Overview
Control access or route traffic based on verified claims in a JSON web token (JWT).
This feature is an Enterprise-only feature that requires a Gloo Gateway Enterprise license.
About JWTs
A JSON Web Token (JWT) is an open standard for securely sharing information between a client and your apps. JWTs are commonly used to support stateless, simple, scalable, and interoperable authentication and authorization flows.
For more information, refer to the following sources:
- RFC 7519, JWT specification
- Auth0 overview about JWT
- Gloo JWT policy API docs
- Istio docs for JWT tokens and JWT claim-based routing
Common use cases
JSON Web Tokens (JWT) are commonly used to offload authentication and authorization code from your apps.
- Authentication: Instead of storing user session information server-side which can lead to scalability issues, you set up a JWT issuer, such as an OpenID Connect (OIDC) or Single Sign-on (SSO) provider. After a user authenticates, the provider returns a JWT in the response that is stored client-side. Subsequent requests from the client include the JWT, which is faster to verify than performing the entire authentication and authorization process again.
- Authorization: JWTs can have custom claims that can define a user’s scope, role, or other permissions. You can use these claims in combination with other policies to enforce fine-grained access control to your apps. By including the claim information within the JWT, the authorization process can happen faster and more scalably.
- Secure information exchange: Because the token is in JSON format, many otherwise incompatible systems and services can use the token to exchange information. The authentication and authorization features built into the token help these systems validate and trust the information.
Keep in mind that JWT data is encoded but not encrypted. As such, consider using JWT policies with no personally identifiable information (PII) or sensitive data, and only on HTTPS traffic.
JWT structure
A JWT has three parts: header, payload, and signature. These three parts are base64 encoded, combined, and separated by the dot character (.
) to form the final token. To review and decode JWTs, you can use a tool such as the jwt.io debugger.
JWT parts are structured as follows:
- A header with metadata, such as the signing algorithm.
- A payload of user information or “claims” that provide identity information, such as the following common claims:
- The seven reserved claims per the RFC 7519 spec. The most common are:
iss
: The entity that issued the token.sub
: The subject of the token, usually a user ID.aud
: The audience the token is issued for, important for security purposes so that the token is not used for other purposes.
- Additional registered claims per the OpenID Connect Core to encourage interoperability, such as
email
,scope
, orclient_id
. For more information, see IANA JSON Web Token Claims. - Additional custom claims that you or your OIDC provider create. For an example, see the Auth0 docs.
- The seven reserved claims per the RFC 7519 spec. The most common are:
- A signature that signs the header and payload
JWT verification
The JWT signature is used to verify that the token’s integrity and authenticity. The signature is typically created by using asymmetric encryption with a private and public key. The JWT token is signed by using the private key. To verify the token, a public key is used. The public key can be shared and distributed because it cannot be used to sign new JWTs.