Make JWT location configurable and certificate by URL (Plugin: Simple JWT Login - Login and Register to WordPress using JWT)

  • Resolved andrewheberle

    (@andrewheberle)


    I wonder if it's possible to have the location for the JWT configurable (keeping the existing defaults so as not to break existing installs of course), so the JWT can be found by your code from a different cookie name or a different header?

    We are using Cloudflare Access to secure a number of web applications, but this service places the JWT in a header called “Cf-Access-Jwt-Assertion” and the cookie “CF_Authorization”.

    It would be great to be able to configure Simple JWT Login to look in one of these locations for the JWT.

    Next, is it possible to have the certificate used to validate the JWT come from a URL rather than being hard coded?

    Many providers (Cloudflare included) expose their keys as JSON web key sets (JWKS) from a URL that can be retrieved and used to verify the JWT. This means that a key rotation by the authentication provider does not affect verification of issued JWTs.

    It might not be efficient to retrieve the key sets every time so maybe this can be cached for some time?
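
The JWKS lookup and caching asked about in the post above, as an added example that is not part of the thread and not Simple JWT Login's code: a key cache that reads the token's `kid`, refetches the key set on expiry or on an unknown `kid` (key rotation), and rate-limits those forced fetches. `JwksCache`, `$fetch` and the TTL values are assumptions; the class only selects the trusted key, and verifying the signature with it is left to the JWT library.

```php
<?php
// Added example (PHP 8). JwksCache and $fetch are hypothetical names; $fetch stands
// in for an HTTPS GET of the provider's JWKS URL and returns the decoded JSON.
final class JwksCache
{
    private array $keys = [];    // kid => JWK
    private int $fetchedAt = 0;  // time of the last successful fetch
    // $ttl: normal cache lifetime; $minRefresh: floor between fetches forced by unknown kids.
    public function __construct(private \Closure $fetch, private int $ttl = 3600, private int $minRefresh = 60) {}

    public function keyFor(string $jwt, int $now): array
    {
        $parts = explode('.', $jwt);
        $header = count($parts) === 3
            ? json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true) : null;
        // Pin the algorithm: the token must not be able to select "none" or an HMAC alg.
        if (!is_array($header) || ($header['alg'] ?? '') !== 'RS256' || !is_string($header['kid'] ?? null)) {
            throw new UnexpectedValueException('unsupported JWT header');
        }
        $kid = $header['kid'];
        $age = $now - $this->fetchedAt;
        // An unknown kid usually means rotation; throttle so forged kids cannot force fetches.
        if ($age >= $this->ttl || (!isset($this->keys[$kid]) && $age >= $this->minRefresh)) {
            $this->refresh($now);
        }
        return $this->keys[$kid] ?? throw new UnexpectedValueException('no trusted key for kid');
    }

    private function refresh(int $now): void
    {
        $keys = array_column(array_filter(($this->fetch)()['keys'] ?? [],
            fn($k) => ($k['kty'] ?? '') === 'RSA' && isset($k['kid'], $k['n'], $k['e'])), null, 'kid');
        if ($keys === []) {
            throw new RuntimeException('JWKS response had no usable keys');  // old keys stay cached
        }
        $this->keys = $keys;
        $this->fetchedAt = $now;
    }
}

// Constructed demo (unsigned sample tokens): the provider rotates key-1 to key-2.
$served = ['keys' => [['kty' => 'RSA', 'kid' => 'key-1', 'n' => 'AQAB', 'e' => 'AQAB']]];
$calls = 0;
$cache = new JwksCache(function () use (&$served, &$calls) { $calls++; return $served; });
$jwt = fn(string $kid) => rtrim(strtr(base64_encode(
    json_encode(['alg' => 'RS256', 'kid' => $kid])), '+/', '-_'), '=') . '.e30.sig';
$cache->keyFor($jwt('key-1'), 1000);  // first use fetches
$cache->keyFor($jwt('key-1'), 1500);  // served from cache
$served['keys'][0]['kid'] = 'key-2';
echo $cache->keyFor($jwt('key-2'), 2000)['kid'], " after $calls fetch(es)\n";
```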

  • Plugin Author nicu_m

    (@nicu_m)

    Hello @andrewheberle,

    I have on my todo list the possibility to change the Header/Cookie parameter value and I will come with updates in a couple of days.

    For the part where JWT is retrieved from a URL, this might be a little more complicated. I will need extra information about how the call should be made (I will need to allow users to specify the URL, the method, the headers, the parameters, etc.). This feature may take longer to implement (a couple of weeks).

    But, long story short, I will come back with updates and keep you posted.

    Best regards,
    Nicu.

    Thread Starter andrewheberle

    (@andrewheberle)

    That’s great news that this is on your roadmap.

    For our purposes the option to configure header/cookie location is all that is needed.

    Thanks again.

    Thread Starter andrewheberle

    (@andrewheberle)

    Just to add some more info for the second part of my request (getting the keys via a URL), this seems to be some sort of standard that various vendors use.

    Some documentation is here:

    https://auth0.com/docs/tokens/json-web-tokens/json-web-key-sets

    An example in PHP is here (although I think you are using a different library for this plugin):

    https://auth0.com/docs/libraries/auth0-php/validating-jwts-with-auth0-php

    Plugin Author nicu_m

    (@nicu_m)

    Hello @andrewheberle,

    I’ve just released the first part of your request, where you can change the keys for the JWT parameter (from Request, session, cookie).

    Just go in the “General” tab from plugin settings, and choose the name that you want for your header.

    Please have a look and let me know if this fits your needs.

    PS: Please don’t forget to rate this plugin and spread the word about it.

    Best regards,
    Nicu.
