JWTRule
JWTRule
JSON Web Token (JWT) token format for authentication as defined by RFC 7519. See OAuth 2.0 and OIDC 1.0 for how this is used in the whole authentication flow.
Examples:
Spec for a JWT that is issued by https://example.com
, with the audience claims must be either bookstore_android.apps.example.com
or bookstore_web.apps.example.com
. The token should be presented at the Authorization
header (default). The Json web key set (JWKS) will be discovered followwing OpenID Connect protocol.
issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
bookstore_web.apps.example.com
This example specifies token in non-default location (x-goog-iap-jwt-assertion
header). It also defines the URI to fetch JWKS explicitly.
issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
jwtHeaders:
- "x-goog-iap-jwt-assertion"
Field | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. See issuer A JWT with different Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com | Yes |
audiences | string[] | The list of JWT audiences. that are allowed to access. A JWT containing any of these audiences will be accepted. The service name will be accepted if audiences is empty. Example:
| No |
jwksUri | string | URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery. Optional if the key set document can either (a) be retrieved from OpenID Discovery of the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account). Example: Note: Only one of | No |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks. Note: Only one of | No |
fromHeaders | JWTHeader[] | List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in
| No |
fromParams | string[] | List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter
| No |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is | No |
forwardOriginalToken | bool | If set to true, the orginal token will be kept for the ustream request. Default is false. | No |
JWTHeader
This message specifies a header location to extract JWT token.
Field | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | Yes |
prefix | string | The prefix that should be stripped before decoding the token. For example, for “Authorization: Bearer | No |