Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/10/19 07:48:19 UTC

[GitHub] [apisix] starsz opened a new issue, #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

starsz opened a new issue, #8122:
URL: https://github.com/apache/apisix/issues/8122

   ### Description
   
   Hello, I found that these auth plugins now support "hide_credentials":
   
   |  plugin   | field   | url |
   |  ----  | ----  | ---- | 
   | key-auth  | hide_credentials |  https://apisix.apache.org/docs/apisix/next/plugins/key-auth/ |
   | basic-auth  | hide-credentials | https://apisix.apache.org/docs/apisix/next/plugins/basic-auth/ |
   | hmac-auth | keep_headers | https://apisix.apache.org/docs/apisix/next/plugins/hmac-auth/ |
   
   But the `jwt-auth` plugin doesn't support hiding credentials, so we will get the credentials at upstream. It may cause some security problems. I think we should support it.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
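
What a `hide_credentials`-style option would do for a JWT, as an added example (not APISIX code and not part of the thread): after the gateway has verified the token, it removes it from the request before proxying to the upstream. The header, query-argument and cookie names below are assumptions, as is the function name.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed token locations (not stated in the thread): a request header,
# a query-string argument and a cookie. All names are illustrative.
TOKEN_HEADER = "authorization"
TOKEN_QUERY = "jwt"
TOKEN_COOKIE = "jwt"


def hide_jwt_credentials(headers, target):
    """Return (headers, target) as they should be forwarded upstream.

    headers: dict of request headers as received by the gateway.
    target:  request target, e.g. "/orders?jwt=...&page=2".
    Call this only after the gateway has already verified the token.
    """
    forwarded = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == TOKEN_HEADER:
            continue  # drop the credential header entirely
        if lname == "cookie":
            # Keep unrelated cookies, drop only the token cookie.
            kept = [c.strip() for c in value.split(";")
                    if c.strip() and c.strip().split("=", 1)[0] != TOKEN_COOKIE]
            if not kept:
                continue  # the token was the only cookie
            value = "; ".join(kept)
        forwarded[name] = value

    # Remove the token argument but keep every other query argument.
    parts = urlsplit(target)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_QUERY]
    target = urlunsplit(parts._replace(query=urlencode(query)))
    return forwarded, target


# Constructed sample request carrying the same placeholder token three ways.
SAMPLE_HEADERS = {
    "Host": "api.example.test",
    "Authorization": "Bearer aaa.bbb.ccc",
    "Cookie": "theme=dark; jwt=aaa.bbb.ccc",
}
SAMPLE_TARGET = "/orders?jwt=aaa.bbb.ccc&page=2"

if __name__ == "__main__":
    print(hide_jwt_credentials(SAMPLE_HEADERS, SAMPLE_TARGET))
```
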


[GitHub] [apisix] pixeldin commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

Posted by GitBox <gi...@apache.org>.
pixeldin commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1285042054

   Ok, I am trying to cover it.




[GitHub] [apisix] starsz commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1283577415

   @pixeldin Do you want to try this?




[GitHub] [apisix] opencmit1 commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

Posted by GitBox <gi...@apache.org>.
opencmit1 commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1294364212

   Relevant content can be viewed
   https://segmentfault.com/a/1190000041741551




[GitHub] [apisix] starsz commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1289880472

   > APISIX 2.13.0 and all previous versions
   
   Hi, @opencmit1. What I mean is that Apache APISIX will take the credentials to upstream.
   Do you mean that APISIX will return the sensitive information to the client?
   




[GitHub] [apisix] opencmit1 commented on issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

Posted by GitBox <gi...@apache.org>.
opencmit1 commented on issue #8122:
URL: https://github.com/apache/apisix/issues/8122#issuecomment-1284815384

   What is the current version?
   APISIX 2.13.0 and all previous versions, the jwt-auth plug-in has the security problem of disclosing the user's secret key, because the error information returned from the dependency library lua-resty-jwt contains sensitive information.




[GitHub] [apisix] spacewander closed issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #8122: feat: As a user, I want to hide credentials for jwt-auth plugin, so that we wouldn't get jwt token at upstream
URL: https://github.com/apache/apisix/issues/8122

