feat: add token prefix setting.

Author: vuongxuongminh

README.md

@@ -61,6 +61,7 @@ security:
             origin_token_headers: [authorization] #Required at least once of `origin_token_headers`, `origin_token_query_params` or `base64_headers`. Use this option when your Istio JWTRule CRD using `forwardOriginalToken`.
             origin_token_query_params: [token] #Use this option when your Istio JWTRule CRD using `forwardOriginalToken` and your JWT token in query param.
             base64_headers: [x-istio-jwt-payload] # Use this option when your Istio JWTRule CRD using `outputPayloadToHeader`.
+            prefix: "Bearer " #Token prefix of origin token passthrough by default blank ("") if not set.
 ```
 
 In case your application have multi issuers:
@@ -73,6 +74,7 @@ In case your application have multi issuers:
         rules:
           - issuer: issuer_1
             origin_token_headers: [authorization]
+            prefix: "Bearer "
           - issuer: issuer_2
             user_identifier_claim: aud
             base64_headers: [x-istio-jwt-payload]
@@ -92,7 +94,7 @@ origin_token=$(echo "header.$base64_payload.signature");
 
 #You can test authenticate origin token with curl:
 
-curl -H "Authorization: $origin_token" http://localhost/
+curl -H "Authorization: Bearer $origin_token" http://localhost/
 
 #Or authenticate base64 payload header:
 

composer.json

@@ -15,7 +15,7 @@
   "minimum-stability": "stable",
   "require": {
     "php": ">=8.0",
-    "php-istio/jwt-payload-extractor": "^1.0",
+    "php-istio/jwt-payload-extractor": "^v1.1.1",
     "symfony/psr7-pack": "^1.0",
     "symfony/security-bundle": "^5.3"
   },

src/DependencyInjection/Security/AuthenticatorFactory.php

@@ -95,6 +95,9 @@ public function addConfiguration(NodeDefinition $builder)
                                     ->cannotBeEmpty()
                                 ->end()
                             ->end()
+                            ->scalarNode('prefix')
+                                ->defaultNull()
+                            ->end()
                         ->end()
                     ->end()
                 ->end()
@@ -119,7 +122,8 @@ private function createUserIdentifierClaimMappings(
                     sprintf('%s.origin_token_headers.%s', $extractorIdPrefix, $key),
                     'istio.jwt_authentication.payload_extractor.origin_token.header',
                     $rule['issuer'],
-                    $rule['origin_token_headers']
+                    $rule['origin_token_headers'],
+                    $rule['prefix']
                 );
             }
 
@@ -129,7 +133,8 @@ private function createUserIdentifierClaimMappings(
                     sprintf('%s.origin_token_query_params.%s', $extractorIdPrefix, $key),
                     'istio.jwt_authentication.payload_extractor.origin_token.query_param',
                     $rule['issuer'],
-                    $rule['origin_token_query_params']
+                    $rule['origin_token_query_params'],
+                    $rule['prefix']
                 );
             }
 
@@ -163,7 +168,8 @@ private function createPayloadExtractor(
         string $id,
         string $fromAbstractId,
         string $issuer,
-        array $items
+        array $items,
+        ?string $prefix = null
     ): Reference {
         $definition = new ChildDefinition('istio.jwt_authentication.payload_extractor.composite');
         $container->setDefinition($id, $definition);
@@ -176,6 +182,11 @@ private function createPayloadExtractor(
             $subDefinition = new ChildDefinition($fromAbstractId);
             $subDefinition->replaceArgument(0, $issuer);
             $subDefinition->replaceArgument(1, $item);
+
+            if (null !== $prefix) {
+                $subDefinition->replaceArgument(2, $prefix);
+            }
+
             $container->setDefinition($subId, $subDefinition);
         }
 

src/Resources/config/payload_extractor.php

@@ -26,12 +26,14 @@
         ->factory([ExtractorFactory::class, 'fromOriginTokenHeader'])
             ->arg(0, abstract_arg('issuer'))
             ->arg(1, abstract_arg('header name'))
+            ->arg(2, '') // token prefix
 
         ->set('istio.jwt_authentication.payload_extractor.origin_token.query_param', OriginTokenExtractor::class)
         ->abstract()
         ->factory([ExtractorFactory::class, 'fromOriginTokenQueryParam'])
             ->arg(0, abstract_arg('issuer'))
             ->arg(1, abstract_arg('param name'))
+            ->arg(2, '') // token prefix
 
         ->set('istio.jwt_authentication.payload_extractor.base64_header', Base64HeaderExtractor::class)
         ->abstract()

tests/Fixtures/TokenTrait.php

@@ -18,7 +18,7 @@ private function getOriginToken(
         mixed $userIdentifier = 'valid'
     ): string {
         return sprintf(
