Skip to main content

Plugin - Token reminting

This plugin allows to remint a token in an arbitrary format into another token in an arbitrary format.

UserYour systemLoad balancerToken reminting endpointDestination endpointGateOriginal tokenHTTP request headers/cookiesto overrideHTTP requestHTTP requestHTTP request withoverridden headers/cookies

Configuring Gate

GATE_PLUGINS_<PLUGIN NUMBER>_TYPE=token-reminting
GATE_PLUGINS_<PLUGIN NUMBER>_PARAMETERS_HEADER_WITH_TOKEN=<Header with token>
GATE_PLUGINS_<PLUGIN NUMBER>_PARAMETERS_COOKIE_WITH_TOKEN=<Cookie with token>
GATE_PLUGINS_<PLUGIN NUMBER>_PARAMETERS_REMINT_TOKEN_ENDPOINT=<Token reminting endpoint>
GATE_PLUGINS_<PLUGIN NUMBER>_PARAMETERS_REMINT_KEEP_OLD_TOKEN=<Keep original token?>

In Environment variables configuration, <PLUGIN NUMBER> defined plugin execution order.

where:

  • <Header with token> is the header sent to the token reminting endpoint. This option and cookie_with_token are mutually exclusive.
  • <Cookie with token> is the cookie sent to the token reminting endpoint. This option and header_with_token are mutually exclusive.
  • <Token reminting endpoint> URL of the endpoint given a token returns the reminted token.
  • <Keep original token?> If true, keep the original token in the request, otherwise remove it before forwarding it. False by default.

If neither <Header with token> nor <Cookie with token> are set, the plugin attempts to get a bearer token from the Authorization header, and strips the Bearer prefix from it.

To learn more about configuring Gate, please visit configuration page and plugins section.

info

Order of plugins in configuration determines their execution order.

Disabling plugin for specific URLs

You can enable or disable this plugin for specific URLs by using the enabled option in the URLs configuration.

GATE_URLS_0_PATTERN=svc-example.com/*
GATE_URLS_0_TARGET=http://example:8080

GATE_URLS_1_PATTERN=svc-another-example.com/
GATE_URLS_1_TARGET=https://another-example:8080

Token reminting endpoint

Gate needs to know how to map the token received to a different token of arbitrary format. To do that, you need to implement a token reminting endpoint. Gate sends a POST request to the endpoint with the following format:

{
  "token": "Token from the original request"
}

Your token reminting endpoint should return the headers and/or cookies containing the reminted token.

The following example is a valid response sent from a token reminting endpoint:

{
  "headers_to_set": {
    "Authorization": "Basic YWxhZGRpbjpvcGVuc2VzYW1l",
    "IsTranslated": "true"
  },
  "cookies_to_add": {
    "X-Internal-Auth": "9xUromfTraIwHpmC6R9NDwJwItE"
  }
}

Gate will override the original request headers with the headers returned from headers_to_set, and will add all cookies from cookies_to_add to the ones already present in the request.

note

By default Gate will strip the original token from the request before forwarding. You can instruct Gate to keep the original token by setting the keep_old_token option to true.

note

The plugin lets the incoming request through unmodified if it contains no token.