JwtPolicy
Proto: jwt_policy.proto
Package: security.policy.gloo.solo.io
Types:
JWTPolicyReport
Field | Description |
---|---|
workspaces |
(repeated JWTPolicyReport.WorkspacesEntry )The status of the resource in each workspace that it exists in. |
selectedRoutes |
(repeated common.gloo.solo.io.RouteReference )A list of references to all routes selected by the policy. |
JWTPolicyReport.WorkspacesEntry
Field | Description |
---|---|
key |
(string ) |
value |
(common.gloo.solo.io.Report ) |
JWTPolicySpec
JWTPolicy used to enable JWT Authentication for routes.
Example: Sample JWT Payload:
{
"org": "solo-io",
"iss": "https://localhost",
"exp": 4804324736,
"iat": 1648651136
}
Configuration below will enable JWT Authentication for selected routes
as well as inject a header into the request containing the value found
within the parsed claim if it exists. Empty sources default to extracting
JWTs from Authorization Header with prefix “Bearer
apiVersion: security.policy.gloo.solo.io/v2
kind: JWTPolicy
metadata:
name: <name>
namespace: <namespace>
spec:
config:
providers:
<provider_name>:
issuer: "https://localhost"
local:
inline: |
<pem formatted public key>
claimsToHeaders:
- claim: org
header: x-org
stage: PRE_AUTHZ
This example enables JWT Authentication for selected routes and
request will be checked using token found at either X-Auth header with prefix
“Bearer
apiVersion: security.policy.gloo.solo.io/v2
kind: JWTPolicy
metadata:
name: <name>
namespace: <namespace>
spec:
config:
providers:
<provider_name>:
issuer: "https://localhost"
local:
inline: |
<pem formatted public key>
tokenSource:
header:
- name: "X-Auth"
prefix: "Bearer"
queryParams:
- "auth_token"
stage: PRE_AUTHZ
Field | Description |
---|---|
applyToRoutes |
(repeated common.gloo.solo.io.RouteSelector )Select the routes where the policy will be applied. If left empty, no policy will be applied to any routes in the workspace. |
config |
(JWTPolicySpec.Config )The details of the JWT policy to apply to the selected routes. |
JWTPolicySpec.Config
Field | Description |
---|---|
providers |
(repeated JWTPolicySpec.Config.ProvidersEntry )Map provider name to jwt provider configuration. Note: The JWT provider name can help you map the JWT policy to the provider, such as when debugging and viewing logs. However, the JWT provider name does not change your policy's behavior, and cannot be used by other resources to select the policy. |
phase |
(common.gloo.solo.io.PrioritizedPhase )Use phase to indicate where in the request chain this JWT Filter should be applied. If no phase is specified, the default will be post AuthZ. |
allowMissingOrFailed |
(bool )Allow requests to succeed even if JWT authentication is missing or fails. For example, you might apply multiple policies to your routes to require JWT auth OR another method such as external auth. Set this value to “true” to allow a failed JWT auth request to pass through to the other authentication method. By default, this value is “false” so that requests that fail JWT authentication then fail authorization immediately. |
clearRouteCache |
(JWTPolicySpec.Config.ClearRouteCache )Optional: Decide whether to clear the route cache after the JWT filter. By clearing the route cache, the gateway recomputes route matching. This way, you can configure traffic rules after JWT auth, such as claim-based routing on cleared routes or direct response on cached routes. Defaults to the ‘AUTO’ option. |
claims |
(repeated JWTPolicySpec.Config.ClaimMatcher )Optional: Claims configures a list of arbitrary, claim-based JWT authorization rules. Each claim rule will be logically AND'd together internally. Any individual claim key that specifies multiple values will be logical OR'd together. |
requiredScopes |
(repeated string )Optional: Scopes configures an unordered list of required JWT scopes. If the JWT contains all of the scopes specified in this list, the request will be allowed. If the JWT does not contain all of the scopes specified in this list, the request will be denied. An empty list will skip scope validation. |
JWTPolicySpec.Config.ClaimMatcher
ClaimMatcher configures a list of claim-based JWT authorization rules.
Field | Description |
---|---|
key |
(string )key is the name of the JWT claim key. |
values |
(repeated string )Optional. A list of allowed values for the JWT claim. Note: at least one of values or not_values must be set. |
notValues |
(repeated string )Optional. A list of values that should not exist for the JWT claim. Note: at least one of values or not_values must be set. |
JWTPolicySpec.Config.Provider
Specifies how a JWT should be verified.
