Skip to content
This repository has been archived by the owner on Jun 30, 2024. It is now read-only.
/ cla-jwt-verifier Public archive

Simple HTTP server for verifying JWT issued by Cloudflare Access

License

Notifications You must be signed in to change notification settings

ymyzk/cla-jwt-verifier

Repository files navigation

cla-jwt-verifier

CI

Simple HTTP server for verifying JSON web tokens (JWTs) issued by Cloudflare Access. Works well with Nginx's ngx_http_auth_request_module.

When we use Cloudflare Access, no one should be able to access our origin servers directly. To secure origin servers, Cloudflare Access recommends to force all requests to our origin server through Cloudflare's network and validate JWTs. cla-jwt-verifier provides a solution to implement the latter. See How Access works - Cloudflare Access for more details.

Usage

  1. Start cla-jwt-verifier
APP_CERTS_URL=https://<account>.cloudflareaccess.com/cdn-cgi/access/certs \
APP_AUDIENCES=<audience1>,<audience2> \
RUST_LOG=cla_jwt_verifier=info \
cargo run
  1. Verify a JWT token using cla-jwt-verifier. cla-jwt-verifier always get a token from the HTTP header not HTTP Cookie.
curl -v -H 'Cf-Access-Jwt-Assertion: <token>' localhost:3030/auth
  1. cla-jwt-verifier returns HTTP 200 only when the given token is verified.

Integrating with Nginx

cla-jwt-verifier can be integrated with Nginx easily by using ngx_http_auth_request_module.

Example configuration:

location / {
  auth_request /auth;
  ...
}

location = /auth {
  internal;

  proxy_pass http://<cla-jwt-verifier>/auth;
  proxy_pass_request_body off;
  proxy_set_header Content-Length "";

  // Optional
  proxy_set_header X-Original-URI $request_uri;
}

If you're using NGINX Ingress Controller on Kubernetes, integration will be easier. Run cla-jwt-verifier on Kubernetes and set global-auth-url of ConfigMap or nginx.ingress.kubernetes.io/auth-url annotation depending on where you want to enable authentication (global or ingress).

Configurations

cla-jwt-verifier reads configurations from environment variables.

  • APP_CERTS_URL (required)
  • APP_AUDIENCES (required)
  • APP_LISTEN (optional)
  • RUST_LOG (optional)

Endpoints

  • GET /auth
    • Cf-Access-Jwt-Assertion request header: JWT to be verified (required).
    • Response status code: 200 only when the JWT is verified successfully.

Docker

The Docker image is available on Docker Hub and GitHub.

Reference