JWTRule

JWTHeader

This message specifies a header location from which to extract the JWT token.

| Field | Type | Description | Required |
|-------|------|-------------|----------|
| name | string | The HTTP header name. | Yes |
| prefix | string | The prefix that should be stripped before decoding the token. For example, for `Authorization: Bearer <token>`, prefix=`"Bearer "` with a space at the end. If the header doesn't have this exact prefix, it is considered invalid. | No |

JWTRule

JSON Web Token (JWT) token format for authentication as defined by RFC 7519. See OAuth 2.0 and OIDC 1.0 for how this is used in the whole authentication flow.

Examples:

Spec for a JWT that is issued by https://example.com, whose audience claim must be either bookstore_android.apps.example.com or bookstore_web.apps.example.com. The token should be presented in the Authorization header (the default). The JSON Web Key Set (JWKS) will be discovered following the OpenID Connect protocol.

```yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.example.com
- bookstore_web.apps.example.com
```

This example specifies the token in a non-default location (the x-goog-iap-jwt-assertion header). It also defines the URI from which to fetch the JWKS explicitly.

```yaml
issuer: https://example.com
jwksUri: https://example.com/.secret/jwks.json
jwtHeaders:
- "x-goog-iap-jwt-assertion"
```
| Field | Type | Description | Required |
|-------|------|-------------|----------|
| issuer | string | Identifies the issuer that issued the JWT. See the `iss` (issuer) claim. A JWT with a different `iss` claim will be rejected.<br><br>Example: https://foobar.auth0.com<br>Example: 1234567-compute@developer.gserviceaccount.com | Yes |
| audiences | string[] | The list of JWT audiences that are allowed to access. A JWT containing any of these audiences will be accepted.<br><br>The service name will be accepted if audiences is empty.<br><br>Example:<br>`audiences:`<br>`- bookstore_android.apps.example.com`<br>`- bookstore_web.apps.example.com` | No |
| jwksUri | string | URL of the provider's public key set to validate the signature of the JWT. See OpenID Discovery.<br><br>Optional if the key set document can either (a) be retrieved from OpenID Discovery of the issuer or (b) be inferred from the email domain of the issuer (e.g. a Google service account).<br><br>Example: https://www.googleapis.com/oauth2/v1/certs<br><br>Note: Only one of jwks_uri and jwks should be used; jwks_uri will be ignored if jwks is also set. | No |
| jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. See https://auth0.com/docs/jwks.<br><br>Note: Only one of jwks_uri and jwks should be used; jwks_uri will be ignored if jwks is also set. | No |
| fromHeaders | JWTHeader[] | List of header locations from which the JWT is expected. For example, below is the location spec if the JWT is expected to be found in the x-jwt-assertion header with a `"Bearer "` prefix:<br>`fromHeaders:`<br>`- name: x-jwt-assertion`<br>`  prefix: "Bearer "` | No |
| fromParams | string[] | List of query parameters from which the JWT is expected. For example, if the JWT is provided via the query parameter my_token (e.g. `/path?my_token=`), the config is:<br>`fromParams:`<br>`- "my_token"` | No |
| outputPayloadToHeader | string | This field specifies the header name to which a successfully verified JWT payload is output for the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted. | No |
| forwardOriginalToken | bool | If set to true, the original token will be kept for the upstream request. Default is false. | No |