JSON Web Tokens (Enterprise)

This feature is available in Gloo Gateway Enterprise only. If you are using the open source version of Gloo, these instructions do not work.

What are JSON Web Tokens?

JSON Web Tokens, or JWT for short, are a standard way to carry verifiable identity information. This can be used for authentication. The advantage of using JWTs is that since they are a standard format and cryptographically signed, they can usually be verified without contacting an external authentication server. To support this use case, the application server verifying the JWTs needs to be set up with a private key for verification - JWTs signed by that key will be verified by the application server. Tokens that are not will be rejected (usually via an HTTP 401 response code).

JWTs are useful in various scenarios, such as:

How is a JWT structured?

A JWT has three parts:

All three parts are combined with the “.” character to form the final token. The header has some metadata on the JWT (like the signing algorithm). The payload carries the claims that the token makes (more on that in the next section). Finally, the signature part is a cryptographic signature over the header and the payload.

How does a JWT carry identity information?

Inside the JWT, various claims are encoded; claims provide identity information. A few standard claims are:

See the JWT specification for a complete description of all standard claims.

The claims are encoded as a JSON object, which is then base64-encoded to form the payload of the JWT.

How is a JWT verified?

Most commonly, asymmetric encryption is used to sign JWTs. To verify them, a public key is used. This has the advantage of making verification easy - the public key can be distributed as it is not secret and cannot be used to sign new JWTs. The JWT can be independently verified by anyone using the public key.

JWTs in Gloo Gateway

Gloo Gateway supports JWT verification using the JWT extension. You can define multiple JWT providers. In each provider you can specify where to find the keys required for JWT verification, the values for the issuer and audience claims to verify, as well as other settings.

We have a few guides that go into more detail: