Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/10/19 07:48:19 UTC
[GitHub] [apisix] starsz opened a new issue, #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
starsz opened a new issue, #8122:
URL: https://github.com/apache/apisix/issues/8122
### Description
Hello, I found that those auth plugins now support "hide_credentials":
| plugin | field | url |
| ---- | ---- | ---- |
| key-auth | hide_credentials | https://apisix.apache.org/docs/apisix/next/plugins/key-auth/ |
| basic-auth | hide-credentials | https://apisix.apache.org/docs/apisix/next/plugins/basic-auth/ |
| hmac-auth | keep_headers | https://apisix.apache.org/docs/apisix/next/plugins/hmac-auth/ |
But the `jwt-auth` plugin doesn't support hiding credentials, so we will get the credentials at upstream. It may cause some security problems. I think we should support it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
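What hiding the credential amounts to for a JWT, as an added sketch that is not APISIX's code and not part of the original issue: after the gateway has verified the token, it is removed from every place it may have been supplied before the request is proxied. The header, query and cookie names, the `hide_jwt` helper and the sample request are assumptions made for this illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed token locations for this sketch (hypothetical, not read from APISIX).
HEADER_NAME = "authorization"
QUERY_NAME = "jwt"
COOKIE_NAME = "jwt"

# Constructed sample request; the token value is a placeholder.
SAMPLE_URI = "/orders?jwt=aaa.bbb.ccc&page=2"
SAMPLE_HEADERS = {
    "Host": "api.example.test",
    "Authorization": "Bearer aaa.bbb.ccc",
    "Cookie": "session=s1; jwt=aaa.bbb.ccc",
}


def hide_jwt(uri, headers):
    """Return (uri, headers) as they should be forwarded upstream, with the
    already-verified JWT removed from header, query string and cookie."""
    out = {k: v for k, v in headers.items() if k.lower() != HEADER_NAME}

    # Drop only the token cookie; other cookies must still reach upstream.
    cookie_key = next((k for k in out if k.lower() == "cookie"), None)
    if cookie_key is not None:
        jar = SimpleCookie()
        jar.load(out[cookie_key])
        kept = "; ".join(
            f"{name}={morsel.value}"
            for name, morsel in jar.items()
            if name != COOKIE_NAME
        )
        if kept:
            out[cookie_key] = kept
        else:
            del out[cookie_key]  # no empty Cookie header left behind

    # Drop only the token query argument; keep the others in order.
    parts = urlsplit(uri)
    args = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k != QUERY_NAME
    ]
    return urlunsplit(parts._replace(query=urlencode(args))), out
```

Checking the forwarded request for the token in all three places, rather than only the header, is what shows whether the upstream still receives it.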
[GitHub] [apisix] pixeldin commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
Posted by GitBox <gi...@apache.org>.
pixeldin commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1285042054
Ok, I am trying to cover it.
[GitHub] [apisix] starsz commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1283577415
@pixeldin Do you want to try this?
[GitHub] [apisix] opencmit1 commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
Posted by GitBox <gi...@apache.org>.
opencmit1 commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1294364212
Relevant content can be viewed here:
https://segmentfault.com/a/1190000041741551
[GitHub] [apisix] starsz commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1289880472
> APISIX 2.13.0 and all previous versions
Hi, @opencmit1. What I mean is that Apache APISIX will take the credentials to upstream.
Do you mean that APISIX will return the sensitive information to the client?
[GitHub] [apisix] opencmit1 commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
Posted by GitBox <gi...@apache.org>.
opencmit1 commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1284815384
What is the current version?
APISIX 2.13.0 and all previous versions. The jwt-auth plug-in has the security problem of disclosing the user's secret key, because the error information returned from the dependency library lua-resty-jwt contains sensitive information.
[GitHub] [apisix] spacewander closed issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
Posted by GitBox <gi...@apache.org>.
spacewander closed issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
URL: https://github.com/apache/apisix/issues/8122