Control access or route traffic based on verified claims in a JSON web token (JWT).

About JWTs

A JSON Web Token (JWT) is an open standard for securely sharing information between a client and your apps. JWTs are commonly used to support stateless, simple, scalable, and interoperable authentication and authorization flows.

For more information, refer to the following sources:

Common use cases

JSON Web Tokens (JWT) are commonly used to offload authentication and authorization code from your apps.

Keep in mind that JWT data is encoded but not encrypted. As such, consider using JWT policies with no personally identifiable information (PII) or sensitive data, and only on HTTPS traffic.

JWT structure

A JWT has three parts: header, payload, and signature. These three parts are base64 encoded, combined, and separated by the dot character (.) to form the final token. To review and decode JWTs, you can use a tool such as the jwt.io debugger. JWT parts are structured as follows:

Phase considerations for JWTs

You can apply a JWT policy before or after external authentication and authorization of a request. Where you place the JWT policy depends on many considerations that are unique to your environment, as compared in the following table. For more information about setting phases and priority, see the Phase API docs.

Consideration Before (Pre-AuthZ) After (Post-AuthZ)
Token source The JWT comes from a trusted source that the client already has before the request reaches the gateway. For example, the client might already be within your environment. The JWT comes from an external authentication provider, such as OIDC or SSO.
Authentication You want to filter out requests that do not already have a JWT. Or, you require external authentication only for requests with certain information that is within the JWT. You want to require authentication for all requests.
Security requirements You must validate a request's JWT claims before external authentication, such as if your apps receive requests from many untrusted or insecure sources. You must get a JWT from a certain OIDC provider before the request is validated.
Performance You want to filter out requests as soon as possibled based on the JWT. The JWT might have all the information to make authentication decisions and comes from a trusted source. This way, you do not need to perform an additional network hop to the external authentication provider. The JWT filtering happens within the gateway proxy. You might configure a request to authenticate with an external provider first. Aftewards, you use JWT validation to reduce the number of times that a request is sent for external authentication.
Filter order with other policies The JWT information is not needed for policies that happen before it in the pre-AuthZ filter order, such as transformation or rate limiting. The JWT information is used in complex authentication flows with policies that happen after it in the post-AuthZ filter order. For example, you might set up a complex flow to authenticate, extract, transform, and rate limit based on an appended claim to the JWT.

JWTs in Gloo Platform

With Gloo policies, you can restrict and route traffic based on information that you find in the JWT. Routing based on user identity in the JWT is more secure than unauthenticated HTTP requests from a path or header.

The guides in this JWT section provide several examples for configuring JWT policies.

You might also use JWT policies in combination with other Gloo resources, such as the following: