With improvements for the JWT middleware, native support for canary deployments in Consul and Nomad, and more!
As we are getting ready to wrap up the year, we have one more Traefik Enterprise announcement to make, so please welcome Traefik Enterprise 2.9!
This release is focused primarily on improving the JWT middleware and integrating the recent improvements and new features introduced earlier in Traefik Proxy 2.9.
Let’s jump in.
Improving the JWT middleware
JSON Web Token (JWT) is a well-known solution to secure your infrastructure access at a glance. Many companies use JWT to secure API exposure. Behind the scenes, JWTs consist of three elements:
- Header: Consists of the type of token (JTW) and the signing algorithm.
- Payload: Contains statements (claims) about the user, as well as additional data. Claims can be registered, public, or private.
- Signature: The signature is used to verify that the contents of the message have not been altered along the way and it is created by signing the encoded header, the encoded payload, a secret, and the algorithm specified in the header. In case a private key has been used, the signature can also verify that the sender of the JSON Web Token is who they say they are.
When an HTTP request reaches a server that requires a JWT authentication, the server already knows the secret key — as it is part of the server configuration — and uses it to re-generate the Signature based on the JWT Header and its Payload. If the signature generated by the server is the same as the JWT signature, the token is valid.
JWT and Traefik Enterprise
authSources: jwtSource: jwt: signingSecret: super-secret
Once your Authentication Source is added to Traefik Enterprise, all you need to do is create your middleware — you can secure your routes by referring to this middleware.
apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: test-jwtAuth spec: plugin: jwtAuth: source: jwtSource forwardHeaders: # Allow you to forward claims information as headers Group: grp Expires-At: exp
But many of them are also using the claims set into the token to add an authorization layer. Indeed, the Traefik Enterprise JWT middleware offers the ability to evaluate your claims content before reaching your application. You can check, for instance, if the token owner has a username, and if they belong to an authorized group:
apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: test-jwtAuth spec: plugin: jwtAuth: source: jwtSource claims: !Equals(`username`, ``) && OneOf(`group`, `admin`, `developer`) # Block JWT tokens with empty username or unauthorized groups
Adding support for JWTs as form data
Applications commonly expect the JSON Web Token to be provided through the authorization header, but in some cases, it is provided using a query parameter or via the form data. Previous versions of Traefik Enterprise supported providing JWTs via headers and query parameters. With Traefik Enterprise v2.9, you can now provide your JWT using form data as well.
Consider the following scenario: a user needs to download a secured file from their browser. To do that, you can trigger a simple form submit, but you still need to authenticate the requests. However, using the form submit, you would not be able to include the JWT token as a header in the request.
To mitigate that, with Traefik Enterprise 2.9, we are deprecating
tokenQueryKey and adding
tokenKey that will allow you to include the JWT as a form parameter.
apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: test-jwtAuth spec: plugin: jwtAuth: source: jwtSource tokenKey: jwtkey # If the Authorization header is missing, Traefik Enterprise looks for the key jwtkey and checks its content
Adding support for PS256, PS384, and PS512 signature algorithms
There is a great number of algorithms available to encrypt a JWT key. With Traefik Enterprise 2.9, we are adding support for the
PS512 signing algorithms.
Adding native support for canary deployments in Consul and Nomad
If you need to distinguish between a canary instance of a service or a production one, with Traefik Enterprise 2.9, it is now possible to tag a service as canary. Using the `canary_tags` field in the Nomad service stanza, Traefik Enterprise identifies that the associated instance is a canary one and a separate service is created internally, so they aren’t mixed in the same load balancer.
Introducing a new observability metric for the request size
Whether you’re a system admin monitoring production environments, or a SaaS platform admin working with APIs, being able to measure the amount of data passing through a proxy instance is often a must-have feature.
In Traefik Enterprise 2.9, we introduce an easy way to track usage with a new metric that contains the total request size — in bytes handled by requests and responses — and is available in the entrypoint, as well as in the router and service levels.
For more information on this feature, check out the official documentation.
… And more!
This release also brings a long list of minor improvements and additions originally introduced in Traefik Proxy 2.9. If you want to learn more, check out the release notes.
If you haven’t yet seen Traefik Enterprise in action, feel free to book a demo and discover everything Traefik Enterprise has to offer for your production environments.