help request: proxy-rewrite fails to set headers from jwt-auth context variables despite correct configuration

[Slade66]

Description

Consumer Configuration:

curl -X PUT "http://10.30.60.116:9180/apisix/admin/consumers" \
  -H "X-API-KEY: your_admin_key" \
  -d '{
    "username": "shared-app",
    "plugins": {
      "jwt-auth": {
        "key": "shared-app-key",
        "secret": "a-string-secret-at-least-256-bit"
      }
    }
  }'

Route Configuration:

curl -X PUT "http://10.30.60.116:9180/apisix/admin/routes/user-service-route" \
  -H "X-API-KEY: your_admin_key" \
  -d '{
    "uri": "/user/*",
    "plugins": {
      "jwt-auth": {
        "store_in_ctx": true
      },
      "proxy-rewrite": {
        "uri": "/headers",
        "headers": {
          "set": {
            "X-User-ID": "$ctx_jwt_auth_payload_sub",
            "X-Username": "$ctx_jwt_auth_payload_username"
          },
          "remove": [
            "Authorization"
          ]
        }
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {
        "httpbin.org:443": 1
      },
      "scheme": "https"
    }
  }'

JWT Payload:

{
  "key": "shared-app-key",
  "username": "lyz",
  "iss": "user-service",
  "sub": "41062bf0-ba38-4993-aa11-edb7cee1ac5c",
  "aud": [ "api-gateway" ],
  "exp": 1760082649,
  "iat": 1759996249,
  "jti": "1e010168-2d9b-44be-b9c5-52934e778383"
}

Request Command:

curl "http://10.30.60.116:9080/user/profile" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJzaGFyZWQtYXBwLWtleSIsInVzZXJuYW1lIjoibHl6IiwiaXNzIjoidXNlci1zZXJ2aWNlIiwic3ViIjoiNDEwNjJiZjAtYmEzOC00OTkzLWFhMTEtZWRiN2NlZTFhYzVjIiwiYXVkIjpbImFwaS1nYXRld2F5Il0sImV4cCI6MTc2MDA4MjY0OSwiaWF0IjoxNzU5OTk2MjQ5LCJqdGkiOiIxZTAxMDE2OC0yZDliLTQ0YmUtYjljNS01MjkzNGU3NzgzODMifQ.rO9XoxbenNHjv23i2T6UvSvTMy9OUtuQvxWw40Vcias"

My Expectation:
After processing the request, APISIX should forward a modified request to the upstream. The response from httpbin.org should show that:

1. The X-User-ID header is present with the value of the sub claim.
2. The X-Username header is present with the value of the username claim.
3. The original Authorization header has been removed.

{
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/8.5.0",
    "X-Amzn-Trace-Id": "...",
    "X-Consumer-Username": "shared-app",
    "X-Forwarded-Host": "10.30.60.116",
    "X-User-ID": "41062bf0-ba38-4993-aa11-edb7cee1ac5c",
    "X-Username": "lyz"
  }
}

Actual Result:
no expect header.

{
  "headers": {
    "Accept": "*/*",
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "Host": "10.30.60.116",
    "User-Agent": "curl/8.5.0",
    "X-Amzn-Trace-Id": "Root=1-68e77893-36d0062d14cbafee30970631",
    "X-Consumer-Username": "shared-app-key",
    "X-Forwarded-Host": "10.30.60.116"
  }
}

Environment

• APISIX version (run apisix version): 3.13.0
• Operating system (run uname -a): Linux fdb825996d73 4.19.90-52.22.v2207.ky10.x86_64 change: added doc of how to load plugin. #1 SMP Tue Mar 14 12:19:10 CST 2023 x86_64 GNU/Linux
• OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.27.1.2

[hanqingwu]

Can you provide some about apisix log ?

[Baoyuantop]

Hi @Slade66, the store_in_ctx configuration merely stores JWT-related information in the context, it does not register them as variables. Therefore, they cannot be used directly in this manner. You can use custom code to read these variables from the context and set them in the request headers.

[Slade66]

Hello @Baoyuantop @hanqingwu, thank you for your responses.

I’ve resolved the issue. The store_in_ctx configuration of jwt-auth stores the JWT payload in memory. I then used the following configuration:

"plugins": {
  "jwt-auth": {
    "store_in_ctx": true
  },
  "serverless-post-function": {
    "phase": "rewrite",
    "functions": [
      "return function(conf, ctx) local p = ctx.jwt_auth_payload; if not p then return end; if p.username then ngx.req.set_header('X-User-Name', tostring(p.username)) end; if p.sub then ngx.req.set_header('X-User-Sub', tostring(p.sub)) end; end"
    ]
  }
}

This solved the problem. By using the serverless plugin with a Lua script, I can extract claims from the JWT instead of using the proxy-rewrite plugin.

If you want to extract JWT claims and pass them to your backend service, you can use jwt-auth together with the serverless plugin.