
Alibaba Cloud Service Mesh: ParseJwtToHeader plug-in

Last Updated: Feb 07, 2025

After you configure a JWT-based identity authentication or authorization policy at the ingress gateway, subsequent services sometimes need the user identity information carried in the request headers. When enabled, the ParseJwtToHeader plug-in parses the configured fields in the payload of the JWT received by the gateway and adds them to the request header of the forwarded request.

Important

In the Plugin Effective scope section, select Gateway Scope for this plug-in and add the corresponding gateway. Ensure that the key configured in field_mapping exists in the JWT payload. Otherwise, this plug-in will not take effect. Before trying this plug-in, complete at least steps 1 to 4 in JWT request authentication for ingress gateway in ASM to set up the test environment.

Configuration fields

| Name | Data type | Required | Default value | Description |
| --- | --- | --- | --- | --- |
| issuer | string | Yes | - | Specifies the issuer of the JWT. This field value should be consistent with that of the issuer field configured in the request authentication. |
| field_mapping | string map | No | {} | Specifies the field name to be parsed and the field name to be added to the request header, in the format of a map. key: the field name to be parsed. value: the field name to be added to the request header. |

Configuration example

Enable the plug-in

Set the plug-in effective scope to Gateway Scope and select the ingressgateway gateway as the gateway on which it takes effect. Configure the following parameters so that the plug-in parses the name field in the JWT payload:

issuer: testing@asm.test.io
field_mapping:
  name: x-custom-user

Turn on the Plugin Switch.

Test results

Using the JWT tool, change the payload as follows, keep the other parts consistent with step 4 of the reference documentation, and obtain the JWT token.

{
  "iss": "testing@asm.test.io",
  "name": "asm_test",
  "admin": true,
  "iat": 1516239022
}

Execute the following command in the terminal:

curl -H "Authorization: Bearer $TOKEN" http://{Your ASM gateway address}/headers

Expected test results:

{
  "headers": {
    "Accept": "*/*", 
    "Host": "120.26.**.**", 
    "User-Agent": "curl/7.79.1", 
    "X-Custom-User": "asm_test", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Envoy-Internal": "true", 
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=***;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}

You can see that the request header received by httpbin contains the username information. (You may notice that the first letter of the field is capitalized. This is caused by the httpbin return logic, and the actual request header remains consistent with your input.)
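A pre-flight check for the two requirements stated above (the configured issuer matches the token's iss, and every field_mapping key exists in the JWT payload), as an added example that is not part of the ASM documentation or the plug-in's code. The function names decode_payload and preflight are hypothetical, and the sample token is constructed with placeholder header and signature segments; the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

def _b64url(obj) -> str:
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: the payload is the one from the test above; the header
# and the signature segment are placeholders, so this token is not valid.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "testing@asm.test.io", "name": "asm_test",
             "admin": True, "iat": 1516239022}),
    "constructed-signature",
])

# The plug-in configuration from the example above, as a Python dict.
CONFIG = {"issuer": "testing@asm.test.io",
          "field_mapping": {"name": "x-custom-user"}}

def decode_payload(token: str) -> dict:
    """Decode the payload segment for inspection. No signature check here:
    verification is the job of the gateway's request authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    payload = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(payload, dict):
        raise ValueError("JWT payload is not a JSON object")
    return payload

def preflight(token: str, config: dict) -> dict:
    """Report whether the token satisfies the plug-in configuration."""
    payload = decode_payload(token)
    mapping = config.get("field_mapping", {})
    return {
        "issuer_matches": payload.get("iss") == config["issuer"],
        "missing_keys": sorted(k for k in mapping if k not in payload),
        "expected_headers": {hdr: payload[key]
                             for key, hdr in mapping.items() if key in payload},
    }

if __name__ == "__main__":
    print(preflight(SAMPLE_TOKEN, CONFIG))
```

A non-empty missing_keys list or issuer_matches set to False points to a configuration that does not match the token being tested.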