
Use bearer middleware to secure HTTP endpoints by verifying bearer tokens

The bearer HTTP middleware verifies a Bearer Token using OpenID Connect on a Web API, without modifying the application. This design separates authentication/authorization concerns from the application, so that application operators can adopt and configure authentication/authorization providers without impacting the application code.

Component format

    apiVersion:
    kind: Component
    metadata:
      name: bearer-token
    spec:
      type: middleware.http.bearer
      version: v1
      metadata:
        - name: audience
          value: "<your token audience; e.g. the application's client ID>"
        - name: issuer
          value: "<your token issuer, e.g. ''>"
        # Optional values
        - name: jwksURL
          value: ""

Spec metadata fields

| Field | Required | Details |
|-------|----------|---------|
| audience | Y | The audience expected in the tokens. Usually, this corresponds to the client ID of your application that is created as part of a credential hosted by an OpenID Connect platform. |
| issuer | Y | The issuer authority, which is the value expected in the issuer claim in the tokens. |
| jwksURL | N | Address of the JWKS (JWK Set containing the public keys for verifying tokens). If empty, the middleware tries to fetch the URL set in the OpenID Configuration document at <issuer>/.well-known/openid-configuration. |
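
The jwksURL fallback described in the table, written out as an added Go example (it is not Dapr's implementation and not code from this page): an explicit jwksURL wins, otherwise the key set location is read from the issuer's discovery document. The function names, the injected fetch parameter, the sample issuer https://idp.example.com and the https-only check on jwks_uri are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// resolveJWKSURL returns the configured jwksURL, or, when it is empty, the jwks_uri
// advertised in <issuer>/.well-known/openid-configuration. fetch performs the GET;
// it is a parameter so the logic can be exercised without network access.
func resolveJWKSURL(fetch func(string) ([]byte, error), issuer, jwksURL string) (string, error) {
	if jwksURL != "" {
		return jwksURL, nil
	}
	body, err := fetch(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return "", fmt.Errorf("fetch discovery document: %w", err)
	}
	var doc struct {
		Issuer  string `json:"issuer"`
		JWKSURI string `json:"jwks_uri"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("parse discovery document: %w", err)
	}
	// OIDC Discovery: the document's issuer must equal the issuer it was fetched for.
	if doc.Issuer != issuer {
		return "", fmt.Errorf("issuer mismatch: got %q, want %q", doc.Issuer, issuer)
	}
	// Verification keys must come from an absolute https URL (assumption of this example).
	u, err := url.Parse(doc.JWKSURI)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("jwks_uri %q is not an absolute https URL", doc.JWKSURI)
	}
	return doc.JWKSURI, nil
}

// sampleFetch stands in for an HTTP GET and returns a constructed discovery document.
func sampleFetch(string) ([]byte, error) {
	return []byte(`{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/keys"}`), nil
}

func main() {
	fmt.Println(resolveJWKSURL(sampleFetch, "https://idp.example.com", ""))
}
```

When the audience or issuer value in the component does not match what the identity provider publishes, this kind of check fails at resolution time rather than as a stream of rejected requests.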

Dapr configuration

To be applied, the middleware must be referenced in configuration. See middleware pipelines.

    apiVersion:
    kind: Configuration
    metadata:
      name: appconfig
    spec:
      httpPipeline:
        handlers:
          - name: bearer-token
            type: middleware.http.bearer

Last modified June 19, 2023: Merge pull request #3565 from dapr/aacrawfi/skip-secrets-close (b1763bf)