You can't expect the request-transformer plugin to magically✨ retrieve the JWT claims and store them in a header, that's just not what it does :)
Facts
According to the documentation page, you can use templates but:
- the syntax is $(), not {{}};
- there's nothing documented that handles JWTs.
Possible Solutions
- custom plugins
- maybe using request-transformer advanced templates and functions
Solution: custom plugins
Disclaimer: I have not tested this code, since I'm not home right now :) I'm going to do so as soon as possible.
Create a custom plugin that retrieves the JWT (e.g. from the request context) and stores the claim as a header:
File handler.lua:
```lua
local jwt_decoder = require("kong.plugins.jwt.jwt_parser")
local set_header = kong.service.request.set_header

local CustomHandler = {
  VERSION = "1.0.0",
  PRIORITY = 10,
}

-- Other stuff

function CustomHandler:access(conf)
  -- Retrieve the token from the context
  local token = kong.ctx.shared.authenticated_jwt_token
  if not token then
    kong.log.warn("Token not found in context")
    return kong.response.exit(500, "TEST: Token not found in context")
  end

  -- jwt_decoder:new returns nil plus an error message when parsing fails
  local jwt, err = jwt_decoder:new(token)
  if not jwt then
    kong.log.warn("Could not parse JWT: ", err)
    return kong.response.exit(500, "TEST: Could not parse JWT")
  end

  local user_id = jwt.claims.sub
  if not user_id then
    kong.log.warn("'sub' claim not found in JWT")
    return kong.response.exit(500, "TEST: 'sub' claim not found in JWT")
  end

  -- set the header
  set_header("X-User-Id", user_id)
end

return CustomHandler
```
File schema.lua:
```lua
local typedefs = require "kong.db.schema.typedefs"

return {
  name = "jwt-sub-to-header",
  fields = {
    { config = {
        type = "record",
        fields = { },
      },
    },
  },
}
```
Then follow the custom plugin guide to install and use it.
Test: request-transformer functions
Example:
```bash
curl -X POST http://localhost:8001/services/{serviceName|Id}/plugins \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{"name": "request-transformer","config": {"add": {"headers": ["X-User-Id:$((function()
    -- Load JWT decoder from jwt plugin
    local jwt_decoder = require(\"kong.plugins.jwt.jwt_parser\")
    -- Retrieve the token from the context
    local token = kong.ctx.shared.authenticated_jwt_token
    if not token then
      -- Handle missing token in context
      return
    end
    local jwt = jwt_decoder:new(token)
    local user_id = jwt.claims.sub
    if not user_id then
      -- Handle missing sub claim in token
      return
    end
    return user_id
  end)() )" ] } }}'
```
This code should retrieve the token from the request context, parse it, and add the header X-User-Id:<sub> with <sub> being the claim value.
However, I tested this and it doesn't work due to the request transformer using a sandboxed environment to run the Lua code. Here's the error:
error:/usr/local/share/lua/5.1/kong/tools/sandbox.lua:88: require 'kong.plugins.jwt.jwt_parser' not allowed within sandbox
I didn't investigate further since the first solution should work just fine.
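A hardened variant of the handler.lua above, added here as an example and not part of the original answer: it clears any client-supplied X-User-Id before setting the value from the verified token, and rejects claims that are not plain strings. The 401 responses, the helper names `deny` and `claim_as_header_value`, and the control-character check are assumptions of this example.

```lua
-- handler.lua (added example; helper names and 401 responses are assumptions)
local jwt_decoder = require("kong.plugins.jwt.jwt_parser")

local HEADER = "X-User-Id"  -- header name used in the answer above
local CLAIM  = "sub"

-- Return the claim as a header-safe string, or nil plus a reason.
local function claim_as_header_value(claims, name)
  local value = type(claims) == "table" and claims[name] or nil
  if type(value) ~= "string" or value == "" then
    return nil, "claim '" .. name .. "' missing or not a string"
  end
  -- Reject control characters (CR, LF, ...) so the value stays one header line.
  if value:find("%c") then
    return nil, "claim '" .. name .. "' contains control characters"
  end
  return value
end

-- Log the reason locally, return a generic response to the client.
local function deny(reason)
  kong.log.warn(reason)
  return kong.response.exit(401, { message = "Unauthorized" })
end

local JwtSubToHeader = {
  VERSION = "1.0.0",
  -- Kong runs higher-priority plugins first, so with a low value
  -- the jwt plugin has already verified the token when this runs.
  PRIORITY = 10,
}

function JwtSubToHeader:access(conf)
  -- Drop any client-supplied copy first: the upstream must only ever
  -- see a value derived from a token the jwt plugin has verified.
  kong.service.request.clear_header(HEADER)

  local token = kong.ctx.shared.authenticated_jwt_token
  if not token then return deny("no verified JWT in request context") end

  local jwt, err = jwt_decoder:new(token)
  if not jwt then return deny("could not parse JWT: " .. tostring(err)) end

  local value, reason = claim_as_header_value(jwt.claims, CLAIM)
  if not value then return deny(reason) end

  kong.service.request.set_header(HEADER, value)
end

return JwtSubToHeader
```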