From 5b037a72efb5b89429c38baf1fc9c238f275e0c8 Mon Sep 17 00:00:00 2001
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:53:09 +0100
Subject: [PATCH 1/6] Update JWT plugin to accept shared secrets

Allow HS* shared secrets to be supplied directly via `keys`.
---
 jwt.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/jwt.go b/jwt.go
index 9282f62..2ee6ebd 100644
--- a/jwt.go
+++ b/jwt.go
@@ -282,7 +282,13 @@ func (jwtPlugin *JwtPlugin) ParseKeys(certificates []string) error {
 } else if u, err := url.ParseRequestURI(certificate); err == nil {
 jwtPlugin.jwkEndpoints = append(jwtPlugin.jwkEndpoints, u)
 } else {
- return fmt.Errorf("Invalid configuration, expecting a certificate, public key or JWK URL")
+ // Allow HS* shared secrets to be supplied directly via `keys`.
+ // (Also safe with other algs because verify funcs type-check.)
+ secretBytes, err := certificate
+ if err != nil {
+ return err
+ }
+ jwtPlugin.keys[strconv.Itoa(len(jwtPlugin.keys))] = secretBytes
 }
 }
 return nil

From 663cf70cb137d62dee7c7239512acfd8b260ab55 Mon Sep 17 00:00:00 2001
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com>
Date: Thu, 26 Feb 2026 12:00:51 +0100
Subject: [PATCH 2/6] Update .traefik.yml

---
 .traefik.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.traefik.yml b/.traefik.yml
index cf2ea1d..a7bf942 100644
--- a/.traefik.yml
+++ b/.traefik.yml
@@ -1,7 +1,7 @@
 displayName: JWT And OPA Access Management
 type: middleware
-import: github.com/traefik-plugins/traefik-jwt-plugin
+import: github.com/dberardo-com/traefik-jwt-plugin
 summary: Checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS.

From d3816e8477ddab91ea7db522657584a995740db3 Mon Sep 17 00:00:00 2001
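Review bot: In [PATCH 1/6], the new `else` branch in ParseKeys turns every `keys` entry that the earlier branches do not parse and `url.ParseRequestURI` rejects into an HMAC secret, so a malformed certificate, public key or URL is no longer a configuration error. Public key material that fails to parse because of a formatting slip would then be trusted as an HS* key even though it is not secret, and the same fallback remains after [PATCH 4/6]. I would keep `return fmt.Errorf("Invalid configuration, expecting a certificate, public key or JWK URL")` as the final branch and accept shared secrets only through an explicit marker, such as a separate configuration field. As committed, `secretBytes, err := certificate` assigns one string to two variables and does not compile until 4/6 replaces it. The function starts and ends outside the hunk, so what the earlier branches accept is inferred from the error message.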
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com>
Date: Thu, 26 Feb 2026 12:07:16 +0100
Subject: [PATCH 3/6] Change module path from traefik-plugins to dberardo-com

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 11d65e2..0c0ac2e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
-module github.com/traefik-plugins/traefik-jwt-plugin
+module github.com/dberardo-com/traefik-jwt-plugin
 go 1.17

From 68bf9e0c6331d38f7a387ef3aee847f73e583ea3 Mon Sep 17 00:00:00 2001
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com>
Date: Thu, 26 Feb 2026 12:43:56 +0100
Subject: [PATCH 4/6] Refactor handling of HS* shared secrets in jwt.go

---
 jwt.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/jwt.go b/jwt.go
index 2ee6ebd..e1250b0 100644
--- a/jwt.go
+++ b/jwt.go
@@ -282,13 +282,11 @@ func (jwtPlugin *JwtPlugin) ParseKeys(certificates []string) error {
 } else if u, err := url.ParseRequestURI(certificate); err == nil {
 jwtPlugin.jwkEndpoints = append(jwtPlugin.jwkEndpoints, u)
 } else {
- // Allow HS* shared secrets to be supplied directly via `keys`.
- // (Also safe with other algs because verify funcs type-check.)
- secretBytes, err := certificate
- if err != nil {
- return err
- }
+ // Allow HS* shared secret to be supplied directly via `keys`
+ // Store raw string bytes as HMAC key
+ secretBytes := []byte(certificate)
 jwtPlugin.keys[strconv.Itoa(len(jwtPlugin.keys))] = secretBytes
+ continue
 }
 }
 return nil

From f9dc78731dfb1321b53ad6325db71916f36f40fa Mon Sep 17 00:00:00 2001
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com>
Date: Thu, 26 Feb 2026 12:44:42 +0100
Subject: [PATCH 5/6] Update JWT plugin import path in .traefik.yml

---
 .traefik.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.traefik.yml b/.traefik.yml
index a7bf942..cf2ea1d 100644
--- a/.traefik.yml
+++ b/.traefik.yml
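Review bot: In [PATCH 4/6], `secretBytes := []byte(certificate)` is stored with no length check, so an empty or very short `keys` entry becomes a valid HMAC key; `url.ParseRequestURI` rejects the empty string, so unless a branch above the hunk catches it, `""` reaches this line. RFC 7518 requires an HS256 key of at least 256 bits, which suggests a guard such as `if len(certificate) < 32 { return fmt.Errorf("shared secret must be at least 32 bytes") }` before the assignment. Classification by trial parsing is also ambiguous: `url.ParseRequestURI` accepts an absolute path, so a base64 secret that starts with `/` would likely be appended to `jwkEndpoints` instead of being stored as a key. The added `continue` appears to be the last statement of the loop body and can be dropped; the loop header is outside the hunk.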
@@ -1,7 +1,7 @@
 displayName: JWT And OPA Access Management
 type: middleware
-import: github.com/dberardo-com/traefik-jwt-plugin
+import: github.com/traefik-plugins/traefik-jwt-plugin
 summary: Checks JWT tokens for required fields. Supports Open Policy Agent (OPA) and signature validation with JWKS.

From a4d8fa9ef70bd618a3d794a1da7306edb4eec629 Mon Sep 17 00:00:00 2001
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com>
Date: Thu, 26 Feb 2026 12:44:48 +0100
Subject: [PATCH 6/6] Rename module to traefik-plugins/traefik-jwt-plugin

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 0c0ac2e..11d65e2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
-module github.com/dberardo-com/traefik-jwt-plugin
+module github.com/traefik-plugins/traefik-jwt-plugin
 go 1.17