README

About

This library help to extract trusted JWT payload from request forwarded by Istio Sidecar. It's based on PSR-7 Server Request Message ensures interoperability with other packages and frameworks.

Requirements

PHP versions:

• PHP 8.0

Installation

First install this library:

composer require php-istio/jwt-payload-extractor

And choice one of PSR-7 implementation package (ex: nyholm/psr7-server):

composer require nyholm/psr7 nyholm/psr7-server

Usage

Istio JWTRules part of RequestAuthentication CRD (Custom Resource Definition) support forward origin token (forwardOriginalToken option), or just only base64 payload via specify header name (outputPayloadToHeader option), depend on your strategy you need to select method to extract your trusted JWT payload from forwarded request:

• Extract from origin token in header:

<?php
$psr17Factory = new \Nyholm\Psr7\Factory\Psr17Factory();

$creator = new \Nyholm\Psr7Server\ServerRequestCreator(
    $psr17Factory, // ServerRequestFactory
    $psr17Factory, // UriFactory
    $psr17Factory, // UploadedFileFactory
    $psr17Factory  // StreamFactory
);

$serverRequest = $creator->fromGlobals();
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer.example');
$payload = $extractor->extract($serverRequest);

if(null !== $payload) {
    var_dump($payload);
}

// by default it extract token from `authorization` header with `Bearer ` prefix, you can change it via next args:

$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer.example', 'x-token', 'yourPrefix ');

• Extract origin token in query param:

<?php
//......
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer.example', 'token');
$payload = $extractor->extract($serverRequest);
//......

• Extract base64 payload in header:

<?php
//......
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromBase64Header('issuer.example', 'x-istio-jwt-payload');
$payload = $extractor->extract($serverRequest);
//......

• In case your application have many JWT issuers, or many extraction strategies:

<?php
//......
$extractor = \Istio\JWTPayloadExtractor\ExtractorFactory::fromExtractors(
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromBase64Header('issuer1.example', 'x-istio-jwt-payload'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer1.example', 'token'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenHeader('issuer2.example', 'authorization'),
    \Istio\JWTPayloadExtractor\ExtractorFactory::fromOriginTokenQueryParam('issuer3.example', 'token'),
);
$payload = $extractor->extract($serverRequest);
//......

Testing

This library uses PHPUnit for unit tests:

vendor/bin/phpunit

Credits

• Minh Vuong