Bearer

Use bearer middleware to secure HTTP endpoints by verifying bearer tokens

The bearer HTTP middleware verifies a Bearer Token using OpenID Connect on a Web API, without modifying the application. This design separates authentication/authorization concerns from the application, so that application operators can adopt and configure authentication/authorization providers without impacting the application code.

Component format

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: bearer-token
  5. spec:
  6.   type: middleware.http.bearer
  7.   version: v1
  8.   metadata:
  9.     - name: audience
  10.       value: "<your token audience; e.g. the application's client ID>"
  11.     - name: issuer
  12.       value: "<your token issuer, e.g. 'https://accounts.google.com'>"
  14.     # Optional values
  15.     - name: jwksURL
  16.       value: "https://accounts.google.com/.well-known/openid-configuration"

Spec metadata fields

FieldRequiredDetailsExample
audienceYThe audience expected in the tokens. Usually, this corresponds to the client ID of your application that is created as part of a credential hosted by a OpenID Connect platform.
issuerYThe issuer authority, which is the value expected in the issuer claim in the tokens.https://accounts.google.com, https://login.salesforce.com
jwksURLNAddress of the JWKS (JWK Set containing the public keys for verifying tokens). If empty, will try to fetch the URL set in the OpenID Configuration document <issuer>/.well-known/openid-configuration.https://accounts.google.com/.well-known/openid-configuration

Dapr configuration

To be applied, the middleware must be referenced in configuration. See middleware pipelines.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Configuration
  3. metadata:
  4.   name: appconfig
  5. spec:
  6.   httpPipeline:
  7.     handlers:
  8.     - name: bearer-token
  9.       type: middleware.http.bearer

Last modified June 19, 2023: Merge pull request #3565 from dapr/aacrawfi/skip-secrets-close (b1763bf)