Add unencrypted, base64-decoded claims from a JWT payload as request headers to the upstream service.

When enabled, this plugin will add new headers to requests based on the claims
in the JWT provided in the request. The generated headers follow the naming
convention of `x-<claim-name>`. For example, if the JWT payload object is
```json
{
  "sub" : "1234567890",
  "name" : "John Doe",
  "admin" : true
}
```

then the following headers would be added:

```
x-sub : "1234567890"
x-name : "John Doe"
x-admin : true
```

Similar to the built-in JWT Kong plugin, you can associate the `jwt-claims-headers` plugin with an API with the following request:

```bash
curl -X POST http://localhost:8001/apis/29414666-6b91-430a-9ff0-50d691b03a45/plugins \
  --data "name=jwt-claims-headers" \
  --data "config.uri_param_names=jwt" \
  --data "config.claims_to_include=.*" \
  --data "config.continue_on_error=true" \
  --data "config.verify_exp=true" \
  --data "config.jwt_secret=b3JhbmdlMwmdlM29yYW5nZTNvb3JhbcmFuZ2Uz"
```

form parameter | required | description |
---|---|---|
`name` | required | The name of the plugin to use, in this case: `jwt-claims-headers` |
`config.uri_param_names` | optional | A list of querystring parameters that Kong will inspect to retrieve JWTs. Defaults to `jwt`. |
`config.claims_to_include` | required | A list of claims that Kong will expose in request headers. Lua pattern expressions are valid, e.g., `kong-.*` will include `kong-id`, `kong-email`, etc. Defaults to `.*` (include all claims). |
`config.continue_on_error` | required | Whether to send the request to the upstream service if a failure occurs (no JWT token present, error decoding, etc). Defaults to `true`. |
`config.verify_exp` | optional | Expiration Time Claim. Defaults to `false`. |
`config.jwt_secret` | required | JWT Secret string for signature verification. |
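
The `config.claims_to_include` values are Lua patterns, in which an unescaped `-` is a lazy repetition operator rather than a literal hyphen, and a match may start anywhere in the name unless the pattern is anchored with `^` and `$`. The following is an added example, not the plugin's own code, that prints which claims three variants of the pattern select. It assumes the plugin tests each claim name with `string.match`; the sample payload and the `exposed_headers` and `show` helpers are constructed for illustration.

```lua
-- Added example, not the plugin's code.
-- ASSUMPTION: each claim name is tested against each configured pattern
-- with string.match; check the plugin source for the exact call it uses.

-- Constructed sample payload, as it would look after decoding the JWT.
local claims = {
  ["kong-id"]    = "42",
  ["kong-email"] = "jdoe@example.com",
  ["konsole"]    = "root",   -- starts with "kon", contains no hyphen
  ["x-kong-env"] = "prod",   -- contains "kong-" in the middle of the name
  ["admin"]      = true,
}

-- Return the sorted header names that `patterns` would expose.
-- When `anchor` is true, each pattern must match the whole claim name.
local function exposed_headers(payload, patterns, anchor)
  local names = {}
  for claim in pairs(payload) do
    for _, pat in ipairs(patterns) do
      local p = anchor and ("^" .. pat .. "$") or pat
      if string.match(claim, p) then
        names[#names + 1] = "x-" .. claim
        break -- one matching pattern is enough for this claim
      end
    end
  end
  table.sort(names)
  return names
end

local function show(label, patterns, anchor)
  local headers = exposed_headers(claims, patterns, anchor)
  print(label .. ": " .. table.concat(headers, ", "))
end

-- "g-" means "zero or more g, as few as possible", so this pattern reads
-- as "kon", optional g's, then anything: it is broader than a "kong-" prefix.
show("kong-.*  (unanchored)", { "kong-.*" }, false)

-- "%-" is a literal hyphen, but the match may still begin mid-name.
show("kong%-.* (unanchored)", { "kong%-.*" }, false)

-- Escaped and anchored: only claim names that begin with "kong-".
show("kong%-.* (anchored)", { "kong%-.*" }, true)
```

Running it with a stock `lua` interpreter lets you compare the three selections before committing a pattern to the plugin configuration.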