Basic JWT policy
Learn the basics of setting up a JWT policy.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Create a JWT policy
Create a GlooTrafficPolicy to enforce JWT authentication.
kubectl apply -f- <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: jwt
  namespace: gloo-system
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
  glooJWT:
    beforeExtAuth:
      providers:
        selfminted:
          issuer: solo.io
          jwks:
            local:
              key: '{"keys":[{"kty":"RSA","kid":"solo-public-key-001","use":"sig","alg":"RS256","n":"AOfIaJMUm7564sWWNHaXt_hS8H0O1Ew59-nRqruMQosfQqa7tWne5lL3m9sMAkfa3Twx0LMN_7QqRDoztvV3Wa_JwbMzb9afWE-IfKIuDqkvog6s-xGIFNhtDGBTuL8YAQYtwCF7l49SMv-GqyLe-nO9yJW-6wIGoOqImZrCxjxXFzF6mTMOBpIODFj0LUZ54QQuDcD1Nue2LMLsUvGa7V1ZHsYuGvUqzvXFBXMmMS2OzGir9ckpUhrUeHDCGFpEM4IQnu-9U8TbAJxKE5Zp8Nikefr2ISIG2Hk1K2rBAc_HwoPeWAcAWUAR5tWHAxx-UXClSZQ9TMFK850gQGenUp8","e":"AQAB"}]}'
EOF

Review the following table to understand this configuration. For more information, see the API docs or the JWT guide for more examples.

targetRefs
    The target to apply the JWT policy to. The example applies to the Gateway that you created before you began. To apply the policy to a particular route, you can also target an HTTPRoute.
glooJWT
    The JWT policy rules to enforce.
beforeExtAuth
    The phase at which to enforce the JWT policy. In this example, you enforce the policy before any external auth filter is enforced. This means that the JWT is available for use by a subsequent external auth policy, if needed.
providers
    The JWT provider for Gloo to authenticate the JWT.
selfminted
    An arbitrary name for the JWT provider. Because this example provides its own JWKS, the name selfminted is used.
issuer
    The principal that issued the JWT, usually a URL or an email address. If specified, the iss field in the JWT of the incoming request must match this field, or else the request is denied. If omitted, the iss field in the JWT is not checked.
jwks
    The JSON Web Key Set (JWKS) to use to verify the JWT. In this example, a local JWKS is provided inline. To use JWTs with agentgateway enterprise, make sure that the JWTs return Key ID (kid) and expiration date (exp) values in the JWT header.

Send a request to the httpbin app. Verify that your request is denied and that you get back a 401 HTTP response code, because all routes on the gateway now require a valid JWT token from the provider.
Example output:
< HTTP/1.1 401 Unauthorized
< www-authenticate: Bearer realm="http://www.example.com:8080/headers"
< content-length: 14
< content-type: text/plain
< date: Fri, 28 Jun 2024 02:19:00 GMT
< server: envoy
<
* Connection #0 to host 34.XXX.XX.XXX left intact
Jwt is missing

Create an environment variable to save the JWT tokens for the users Alice and Bob. You can optionally create other JWT tokens by using the JWT generator tool.
Save the JWT token for Alice. Alice works in the dev team.
export ALICE_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNvbG8tcHVibGljLWtleS0wMDEifQ.eyJpc3MiOiJzb2xvLmlvIiwib3JnIjoic29sby5pbyIsInN1YiI6ImFsaWNlIiwidGVhbSI6ImRldiIsImV4cCI6MjA3NDI3NDg4NCwibGxtcyI6eyJvcGVuYWkiOlsiZ3B0LTMuNS10dXJibyJdfX0.il5Rjsad65jpQR_pyRzBdEKFSj-ERmBf4K2VksvGvswWVv4n79lYERslr4KCECuiz9y_T-xUiQ9IkhW3YHzl5zo1kajhhIg7Nhnl1AvAqODbnF6wYpLRk0Npna_2T6lK3Yj54qQGi6vXG3IMRpo1_o2DrbdlKx2k_WFegCoQyyYazb4z3ZXfWvTiWqQDJA5wWcM3-jKzAWfNM8zgZWa-1BeAHDvpLcfWtuXEGSjkdCW0FQJOTjgIEqACnnXb2Jio0tWgelh9hDPILI-tvanj3iKCjpf3uF6g8QWSBNoVFfu7F1jJgj5Aj1sX8AV-CQVu2aQx3EHRZ1mL_3w3qSRWPw
Save the JWT token for Bob. Bob works in the ops team.
export BOB_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNvbG8tcHVibGljLWtleS0wMDEifQ.eyJpc3MiOiJzb2xvLmlvIiwib3JnIjoic29sby5pbyIsInN1YiI6ImJvYiIsInRlYW0iOiJvcHMiLCJleHAiOjIwNzQyNzQ5NTQsImxsbXMiOnsibWlzdHJhbGFpIjpbIm1pc3RyYWwtbGFyZ2UtbGF0ZXN0Il19fQ.GF_uyLpZSTT1DIvJeO_eish1WDjMaS4BQSifGQhqPRLjzu3nXtPkaBRjceAmJi9gKZYAzkT25MIrT42ZIe3bHilrd1yqittTPWrrM4sWDDeldnGsfU07DWJHyboNapYR-KZGImSmOYshJlzm1tT_Bjt3-RK3OBzYi90_wl0dyAl9D7wwDCzOD4MRGFpoMrws_OgVrcZQKcadvIsH8figPwN4mK1U_1mxuL08RWTu92xBcezEO4CdBaFTUbkYN66Y2vKSTyPCxg3fLtg1mvlzU1-Wgm2xZIiPiarQHt6Uq7v9ftgzwdUBQM1AYLvUVhCN6XkkR9OU3p0OXiqEDjAxcg
Send another request to the httpbin app. This time, you include Alice’s JWT token in the Authorization header. Because these JWT tokens were signed by the JWT issuer that is used in the JWT policy, the request now succeeds. Verify that you get back a 200 HTTP response code.
Example output:
< HTTP/1.1 200 OK
....
{
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "www.example.com:8080"
    ],
    "User-Agent": [
      "curl/7.77.0"
    ],
    "X-Envoy-Expected-Rq-Timeout-Ms": [
      "15000"
    ],
    "X-Forwarded-Proto": [
      "http"
    ],
    "X-Request-Id": [
      "c7e10708-abda-42b7-833e-b6ac93252612"
    ]
  }
}

Repeat the request with Bob’s JWT token. Verify that the request succeeds with a 200 HTTP response code.
Example output:
< HTTP/1.1 200 OK
...
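To see why Alice's and Bob's requests pass while a request without a token gets "Jwt is missing", the following added example (not code from Gloo Gateway or its docs) reproduces the checks the policy applies: select the key in the inline JWKS by the kid in the token header, verify the RS256 signature, compare iss with the configured issuer, and require an exp that lies in the future. The JWKS and the two tokens are copied from this guide; the function names, the with_claims helper that alters a claim while keeping the old signature, and the use of the Python standard library instead of Envoy's JWT filter are this example's own choices.

```python
"""Apply the JWT policy's checks to the guide's sample tokens, offline.

Added example, not code from Gloo Gateway or its docs. It reproduces what the
GlooTrafficPolicy above does with a request's JWT: look up the signing key by
kid in the inline JWKS, verify the RS256 signature, compare iss with the
configured issuer, and require an unexpired exp. Only the Python standard
library is used. JWKS, ALICE_TOKEN and BOB_TOKEN are copied from this guide;
the function names are this example's own.
"""
import base64
import hashlib
import json
import time

# The JWKS from the GlooTrafficPolicy in this guide.
JWKS = json.loads(
    '{"keys":[{"kty":"RSA","kid":"solo-public-key-001","use":"sig","alg":"RS256",'
    '"n":"AOfIaJMUm7564sWWNHaXt_hS8H0O1Ew59-nRqruMQosfQqa7tWne5lL3m9sMAkfa3Twx0LMN_7QqRDoztvV3Wa_JwbMzb9afWE-IfKIuDqkvog6s-xGIFNhtDGBTuL8YAQYtwCF7l49SMv-GqyLe-nO9yJW-6wIGoOqImZrCxjxXFzF6mTMOBpIODFj0LUZ54QQuDcD1Nue2LMLsUvGa7V1ZHsYuGvUqzvXFBXMmMS2OzGir9ckpUhrUeHDCGFpEM4IQnu-9U8TbAJxKE5Zp8Nikefr2ISIG2Hk1K2rBAc_HwoPeWAcAWUAR5tWHAxx-UXClSZQ9TMFK850gQGenUp8",'
    '"e":"AQAB"}]}'
)

# The tokens the guide exports as ALICE_TOKEN and BOB_TOKEN.
ALICE_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNvbG8tcHVibGljLWtleS0wMDEifQ.eyJpc3MiOiJzb2xvLmlvIiwib3JnIjoic29sby5pbyIsInN1YiI6ImFsaWNlIiwidGVhbSI6ImRldiIsImV4cCI6MjA3NDI3NDg4NCwibGxtcyI6eyJvcGVuYWkiOlsiZ3B0LTMuNS10dXJibyJdfX0.il5Rjsad65jpQR_pyRzBdEKFSj-ERmBf4K2VksvGvswWVv4n79lYERslr4KCECuiz9y_T-xUiQ9IkhW3YHzl5zo1kajhhIg7Nhnl1AvAqODbnF6wYpLRk0Npna_2T6lK3Yj54qQGi6vXG3IMRpo1_o2DrbdlKx2k_WFegCoQyyYazb4z3ZXfWvTiWqQDJA5wWcM3-jKzAWfNM8zgZWa-1BeAHDvpLcfWtuXEGSjkdCW0FQJOTjgIEqACnnXb2Jio0tWgelh9hDPILI-tvanj3iKCjpf3uF6g8QWSBNoVFfu7F1jJgj5Aj1sX8AV-CQVu2aQx3EHRZ1mL_3w3qSRWPw"
BOB_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNvbG8tcHVibGljLWtleS0wMDEifQ.eyJpc3MiOiJzb2xvLmlvIiwib3JnIjoic29sby5pbyIsInN1YiI6ImJvYiIsInRlYW0iOiJvcHMiLCJleHAiOjIwNzQyNzQ5NTQsImxsbXMiOnsibWlzdHJhbGFpIjpbIm1pc3RyYWwtbGFyZ2UtbGF0ZXN0Il19fQ.GF_uyLpZSTT1DIvJeO_eish1WDjMaS4BQSifGQhqPRLjzu3nXtPkaBRjceAmJi9gKZYAzkT25MIrT42ZIe3bHilrd1yqittTPWrrM4sWDDeldnGsfU07DWJHyboNapYR-KZGImSmOYshJlzm1tT_Bjt3-RK3OBzYi90_wl0dyAl9D7wwDCzOD4MRGFpoMrws_OgVrcZQKcadvIsH8figPwN4mK1U_1mxuL08RWTu92xBcezEO4CdBaFTUbkYN66Y2vKSTyPCxg3fLtg1mvlzU1-Wgm2xZIiPiarQHt6Uq7v9ftgzwdUBQM1AYLvUVhCN6XkkR9OU3p0OXiqEDjAxcg"

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(data):
    """Decode unpadded base64url, the encoding JWS and JWK use."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def rs256_verify(n, e, signing_input, signature):
    """RSASSA-PKCS1-v1_5 with SHA-256 (JWS alg RS256), RFC 8017 section 8.2.2."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGEST_INFO + hashlib.sha256(signing_input).digest()
    # EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || T; compare the whole encoding.
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return em == expected


def check_jwt(token, jwks, issuer, now=None):
    """Return the claims of an accepted token; raise ValueError with the reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("Jwt is missing")  # the 401 body shown earlier in the guide
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    payload = json.loads(b64url_decode(p_b64))
    if header.get("alg") != "RS256":
        raise ValueError("alg %r is not RS256" % header.get("alg"))
    # Key selection by kid, which is why the guide requires kid in the header.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no RSA key with kid %r in JWKS" % header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    signing_input = ("%s.%s" % (h_b64, p_b64)).encode("ascii")
    if not rs256_verify(n, e, signing_input, b64url_decode(s_b64)):
        raise ValueError("signature verification failed")
    # issuer is set in the policy, so iss must match it exactly.
    if payload.get("iss") != issuer:
        raise ValueError("iss %r does not match issuer %r" % (payload.get("iss"), issuer))
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("exp missing or in the past")
    return payload


def is_accepted(token, jwks, issuer, now=None):
    """True when the policy would let the request through."""
    try:
        check_jwt(token, jwks, issuer, now)
        return True
    except ValueError:
        return False


def with_claims(token, **changes):
    """Re-encode the payload with changed claims but keep the original signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    payload = json.loads(b64url_decode(p_b64))
    payload.update(changes)
    raw = json.dumps(payload, separators=(",", ":")).encode("ascii")
    new_p = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return "%s.%s.%s" % (h_b64, new_p, s_b64)


if __name__ == "__main__":
    cases = [("alice", ALICE_TOKEN), ("bob", BOB_TOKEN),
             ("alice with team changed", with_claims(ALICE_TOKEN, team="ops")),
             ("no token", "")]
    for name, tok in cases:
        try:
            claims = check_jwt(tok, JWKS, "solo.io")
            print("%s -> 200, sub=%s team=%s" % (name, claims["sub"], claims["team"]))
        except ValueError as err:
            print("%s -> 401: %s" % (name, err))
```

Running the script accepts both tokens and rejects the altered one, which is the property the policy relies on: the claims a later external auth policy reads from the JWT cannot be changed without the issuer's private key, because the signature covers the encoded header and payload together.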
Cleanup
You can optionally remove the resources that you set up as part of this guide.
kubectl delete GlooTrafficPolicy jwt -n gloo-system