7 changes: 3 additions & 4 deletions apisix/plugins/jwt-auth.lua
Expand Up @@ -17,11 +17,9 @@
local core = require("apisix.core")
local jwt = require("resty.jwt")
local consumer_mod = require("apisix.consumer")
local resty_random = require("resty.random")
local new_tab = require ("table.new")
local auth_utils = require("apisix.utils.auth")

local ngx_encode_base64 = ngx.encode_base64
local ngx_decode_base64 = ngx.decode_base64
local ngx = ngx
local sub_str = string.sub
Expand Down Expand Up @@ -144,8 +142,9 @@ function _M.check_schema(conf, schema_type)
return false, err
end

if conf.algorithm ~= "RS256" and conf.algorithm ~= "ES256" and not conf.secret then
conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
if (conf.algorithm == "HS256" or conf.algorithm == "HS512") and not conf.secret then
err = "property \"secret\" is required when \"algorithm\" is \"HS256\" or \"HS512\""
return false, err
elseif conf.base64_secret then
if ngx_decode_base64(conf.secret) == nil then
return false, "base64_secret required but the secret is not in base64 format"
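Review bot: The new check at `if (conf.algorithm == "HS256" or conf.algorithm == "HS512") and not conf.secret then` only requires that a secret exist; now that the 32-byte `resty_random.bytes(32, true)` default is gone, a trivially short HMAC key such as the `"my-secret-key"` used in the tests is accepted, and RFC 7518 §3.2 requires an HMAC key at least as long as the hash output (32 bytes for HS256, 64 for HS512). A minimum-length check next to the presence check would preserve the strength the removed default guaranteed, e.g. `elseif #conf.secret < 32 then return false, "property \"secret\" must be at least 32 bytes when \"algorithm\" is \"HS256\" or \"HS512\""` (measured on the decoded value when `base64_secret` is set). If `secret` may hold a `$secret://` reference that is resolved later, as the docs table suggests, that length check belongs after resolution rather than in `check_schema`. Minor style point: `err = "property ..."` followed by `return false, err` can be collapsed to `return false, "property ..."`, matching the `elseif conf.base64_secret` branch directly below. `check_schema` begins and ends outside this hunk.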
2 changes: 1 addition & 1 deletion docs/en/latest/plugins/jwt-auth.md
Expand Up @@ -47,7 +47,7 @@ For Consumer/Credential:
| Name | Type | Required | Default | Valid values | Description |
|---------------|---------|-------------------------------------------------------|---------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| key | string | True | | non-empty | Unique key for a Consumer. |
| secret | string | False | | non-empty | Shared key used to sign and verify the JWT when the algorithm is symmetric. Required when using `HS256` or `HS512` as the algorithm. If unspecified, the secret will be auto-generated. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
| secret | string | False | | non-empty | Shared key used to sign and verify the JWT when the algorithm is symmetric. Required when using `HS256` or `HS512` as the algorithm. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
| public_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA public key. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
| algorithm | string | False | HS256 | ["HS256","HS512","RS256","ES256"] | Encryption algorithm. |
| exp | integer | False | 86400 | [1,...] | Expiry time of the token in seconds. |
2 changes: 1 addition & 1 deletion docs/zh/latest/plugins/jwt-auth.md
Expand Up @@ -43,7 +43,7 @@ Consumer/Credential 端:
| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| ------------- | ------- | ----- | ------- | --------------------------- | ------------------------------------------------------------------------------------------------------------ |
| key | string | 是 | | | 消费者的唯一密钥。 |
| secret | string | 否 | | | 当使用对称算法时,用于对 JWT 进行签名和验证的共享密钥。使用 `HS256` 或 `HS512` 作为算法时必填。如果未指定,后台将会自动生成。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
| secret | string | 否 | | | 当使用对称算法时,用于对 JWT 进行签名和验证的共享密钥。使用 `HS256` 或 `HS512` 作为算法时必填。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
| public_key | string | 否 | | | RSA 或 ECDSA 公钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
| algorithm | string | 否 | "HS256" | ["HS256","HS512","RS256","ES256"] | 加密算法。 |
| exp | integer | 否 | 86400 | [1,...] | token 的超时时间。 |
76 changes: 72 additions & 4 deletions t/plugin/jwt-auth.t
Expand Up @@ -39,7 +39,7 @@ __DATA__
content_by_lua_block {
local plugin = require("apisix.plugins.jwt-auth")
local core = require("apisix.core")
local conf = {key = "123"}
local conf = {key = "123", secret = "my-secret-key"}

local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER)
if not ok then
Expand All @@ -50,7 +50,7 @@ __DATA__
}
}
--- response_body_like eval
qr/{"algorithm":"HS256","base64_secret":false,"exp":86400,"key":"123","lifetime_grace_period":0,"secret":"[a-zA-Z0-9+\\\/]+={0,2}"}/
qr/{"algorithm":"HS256","base64_secret":false,"exp":86400,"key":"123","lifetime_grace_period":0,"secret":"my-secret-key"}/



Expand Down Expand Up @@ -835,7 +835,7 @@ passed
content_by_lua_block {
local plugin = require("apisix.plugins.jwt-auth")
local core = require("apisix.core")
local conf = {key = "123", algorithm = "HS512"}
local conf = {key = "123", algorithm = "HS512", secret = "my-secret-key"}

local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER)
if not ok then
Expand All @@ -846,7 +846,7 @@ passed
}
}
--- response_body_like eval
qr/{"algorithm":"HS512","base64_secret":false,"exp":86400,"key":"123","lifetime_grace_period":0,"secret":"[a-zA-Z0-9+\\\/]+={0,2}"}/
qr/{"algorithm":"HS512","base64_secret":false,"exp":86400,"key":"123","lifetime_grace_period":0,"secret":"my-secret-key"}/



Expand Down Expand Up @@ -1222,3 +1222,71 @@ hello world
--- error_code: 400
--- response_body
{"error_msg":"invalid plugins configuration: failed to check the configuration of plugin jwt-auth err: failed to validate dependent schema for \"algorithm\": value should match only one schema, but matches none"}



=== TEST 52: secret is required when algorithm is not RS256 or ES256
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local plugin = require("apisix.plugins.jwt-auth")
-- default algorithm is HS256
local ok, err = plugin.check_schema({
key = "123",
}, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
else
ngx.say("done")
end
Just a suggestion: using assert is enough.

assert(ok, "HS256 but secret is not required")

done


ok, err = plugin.check_schema({
key = "123",
algorithm = "HS256",
}, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
else
ngx.say("done")
end

ok, err = plugin.check_schema({
key = "123",
algorithm = "HS512",
}, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
else
ngx.say("done")
end

ok, err = plugin.check_schema({
key = "123",
algorithm = "RS256",
public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----"
}, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
else
ngx.say("done")
end

ok, err = plugin.check_schema({
key = "123",
algorithm = "ES256",
public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----"
}, core.schema.TYPE_CONSUMER)
if not ok then
ngx.say(err)
else
ngx.say("done")
end
}
}
--- response_body
property "secret" is required when "algorithm" is "HS256" or "HS512"
property "secret" is required when "algorithm" is "HS256" or "HS512"
property "secret" is required when "algorithm" is "HS256" or "HS512"
done
done
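Review bot: In TEST 52 the `algorithm = "ES256"` case passes the same `public_key` PEM as the `RS256` case, and that PEM appears to be an RSA SubjectPublicKeyInfo (the `MFwwDQYJKoZIhvcNAQEBBQAD` prefix encodes the rsaEncryption OID), so the `done` it produces only shows that `check_schema` does not compare key type with algorithm. Should schema validation ever start checking key type, this case would fail for a reason unrelated to the secret requirement; giving the ES256 case a genuine P-256 public key keeps the assertion meaningful. The test title `secret is required when algorithm is not RS256 or ES256` also describes the condition by exclusion while the code and error text name HS256/HS512 explicitly; renaming it to `secret is required when algorithm is HS256 or HS512` makes it match what is exercised. TEST 52 lies entirely within the hunk, but the two earlier modified tests (around old lines 39 and 835) are only partly visible here.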
3 changes: 2 additions & 1 deletion t/plugin/public-api.t
Expand Up @@ -66,7 +66,8 @@ property "uri" validation failed: wrong type: expected string, got number
"plugins": {
"jwt-auth": {
"key": "user-key",
"algorithm": "HS256"
"algorithm": "HS256",
"secret": "my-secret-key"
}
}
}]]