Skip to main content

HTTP Headers

Pass JWT Token Claims in HTTP Request Headers​

Auto-Defined Headers​

To pass JWT token claims in auto-generated HTTP headers to downstream plugins, use the following Caddyfile directive:

{
  security {
    authorization policy mypolicy {
      inject headers with claims
    }
  }
}

The downstream plugins would get the following X-Token- headers:

    "X-Token-Subject": "webadmin"
    "X-Token-User-Name": "Web Administrator"
    "X-Token-User-Email": "webadmin@localdomain.local"
    "X-Token-User-Roles": "superadmin guest anonymous"

Custom Headers​

The syntax for adding a custom header follows:

inject header <header_name> from <field_name>

For example, add the injection of X-Picture header with the value from picture field of JWT token:

{
  security {
    authorization policy mypolicy {
      inject headers with claims
      inject header "X-Picture" from picture
    }
  }
}

After the addition, we could see the X-Picture header, as well as the other headers injected by inject headers with claims:

{
  "X-Picture": "https://avatars.githubusercontent.com/u/3826416?v=4",
  "X-Token-Subject": "github.com/greenpau",
  "X-Token-User-Name": "Paul Greenberg",
  "X-Token-User-Roles": "authp/guest"
}

Nested Data Source​

Additionally, one could inject data from a nested data structure.

The partical list of token claims follows:

{
  "userinfo": {
    "custom_groups": [
      "authp/admin",
      "authp/user"
    ],
    "name": "Paul Greenberg",
    "zoneinfo": "America/Los_Angeles"
  }
}

Apply the following configuration snippet:

{
  security {
    authorization policy mypolicy {
      inject header "X-User-Custom-Groups" from "userinfo|custom_groups"
      inject header "X-User-Timezone" from "userinfo|zoneinfo"
      inject header "X-User-Name" from "userinfo|name"
    }
  }
}

Based on the above configuration, the plugin sends the following headers:

    "X-User-Custom-Groups": "authp/admin, authp/user",
    "X-User-Name": "Paul Greenberg",
    "X-User-Timezone": "America/Los_Angeles"

Strip JWT Token from HTTP Request​

The following directive instructs the plugin to remove the found token from a request.

{
  security {
    authorization policy mypolicy {
      enable strip token
    }
  }
}

Note: Currently, this feature works with cookies only. It will not strip a token from an authorization header.