Field | Description |
---|---|
issuer |
(string )Optional: The principal that issued the JWT, usually a URL or an email address. If specified, the iss field in JWT token in the incoming request has to match this field else the request is denied. If left empty the iss field in the JWT token is not checked. |
audiences |
(repeated string )Optional: A list of intended audiences for this JWT token. A JWT containing any of these audiences will be accepted. If not specified, the audiences in JWT will not be checked. |
tokenSource |
(JWTPolicySpec.Config.Provider.TokenSource )Optional: If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the Bearer Authorization: Bearer 2. access_token query parameterhttps:// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Note if a single request contains multiple sources e.g header and query param set, then all tokens found in the request will need to be valid for the request to be accepted. Configured fields are case sensitive will be matched verbatim |
local |
(JWTPolicySpec.Config.Provider.LocalJWKS )Local can be either inline raw string of public jwks or kubernetes secret reference. |
remote |
(JWTPolicySpec.Config.Provider.RemoteJWKS )JWKS from remote url source. |
claimsToHeaders |
(repeated JWTPolicySpec.Config.Provider.ClaimsToHeader )Optional: What claims should be copied to upstream headers. |
keepToken |
(bool )Optional: KeepToken is used to keep the JWT in the request post verification. |
clockSkewSeconds |
(google.protobuf.UInt32Value )Optional: ClockSkewSeconds is used to verify time constraints, such as exp and npf . Default is 60s For information about the value format, see the Google protocol buffer documentation. |
JWTPolicySpec.Config.Provider.ClaimsToHeader
Allows copying verified claims to headers sent upstream
Field | Description |
---|---|
claim |
(string )Claim name. for example, “sub” |
header |
(string )The header the claim will be copied to. for example, “x-sub”. |
append |
(bool )If the header exists, append to it (true), or overwrite it (false). |
JWTPolicySpec.Config.Provider.LocalJWKS
Field | Description |
---|---|
secretRef |
(JWTPolicySpec.Config.Provider.LocalJWKS.SecretRef )Reference to a secret containing the PEM formatted public key. |
inline |
(string )Inline PEM formatted public key. |
JWTPolicySpec.Config.Provider.LocalJWKS.SecretRef
Field | Description |
---|---|
objectRef |
(common.gloo.solo.io.ObjectReference )Secret can be referenced explicitly by the namespace and cluster containing them. |
key |
(string )Key of data within specified secret. |
JWTPolicySpec.Config.Provider.RemoteJWKS
Field | Description |
---|---|
url |
(string )The url used when accessing the remote destination for Json Web Key Set. This is used to set the host and path in the request |
destinationRef |
(common.gloo.solo.io.DestinationReference )The remote destination representing the Json Web Key Set server |
cacheDuration |
(google.protobuf.Duration )Duration after which the cached JWKS should be expired. If not specified, default cache duration is 5 minutes. For information about the value format, see the Google protocol buffer documentation. |
timeout |
(google.protobuf.Duration )Sets the maximum duration in seconds that a response can take to arrive upon request. If left empty, defaults to 5s For information about the value format, see the Google protocol buffer documentation. |
enableAsyncFetch |
(bool )Fetch Jwks asynchronously in the main thread before the listener is activated. Fetched Jwks can be used by all worker threads. If this feature is not enabled: * The Jwks is fetched on-demand when the requests come. During the fetching, first few requests are paused until the Jwks is fetched. * Each worker thread fetches its own Jwks since Jwks cache is per worker thread. If this feature is enabled: * Fetched Jwks is done in the main thread before the listener is activated. Its fetched Jwks can be used by all worker threads. Each worker thread doesn't need to fetch its own. * Jwks is ready when the requests come, not need to wait for the Jwks fetching. |
JWTPolicySpec.Config.Provider.TokenSource
Optional: Where to extract JWT Token in HTTP Request
If left empty, defaults to Header “Authorization: Bearer
Field | Description |
---|---|
headers |
(repeated JWTPolicySpec.Config.Provider.TokenSource.fromHeader )Try to retrieve token from these headers |
queryParams |
(repeated string )Try to retrieve token from these query params |
JWTPolicySpec.Config.Provider.TokenSource.fromHeader
Describes how to retrieve a JWT from a header
Field | Description |
---|---|
name |
(string )The name of header. E.g: “Authorization” |
prefix |
(string )Prefix before the token. for example, “Bearer " with space |
JWTPolicySpec.Config.ProvidersEntry
Field | Description |
---|---|
key |
(string ) |
value |
(JWTPolicySpec.Config.Provider ) |
JWTPolicyStatus
reflects the status of the JWTPolicyStatus
Field | Description |
---|---|
common |
(common.gloo.solo.io.Status ) |
numSelectedRoutes |
(uint32 )The number of routes selected by the policy. |
JWTPolicySpec.Config.ClearRouteCache
Name | Number | Description |
---|---|---|
AUTO |
0 | The default behavior, which clears the route cache when the auth response is successful or if the JWT policy adds a claim in the ‘claimsToHeader’ field. This way, the gateway recomputes route matching, such as to route traffic based on the claims you add in the JWT policy. |
FALSE |
1 | Set to false so that the route cache is not cleared after the JWT filter. This way, you can configure traffic rules based on routing details from both before and after the JWT filter. For example, you might want to reject with a direct response any requests that send a header that is also set in the JWT policy's ‘claimsToHeader’ field. |
TRUE |
2 | Set to true so that the route cache is always cleared after the JWT filter. This way, the gateway recomputes route matching, such as to route traffic based on the claims you add in the JWT policy. |