feat: add configurable header opts for JWKS request

Author: camronkhan

README.md

@@ -52,6 +52,7 @@ PayloadFields | The field-name in the JWT payload that are required (e.g. `exp`)
 Required | Is `Authorization` header with JWT token required for every request.
 Keys | Used to validate JWT signature. Multiple keys are supported. Allowed values include certificates, public keys, symmetric keys. In case the value is a valid URL, the plugin will fetch keys from the JWK endpoint.
 Alg | Used to verify which PKI algorithm is used in the JWT.
+JwksHeaders | Map used to add headers to a JWKS request (e.g. credentials for a 3rd party JWKS service).
 JwtHeaders | Map used to inject JWT payload fields as HTTP request headers.
 OpaHeaders | Map used to inject OPA result fields as HTTP request headers. Populated if request is allowed by OPA. Only 1st level keys from OPA document are supported.
 OpaResponseHeaders | Map used to inject OPA result fields as HTTP response headers. Populated if OPA response has `OpaAllowField` present, regardless of value. Only 1st level keys from OPA document are supported.

jwt.go

@@ -38,6 +38,7 @@ type Config struct {
 	Alg                string
 	OpaHeaders         map[string]string
 	JwtHeaders         map[string]string
+	JwksHeaders        map[string]string
 	OpaResponseHeaders map[string]string
 	OpaHttpStatusField string
 	JwtCookieKey       string
@@ -55,6 +56,7 @@ func CreateConfig() *Config {
 
 // JwtPlugin contains the runtime config
 type JwtPlugin struct {
+	httpClient         *http.Client
 	next               http.Handler
 	opaUrl             string
 	opaAllowField      string
@@ -67,6 +69,7 @@ type JwtPlugin struct {
 	alg                string
 	opaHeaders         map[string]string
 	jwtHeaders         map[string]string
+	jwksHeaders        map[string]string
 	opaResponseHeaders map[string]string
 	opaHttpStatusField string
 	jwtCookieKey       string
@@ -163,6 +166,7 @@ type Response struct {
 // New creates a new plugin
 func New(_ context.Context, next http.Handler, config *Config, _ string) (http.Handler, error) {
 	jwtPlugin := &JwtPlugin{
+		httpClient:         &http.Client{},
 		next:               next,
 		opaUrl:             config.OpaUrl,
 		opaAllowField:      config.OpaAllowField,
@@ -174,6 +178,7 @@ func New(_ context.Context, next http.Handler, config *Config, _ string) (http.H
 		keys:               make(map[string]interface{}),
 		opaHeaders:         config.OpaHeaders,
 		jwtHeaders:         config.JwtHeaders,
+		jwksHeaders:        config.JwksHeaders,
 		opaResponseHeaders: config.OpaResponseHeaders,
 		opaHttpStatusField: config.OpaHttpStatusField,
 		jwtCookieKey:       config.JwtCookieKey,
@@ -231,7 +236,15 @@ func (jwtPlugin *JwtPlugin) FetchKeys() {
 	logInfo(fmt.Sprintf("FetchKeys - #%d jwkEndpoints to fetch", len(jwtPlugin.jwkEndpoints))).
 		print()
 	for _, u := range jwtPlugin.jwkEndpoints {
-		response, err := http.Get(u.String())
+		req, err := http.NewRequest("GET", u.String(), nil)
+		if err != nil {
+			logWarn("FetchKeys - Failed to create request").withUrl(u.String()).print()
+			continue
+		}
+		for headerKey, headerValue := range jwtPlugin.jwksHeaders {
+			req.Header.Add(headerKey, headerValue)
+		}
+		response, err := jwtPlugin.httpClient.Do(req)
 		if err != nil {
 			logWarn("FetchKeys - Failed to fetch keys").withUrl(u.String()).print()
 			continue

jwt_test.go

@@ -1122,3 +1122,68 @@ func TestTokenFromQueryConfiguredButNotInURL(t *testing.T) {
 		t.Fatal("next.ServeHTTP was called, but should not")
 	}
 }
+
+func TestJwksHeaders(t *testing.T) {
+	tests := []struct {
+		name        string
+		jwksHeaders map[string]string
+		expected    map[string]string
+	}{
+		{
+			name:        "No Headers",
+			jwksHeaders: map[string]string{},
+			expected:    map[string]string{},
+		},
+		{
+			name:        "One Header",
+			jwksHeaders: map[string]string{"Content-Type": "application/json"},
+			expected:    map[string]string{"Content-Type": "application/json"},
+		},
+		{
+			name: "Multiple Headers",
+			jwksHeaders: map[string]string{
+				"Authorization": "Bearer token",
+				"User-Agent":    "Traefik",
+			},
+			expected: map[string]string{
+				"Authorization": "Bearer token",
+				"User-Agent":    "Traefik",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := Config{
+				JwksHeaders: tt.jwksHeaders,
+			}
+			ctx := context.Background()
+
+			jwtPlugin, err := New(ctx, nil, &cfg, "test-traefik-jwt-plugin")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				for key, val := range tt.expected {
+					if r.Header.Get(key) != val {
+						t.Errorf("Expected header %s to be %s, got %s", key, val, r.Header.Get(key))
+					}
+				}
+			}))
+			defer ts.Close()
+
+			jwtPlugin.(*JwtPlugin).jwkEndpoints = append(jwtPlugin.(*JwtPlugin).jwkEndpoints, mustParseUrl(ts.URL))
+
+			jwtPlugin.(*JwtPlugin).FetchKeys()
+		})
+	}
+}
+
+func mustParseUrl(urlStr string) *url.URL {
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}