
Alibaba Cloud Service Mesh: ParseJwtToHeader plug-in

Last Updated: Dec 01, 2025

After you configure an identity authentication or authorization policy that uses JSON Web Token (JWT) at an ingress gateway, subsequent services may need to include user identity information in request headers. When the ParseJwtToHeader plug-in is enabled, it parses specified fields in the JWT payload received by the gateway and adds them to the request headers of the forwarded request according to your configuration.

Important
  • For ASM 1.24 and later, RequestAuthentication supports extracting JWT payloads and adding them to request headers. We recommend that you use request authentication to process the relevant request headers.

  • For this plug-in, you must select Gateway Scope in the Plugin Effective Scope section and add the corresponding gateway. Ensure that the key configured in field_mapping exists in the JWT Payload. Otherwise, this plug-in will not take effect. Before you try this plug-in, ensure that you have completed steps one to four in Perform JWT request authentication for an ingress gateway in ASM to set up the test environment.

Configuration fields

| Name | Data type | Required | Default value | Description |
|---|---|---|---|---|
| issuer | string | Required | - | The issuer of the JWT. This field must be consistent with the issuer field configured in the request authentication. |
| field_mapping | string map | Optional | {} | Specifies the field to parse and the name of the field to add to the request header in map format. key: the name of the field to parse. value: the name of the field to add to the request header. |

Configuration example

Enable the plug-in

Set the effective scope of the plug-in to Gateway Scope and select the ingressgateway gateway. Configure the following parameters to parse the name field in the JWT Payload, and then turn on the Plugin Switch.

issuer: testing@asm.test.io
field_mapping:
  name: x-custom-user

Test results

  1. Use the JWT tool to modify the Payload as follows. Keep the other fields consistent with those in step four of the referenced document, and then obtain the JWT token.

    {
      "iss": "testing@asm.test.io",
      "name": "asm_test",
      "admin": true,
      "iat": 1516239022
    }
    
  2. Run the following command in the terminal:

    curl -H "Authorization: Bearer $TOKEN" http://{Your ASM gateway address}/headers

    The expected test result is:

    {
      "headers": {
        "Accept": "*/*", 
        "Host": "120.26.**.**", 
        "User-Agent": "curl/7.79.1", 
        "X-Custom-User": "asm_test", 
        "X-Envoy-Attempt-Count": "1", 
        "X-Envoy-Internal": "true", 
        "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=***;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
    

    You can see that the request header received by httpbin contains the username information. (The first letter of the field may be capitalized in the output. This is due to the httpbin return logic. The actual request header is consistent with your input.)
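
The Important note above requires every key in field_mapping to exist in the JWT payload. The following Python sketch is an added example, not part of the original documentation or the plug-in's code: it decodes a test token's payload without verifying the signature (signature validation stays with request authentication at the gateway) and reports which headers the mapping would produce and which keys are missing. The function names decode_payload and preflight, the token header, and the placeholder signature are constructed for illustration.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the stripped base64url padding
    payload = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload

def preflight(token: str, issuer: str, field_mapping: dict) -> dict:
    """Check a test token against an issuer / field_mapping configuration."""
    payload = decode_payload(token)
    result = {"issuer_ok": payload.get("iss") == issuer,
              "headers": {}, "missing": []}
    for claim, header in field_mapping.items():
        if claim in payload:
            result["headers"][header] = payload[claim]
        else:
            # A key absent from the payload means the mapping cannot apply.
            result["missing"].append(claim)
    return result

# Constructed sample token: payload taken from this page, constructed
# header and placeholder signature (the signature is never checked here).
SAMPLE_PAYLOAD = {"iss": "testing@asm.test.io", "name": "asm_test",
                  "admin": True, "iat": 1516239022}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    cfg_issuer = "testing@asm.test.io"
    print(preflight(SAMPLE_TOKEN, cfg_issuer, {"name": "x-custom-user"}))
    # Hypothetical misconfiguration: "username" is not a key in the payload.
    print(preflight(SAMPLE_TOKEN, cfg_issuer, {"username": "x-custom-user"}))
```

A non-empty missing list or issuer_ok set to False points at a configuration that does not match the token you are testing with.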