)
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

When the request comes in via the Google Identity Aware Proxy (IAP), the IAP adds the jwt token using the header name x-goog-iap-jwt-assertion. Can ingress-nginx-validate-jwt add support to read the jwt token from a custom header instead of the default Authorization header?

Here is the doc with sample code. The public key used for validating the token should probably be cached. Based on the discussion here, the key expiration may be infrequent, but IAP engineer suggested refresh the keyfile on lookup failure approach.

The audience should match configured aud parameter.

Inject claim email should work, but the email value may be prefixed with the namespace: if the third party (non-Google) IdP is used. So we probably want to strip. eg:

  "email": "securetoken.google.com/my-gcp-project-123:[email protected]"

Publish a ARM64 image.

This application will not receive any more new features, please switch to https://github.com/IvanJosipovic/OIDC-Guard which contains all the features of this tool and more.

Security updates will continue to be published and are automated.

One of my applications would like to give authenticated users protected content, and unauthenticated users guest/anonymous content. It will check the special email_header.

Can ingress-nginx-validate-jwt let the request through even if jwt token validation fails?, but to blank out the email_header (to stop client from spoofing the email_header)? That will let backend application know this user is unauthenticated.

Source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/hardening-an-asp-net-container-running-on-kubernetes/ba-p/2542224

• Create Hardened Dockerfile
• Update CI/CD to build Hardened image
• Security Scan image to validate results