Simple HTTP server for verifying JSON web tokens (JWTs) issued by Cloudflare Access. Works well with Nginx's ngx_http_auth_request_module.
When we use Cloudflare Access, no one should be able to access our origin servers directly. To secure origin servers, Cloudflare Access recommends forcing all requests to our origin server through Cloudflare's network and validating JWTs. cla-jwt-verifier provides a solution to implement the latter. See How Access works - Cloudflare Access for more details.
- Start cla-jwt-verifier
APP_CERTS_URL=https://<account>.cloudflareaccess.com/cdn-cgi/access/certs \
APP_AUDIENCES=<audience1>,<audience2> \
RUST_LOG=cla_jwt_verifier=info \
cargo run
- Verify a JWT using cla-jwt-verifier. cla-jwt-verifier always reads the token from the HTTP header, not from the HTTP cookie.
curl -v -H 'Cf-Access-Jwt-Assertion: <token>' localhost:3030/auth
- cla-jwt-verifier returns HTTP 200 only when the given token is verified.
cla-jwt-verifier can be integrated with Nginx easily by using ngx_http_auth_request_module.
Example configuration:
    location / {
        auth_request /auth;
        ...
    }
    location = /auth {
        internal;
        proxy_pass http://<cla-jwt-verifier>/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Optional
        proxy_set_header X-Original-URI $request_uri;
    }
If you're using NGINX Ingress Controller on Kubernetes, integration is easier. Run cla-jwt-verifier on Kubernetes and set global-auth-url in the ConfigMap or the nginx.ingress.kubernetes.io/auth-url annotation, depending on where you want to enable authentication (globally or per Ingress).
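The per-Ingress variant described above, as an added example that is not part of the project's own documentation. The namespace `auth`, the `protected-app` service, the host name and the image reference are placeholders, and the manifest assumes the verifier listens on port 3030 (the port in the curl example) on an address other pods can reach; if it does not, set APP_LISTEN accordingly.

```yaml
# Added example: names, namespace, host and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata: {name: cla-jwt-verifier, namespace: auth}
spec:
  selector:
    matchLabels: {app: cla-jwt-verifier}
  template:
    metadata:
      labels: {app: cla-jwt-verifier}
    spec:
      containers:
        - name: verifier
          image: "<cla-jwt-verifier-image>"  # placeholder: image reference is not given on this page
          env:
            - name: APP_CERTS_URL
              value: "https://<account>.cloudflareaccess.com/cdn-cgi/access/certs"
            - name: APP_AUDIENCES
              value: "<audience1>,<audience2>"
          ports:
            - containerPort: 3030            # assumed from the curl example
---
apiVersion: v1
kind: Service
metadata: {name: cla-jwt-verifier, namespace: auth}
spec:
  type: ClusterIP                            # keep the verifier internal to the cluster
  selector: {app: cla-jwt-verifier}
  ports:
    - {port: 3030, targetPort: 3030}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: protected-app                        # hypothetical application behind Cloudflare Access
  namespace: default
  annotations:
    # Every request to this Ingress is first sent to /auth; only HTTP 200 lets it through.
    nginx.ingress.kubernetes.io/auth-url: "http://cla-jwt-verifier.auth.svc.cluster.local:3030/auth"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com                  # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: protected-app, port: {number: 80}}
```

This covers only the JWT validation half of the recommendation; restricting the origin to traffic from Cloudflare's network is configured separately.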
cla-jwt-verifier reads configurations from environment variables.
- APP_CERTS_URL (required)
- APP_AUDIENCES (required)
- APP_LISTEN (optional)
- RUST_LOG (optional)
- GET /auth
- Cf-Access-Jwt-Assertion request header: JWT to be verified (required).
- Response status code: 200 only when the JWT is verified successfully.
The Docker image is available on Docker Hub and GitHub.