JWT Auth

This module provides an example of JWT Auth.

class callouts.python.extproc.example.jwt_auth.service_callout_example.CalloutServerExample(*args: Any, **kwargs: Any)

Bases: CalloutServer

Example callout server.

For request header callouts, we provide a mutation that adds multiple headers based on the decoded token fields (for example ‘{decoded-name: John Doe}’) and clears the route cache if the JWT authorization is valid. An example of a valid token is given below.

Valid Token for RS256: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTcxMjE3MzQ2MSwiZXhwIjoyMDc1NjU4MjYxfQ.Vv-Lwn1z8BbVBGm-T1EKxv6T3XKCeRlvRrRmdu8USFdZUoSBK_aThzwzM2T8hlpReYsX9YFdJ3hMfq6OZTfHvfPLXvAt7iSKa03ZoPQzU8bRGzYy8xrb0ZQfrejGfHS5iHukzA8vtI2UAJ_9wFQiY5_VGHOBv9116efslbg-_gItJ2avJb0A0yr5uUwmE336rYEwgm4DzzfnTqPt8kcJwkONUsjEH__mePrva1qDT4qtfTPQpGa35TW8n9yZqse3h1w3xyxUfJd3BlDmoz6pQp2CvZkhdQpkWA1bnwpdqSDC7bHk4tYX6K5Q19na-2ff7gkmHZHJr0G9e_vAhQiE5w

on_request_headers(headers: envoy.service.ext_proc.v3.external_processor_pb2.HttpHeaders, context: ServicerContext) -> envoy.service.ext_proc.v3.external_processor_pb2.HeadersResponse | None

Denies the request if token validation fails and returns an error message. See callouts.python.extproc.service.callout_tools.deny_request() for more information.

If the token is valid, apply a header mutation. See callouts.python.extproc.service.callout_tools.add_header_mutation() for more information.

See base method: callouts.python.extproc.service.callout_server.CalloutServer.on_request_headers().

callouts.python.extproc.example.jwt_auth.service_callout_example.extract_jwt_token(request_headers: envoy.service.ext_proc.v3.external_processor_pb2.HttpHeaders) -> str | None

Extracts the JWT token from the request headers, specifically looking for the ‘Authorization’ header and parsing out the token part.

Parameters:

request_headers (service_pb2.HttpHeaders) – The HTTP headers received in the request.

Returns:

The extracted JWT token if found, otherwise None.

Return type:

str

Example

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6… -> Returns: eyJhbGciOiJIUzI1NiIsInR5cCI6…

callouts.python.extproc.example.jwt_auth.service_callout_example.validate_jwt_token(key: bytes, request_headers: envoy.service.ext_proc.v3.external_processor_pb2.HttpHeaders, algorithm: str) -> Any | None

Validates the JWT token extracted from the request headers using a specified public key and algorithm. If valid, returns the decoded JWT payload; otherwise, logs an error and returns None.

Parameters:
  • key (bytes) – The public key used for token validation.

  • request_headers (service_pb2.HttpHeaders) – The HTTP headers received in the request, used to extract the JWT token.

  • algorithm (str) – The algorithm with which the JWT was signed (e.g., ‘RS256’).

Returns:

The decoded JWT if validation is successful, None if the token is invalid or an error occurs.

Return type:

dict | None

Raises:

InvalidTokenError – If the token is invalid or decoding fails.

Example

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6… -> Returns: {‘sub’: ‘1234567890’, ‘name’: ‘John Doe’, ‘iat’: 1712173461, ‘exp’: 2075658261}
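
The checks that extract_jwt_token() and validate_jwt_token() describe, as an added example that is not the project's own code: it parses the Bearer header, pins the algorithm, verifies signature and expiry, and builds the ‘decoded-<claim>’ header pairs. Assumptions: headers are a plain dict rather than Envoy's HttpHeaders, HS256 from the standard library stands in for RS256 so the block runs without a JWT package, a numeric exp claim is required, and extract_bearer, validate, decoded_headers and mint are hypothetical names.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def extract_bearer(headers: dict) -> str | None:
    """Token from 'Authorization: Bearer <token>', or None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def validate(key: bytes, headers: dict, algorithm: str, now: float | None = None) -> dict | None:
    """Claims if the token verifies under the pinned algorithm, else None."""
    token = extract_bearer(headers)
    if algorithm != "HS256" or token is None or token.count(".") != 2:
        return None  # this example implements HS256 only
    head, body, sig = token.split(".")
    try:
        header, claims, mac = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: never let the token's own "alg" choose the verifier.
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != algorithm:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    exp = claims.get("exp")  # assumption: this example requires a numeric exp
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims

def decoded_headers(claims: dict) -> list[tuple[str, str]]:
    """Header mutation pairs in the page's 'decoded-<claim>' form."""
    return [(f"decoded-{k}", str(v)) for k, v in claims.items()]

def mint(key: bytes, claims: dict, alg: str = "HS256") -> str:
    """Build a constructed test token; the MAC is always HMAC-SHA256."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"
```

Every rejection path returns None, so a caller in the position of on_request_headers() can deny the request on None and apply the header mutation otherwise.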