-            'header.%s.signature',
+            'Bearer header.%s.signature',
             $this->getBase64Payload($issuer, $userIdentifierClaim, $userIdentifier)
         );
     }

tests/TestKernel.php

@@ -91,6 +91,7 @@ function (ContainerBuilder $container) {
                                             'issuer' => 'issuer_2',
                                             'user_identifier_claim' => 'id_2',
                                             'origin_token_headers' => ['authorization'],
+                                            'prefix' => 'Bearer ',
                                         ],
                                     ],
                                 ],

tests/Unit/Authenticator/AuthenticatorTest.php

@@ -223,11 +223,11 @@ private function getUserIdentifierClaimMappings(): array
         return [
             new UserIdentifierClaimMapping(
                 'id_1',
-                ExtractorFactory::fromOriginTokenHeader('issuer_1', 'authorization')
+                ExtractorFactory::fromOriginTokenHeader('issuer_1', 'authorization', 'Bearer ')
             ),
             new UserIdentifierClaimMapping(
                 'id_2',
-                ExtractorFactory::fromOriginTokenQueryParam('issuer_2', 'token')
+                ExtractorFactory::fromOriginTokenQueryParam('issuer_2', 'token', '')
             ),
             new UserIdentifierClaimMapping(
                 'id_3',

tests/Unit/DepdendencyInjection/Security/AuthenticatorFactoryTest.php

@@ -68,8 +68,8 @@ public function testCreateAuthenticator()
     {
         $config = [
             'rules' => [
-                ['issuer' => 'test', 'origin_token_headers' => ['authorization'], 'user_identifier_claim' => 'sub'],
-                ['issuer' => 'test2', 'origin_token_query_params' => ['token'], 'user_identifier_claim' => 'sub'],
+                ['issuer' => 'test', 'origin_token_headers' => ['authorization'], 'user_identifier_claim' => 'sub', 'prefix' => 'test'],
+                ['issuer' => 'test2', 'origin_token_query_params' => ['token'], 'user_identifier_claim' => 'sub', 'prefix' => null],
             ],
         ];
 
@@ -86,7 +86,7 @@ public function testCreateAuthenticator()
     public function testThrowExceptionWhenCreateAuthenticatorWithNoneExtractor()
     {
         $this->expectException(InvalidConfigurationException::class);
-        $this->executeCreate(['rules' => ['issuer' => 'test']]);
+        $this->executeCreate(['rules' => ['issuer' => 'test', 'prefix' => null]]);
     }
 
     private function executeCreate(array $config)
@@ -114,6 +114,7 @@ public function validConfigurations(): array
                             'origin_token_headers' => [],
                             'origin_token_query_params' => [],
                             'base64_headers' => [],
+                            'prefix' => null,
                         ],
                     ],
                 ],
@@ -124,6 +125,7 @@ public function validConfigurations(): array
                         [
                             'issuer' => 'example',
                             'user_identifier_claim' => 'id',
+                            'prefix' => 'Bearer ',
                             'origin_token_headers' => ['authorization'],
                             'origin_token_query_params' => ['token'],
                             'base64_headers' => ['x-istio-jwt-payload'],
@@ -135,6 +137,7 @@ public function validConfigurations(): array
                         [
                             'issuer' => 'example',
                             'user_identifier_claim' => 'id',
+                            'prefix' => 'Bearer ',
                             'origin_token_headers' => ['authorization'],
                             'origin_token_query_params' => ['token'],
                             'base64_headers' => ['x-istio-jwt-payload'],
@@ -148,6 +151,7 @@ public function validConfigurations(): array
                         [
                             'issuer' => 'example',
                             'user_identifier_claim' => 'id',
+                            'prefix' => null,
                             'origin_token_header' => ['authorization'],
                             'origin_token_query_param' => ['token'],
                             'base64_header' => ['x-istio-jwt-payload'],
@@ -159,6 +163,7 @@ public function validConfigurations(): array
                         [
                             'issuer' => 'example',
                             'user_identifier_claim' => 'id',
+                            'prefix' => null,
                             'origin_token_headers' => ['authorization'],
                             'origin_token_query_params' => ['token'],
                             'base64_headers' => ['x-istio-jwt-payload'],