Package: security.policy.gloo.solo.io





JWTPolicy used to enable JWT Authentication for routes

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| applyToRoutes | []common.gloo.solo.io.RouteSelector | repeated | Select the routes where the policy will be applied. If left empty, no policy will be applied to any routes in the workspace. |
| config | security.policy.gloo.solo.io.JWTPolicySpec.Config | | The details of the JWT policy to apply to the selected routes. |
Example: sample JWT payload:

```json
{ "org": "solo-io", "iss": "https://localhost", "exp": 4804324736, "iat": 1648651136 }
```

The configuration below enables JWT authentication for the selected routes and injects a header into the request containing the value found within the parsed claim, if it exists. Empty sources default to extracting JWTs from the Authorization header with the prefix "Bearer " or from the query parameter "access_token".

```yaml
apiVersion: security.policy.gloo.solo.io/v2
kind: JWTPolicy
metadata:
  name:
  namespace:
spec:
  config:
    providers:
      <provider_name>:
        issuer: "https://localhost"
        local:
          inline:
```


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| providers | []security.policy.gloo.solo.io.JWTPolicySpec.Config.ProvidersEntry | repeated | Map of provider name to JWT provider configuration. Note: The JWT provider name can help you map the JWT policy to the provider, such as when debugging and viewing logs. However, the JWT provider name does not change your policy's behavior, and cannot be used by other resources to select the policy. |
| phase | common.gloo.solo.io.PrioritizedPhase | | Use phase to indicate where in the request chain this JWT filter should be applied. If no phase is specified, the default is post AuthZ. |


Specifies how a JWT should be verified.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| issuer | string | | Optional: The principal that issued the JWT, usually a URL or an email address. If specified, the iss field of the JWT in the incoming request must match this field, otherwise the request is denied. If left empty, the iss field of the JWT is not checked. |
| audiences | []string | repeated | Optional: A list of intended audiences for this JWT. A JWT containing any of these audiences will be accepted. If not specified, the audiences in the JWT will not be checked. |
| tokenSource | security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider.TokenSource | | Optional: If no explicit location is specified, the following default locations are tried in order: 1. The Authorization header using the Bearer prefix (Authorization: Bearer <token>). 2. The access_token query parameter. Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations its provider specified or from the default locations. Note: if a single request contains multiple sources, e.g. both a header and a query parameter are set, then all tokens found in the request must be valid for the request to be accepted. Configured fields are case sensitive and are matched verbatim. |
| local | security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider.LocalJWKS | | Local can be either an inline raw string of public JWKS or a Kubernetes secret reference. |
| remote | security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider.RemoteJWKS | | JWKS from a remote URL source. |
| claimsToHeaders | []security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider.ClaimsToHeader | repeated | Optional: The claims to copy to upstream headers. |


Allows copying verified claims to headers sent upstream

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| claim | string | | Claim name, for example "sub". |
| header | string | | The header the claim will be copied to, for example "x-sub". |
| append | bool | | If the header exists, append to it (true), or overwrite it (false). |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| secretRef | security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider.LocalJWKS.SecretRef | | Reference to a secret containing the PEM formatted public key. |
| inline | string | | Inline PEM formatted public key. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| objectRef | common.gloo.solo.io.ObjectReference | | Secret can be referenced explicitly by the namespace and cluster containing them. |
| key | string | | Key of data within specified secret. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| url | string | | The URL used when accessing the remote destination for the JSON Web Key Set. This is used to set the host and path in the request. |
| destinationRef | common.gloo.solo.io.DestinationReference | | The remote destination representing the JSON Web Key Set server. |
| cacheDuration | google.protobuf.Duration | | Duration after which the cached JWKS expires. If not specified, the default cache duration is 5 minutes. |
| timeout | google.protobuf.Duration | | Sets the maximum duration in seconds that a response can take to arrive upon request. If left empty, defaults to 5s. |
| enableAsyncFetch | bool | | Fetch the JWKS asynchronously in the main thread before the listener is activated. The fetched JWKS can be used by all worker threads. If this feature is not enabled: (1) the JWKS is fetched on demand when requests come in, and the first few requests are paused until the JWKS is fetched; (2) each worker thread fetches its own JWKS, since the JWKS cache is per worker thread. If this feature is enabled: (1) the JWKS is fetched in the main thread before the listener is activated and can be used by all worker threads, so each worker thread does not need to fetch its own; (2) the JWKS is ready when requests come in, so they do not need to wait for the JWKS fetch. |


Optional: Where to extract the JWT from in the HTTP request.
If left empty, defaults to the header "Authorization: Bearer <token>" or the query parameter "access_token=<token>".

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| headers | []security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider.TokenSource.fromHeader | repeated | Try to retrieve token from these headers |
| queryParams | []string | repeated | Try to retrieve token from these query params |


Describes how to retrieve a JWT from a header

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | The name of the header, e.g. "Authorization". |
| prefix | string | | Prefix before the token, for example "Bearer " (with the trailing space). |
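A complete policy built from the fields documented above, as an added example that is not taken from the Gloo documentation. The resource name, namespace, provider name, audience and PEM body are placeholders, and the `route.labels` selector shape is an assumption, since the RouteSelector fields are not described on this page.

```yaml
# Added example, not from the original page. All names and values below are
# placeholders chosen for illustration.
apiVersion: security.policy.gloo.solo.io/v2
kind: JWTPolicy
metadata:
  name: example-jwt-policy          # hypothetical
  namespace: example-namespace      # hypothetical
spec:
  applyToRoutes:                    # left empty, the policy applies to no routes
  - route:
      labels:                       # assumed RouteSelector shape (not documented here)
        route: example
  config:
    providers:
      example-provider:             # name only helps with logs and debugging
        # Set explicitly: with an empty issuer the iss claim is not checked.
        issuer: "https://localhost"
        # Set explicitly: with no audiences the aud claim is not checked.
        audiences:
        - example-audience
        # An explicit location is given, so the default locations
        # (Authorization header, access_token query parameter) are not used.
        tokenSource:
          headers:
          - name: Authorization
            prefix: "Bearer "       # matched verbatim, including the trailing space
        local:
          inline: |-
            -----BEGIN PUBLIC KEY-----
            <PEM formatted public key placeholder>
            -----END PUBLIC KEY-----
        claimsToHeaders:
        - claim: org                # "solo-io" in the sample payload above
          header: x-org
          # false overwrites an x-org header already present on the request
          # instead of appending the verified value to it.
          append: false
```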


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | security.policy.gloo.solo.io.JWTPolicySpec.Config.Provider | | |


Reflects the status of the JWTPolicyStatus

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| global | common.gloo.solo.io.GenericGlobalStatus | | |
| workspaces | []security.policy.gloo.solo.io.JWTPolicyStatus.WorkspacesEntry | repeated | The status of the resource in each workspace that it exists in. |
| selectedRoutes | []common.gloo.solo.io.RouteReference | repeated | Routes selected by the policy |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | common.gloo.solo.io.WorkspaceStatus | | |