A LUA plugin for verifying sender constrained tokens in the reverse proxy.
Sender-constrained tokens are tokens that are bound to a certain client. These tokens cannot - in contrary to ordinary Bearer tokens - be used by a malicious client to access protected resources.
In financial-grade systems, APIs are secured by Mutual TLS, and Certificate Bound Access Tokens are used.
The client certificate used in API requests must then match that used at the time of authentication.
Demonstrating Proof-of-Possession (DPoP) or OAuth 2.0 Token Binding are other mechanism for sender constraining tokens though not supported by this plugin.
This plugin makes the above token binding checks in an NGINX based reverse proxy.
See the following article for further details on how this plugin is used:
type
: Specify which type of constraint the token has. Currently, the only supported value is certificate-bound
.
The following configuration at the reverse proxy will load and execute the plugin:
local tokenConfig = {
type = 'certificate-bound'
}
local senderConstrainedTokenPlugin = require 'sender-constrained-token-plugin'
senderConstrainedTokenPlugin.execute(tokenConfig)
Please visit curity.io for more information about the Curity Identity Server.