mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2026-05-17 08:36:55 +03:00
### Describe Your Changes

Adds JWT authentication support to vmauth with signature verification and tenant-based access control. For now, public_keys have to be set explicitly in the config, OIDC discovery will be added in upcoming PRs.

Related to https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10445

Key Features

- JWT Configuration: Added `jwt_token` field to user config supporting RSA/ECDSA public keys or skip_verify mode (for testing purposes).
- Token Validation: Verifies JWT signatures, checks expiration, and extracts vm_access claims
- Compatible with vmgateway: jwt tokens issued for vmgateway should work with vmauth too.

Examples

```yaml
users:
  - jwt_token:
      public_keys:
        - |
          -----BEGIN PUBLIC KEY-----
          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
          -----END PUBLIC KEY-----
    url_prefix: "http://victoria-metrics:8428/"
```

```yaml
users:
  - jwt_token:
      skip_verify: true
    url_prefix: "http://victoria-metrics:8428/"
```

Constraints

- JWT tokens cannot be mixed with other auth methods (bearer_token, username, password)
- Requires at least one public key OR skip_verify=true
- Limited to single JWT user (multiple JWT users will be supported in the future)

Next steps

- Multiple `jwt_token` support.
- Claim matching
- Claim based routing
- OIDC\JWKS support

### Checklist

The following checks are **mandatory**:

- [ ] My change adheres to [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/victoriametrics/contributing/#pull-request-checklist).
- [ ] My change adheres to [VictoriaMetrics development goals](https://docs.victoriametrics.com/victoriametrics/goals/).

---------

Co-authored-by: Pablo (Tomas) Fernandez <46322567+TomFern@users.noreply.github.com>
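
The token checks listed in the commit message (signature verification against the configured public keys, expiration, `vm_access` extraction), as an added Go example that is not vmauth's own code. `Mint`, `Verify` and the sample claims are hypothetical and constructed here; the `tenant_id`/`account_id`/`project_id` layout of `vm_access` is assumed from the vmgateway token format, and only RS256 is handled (ECDSA keys and `skip_verify` are left out).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

func Mint(claims string) (string, *rsa.PublicKey) { // hypothetical demo helper: throwaway key
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig), &k.PublicKey
}

// Verify (hypothetical) pins RS256, tries each key, then checks exp and vm_access.
func Verify(tok string, keys []*rsa.PublicKey, now time.Time) (map[string]any, error) {
	var h struct{ Alg string `json:"alg"` }
	var c struct{ Exp int64 `json:"exp"`; VMAccess map[string]any `json:"vm_access"` }
	dec := func(s string, v any) bool { b, err := b64.DecodeString(s); return err == nil && json.Unmarshal(b, v) == nil }
	p := strings.Split(tok, ".")
	if len(p) != 3 || !dec(p[0], &h) || h.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or alg %q not allowed", h.Alg) // refuses "none", HS256
	}
	sig, _ := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, k := range keys { // any one configured public key may verify the token
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, sum[:], sig) == nil {
			if !dec(p[1], &c) || c.Exp <= now.Unix() || len(c.VMAccess) == 0 {
				return nil, fmt.Errorf("token expired or vm_access claim missing")
			}
			return c.VMAccess, nil
		}
	}
	return nil, fmt.Errorf("signature matches no configured public key")
}

func main() {
	tok, pub := Mint(`{"exp":4102444800,"vm_access":{"tenant_id":{"account_id":1,"project_id":5}}}`)
	fmt.Println(Verify(tok, []*rsa.PublicKey{pub}, time.Now()))
}
```

The claims are parsed only after a signature matches, so an unsigned or foreign-signed token never reaches the `exp` or `vm_access` checks.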