Validate JWT Tokens

JWT Plugin

The Enroute JWT filter/plugin can be used to verify JWT tokens in a request. The plugin is a global plugin and is attached to a service. When attached to a service, specific routes can be protected.

The JWT Plugin talks to an external JWKS provider to fetch the keys used for signing the JWT. The external JWKS provider can be an internal service or an external JWKS provider (eg: Okta, Ping Identity, Auth0 etc.)

The plugin performs JWT validation on a Bearer token present in the HTTP header. If the Bearer token JWT doesn’t validate, an error response with a is returned. Signing keys are loaded from a JWK Set that is loaded over HTTPs.

JWT System Diagram

User makes a request [1]
Enroute fetches keys from external JWKs provider (if not cached) [2,3]
Enroute validates the JWT token using these keys
If JWT is valid, request is passed to the backend service [4], else 401 Unauthorized is returned

JWT Filter Configuration

JWT filter configuration needs the following config

An external JWKs provider
- configured as an Upstream for Standalone Gateway
- configured as a Service for Kubernetes Gateway

JWKS Service for Kubernetes JWKS Upstream for Standalone

JWKS Service for Kubernetes	JWKS Upstream for Standalone
`apiVersion: enroute.saaras.io/v1beta1 kind: GatewayHost metadata: labels: app: httpbin name: httpbin namespace: enroute-gw-k8s spec: virtualhost: fqdn: '*' filters: - name: jwt_filter type: http_filter_jwt service: name: jwks_provider protocol: tls port: 443 routes: - match: / services: - name: httpbin port: 80 --- apiVersion: v1 kind: Service metadata: name: jwks_provider namespace: enroute-gw-k8s spec: type: ExternalName externalName: saaras.auth0.com ---`	`UPSTREAM_NAME="jwks_provider" UPSTREAM_TLS_IP="saaras.auth0.com" UPSTREAM_TLS_PORT="443" UPSTREAM_TLS_WEIGHT="100" UPSTREAM_TLS_PROTO="tls" curl -s -X POST localhost:1323/upstream \ -d "upstream_name"="${UPSTREAM_NAME}" \ -d "upstream_ip"="${UPSTREAM_IP}" \ -d "upstream_port"="${UPSTREAM_PORT}" \ -d "upstream_hc_path"="${UPSTREAM_HC_PATH}" \ -d "upstream_protocol"="${UPSTREAM_PROTO}" \ -d "upstream_weight"="${UPSTREAM_WEIGHT}"`

apiVersion: enroute.saaras.io/v1beta1
kind: GatewayHost
metadata:
  labels:
    app: httpbin
  name: httpbin
  namespace: enroute-gw-k8s
spec:
  virtualhost:
    fqdn: '*'
    filters:
      - name: jwt_filter
        type: http_filter_jwt
        service:
          name: jwks_provider
          protocol: tls
          port: 443 
  routes:
    - match: /
      services:
        - name: httpbin
          port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: jwks_provider
  namespace: enroute-gw-k8s
spec:
  type: ExternalName
  externalName: saaras.auth0.com
---

UPSTREAM_NAME="jwks_provider"
UPSTREAM_TLS_IP="saaras.auth0.com"
UPSTREAM_TLS_PORT="443"
UPSTREAM_TLS_WEIGHT="100"
UPSTREAM_TLS_PROTO="tls"

curl -s -X POST localhost:1323/upstream \
    -d "upstream_name"="${UPSTREAM_NAME}" \
    -d "upstream_ip"="${UPSTREAM_IP}" \
    -d "upstream_port"="${UPSTREAM_PORT}" \
    -d "upstream_hc_path"="${UPSTREAM_HC_PATH}" \
    -d "upstream_protocol"="${UPSTREAM_PROTO}" \
    -d "upstream_weight"="${UPSTREAM_WEIGHT}"

JWT Filter config

Field	Description
name	Name of Service that provides JWKS.
jwks_uri	URI Location of keys
audience	Audience for this API
issuer	Issuer for this API
route	A list of route (match conditions) for which JWT validation is enabled
jwt_service_name	Name of the service/upstream configured in previous step to reach jwks uri
jwt_service_port	Port on which this service can be reached
jwt_forward_header_name	Header in which JWT is forwarded to protected service. Leave empty to disable forwarding of JWT

JWT Filter Config Example

{
  "name" : "auth0",
  "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
  "audience" : "api-identifier",
  "issuer" : "https://saaras.auth0.com/",
  "route" : [{"prefix" : "/"}],
  "jwt_service_name" : "auth0",
  "jwt_service_port" : 443,
  "jwt_forward_header_name" : "x-jwt-token"
}

Notes

JWKS Provider Okta

This section describes how Enroute can be configured to use Okta as JWKS provider

Note the authorization server configuration on Okta above. These values are provided to filter config

JWT Filter Config for Kubernetes JWT Filter Config for Standalone

JWT Filter Config for Kubernetes	JWT Filter Config for Standalone
`--- apiVersion: enroute.saaras.io/v1beta1 kind: HttpFilter metadata: name: jwt_filter_okta_k8s namespace: enroute-gw-k8s spec: name: jwt_filter_okta type: http_filter_jwt httpFilterConfig: \| { "name" : "okta", "jwks_uri" : "https://dev-367091.okta.com/oauth2/default/v1/keys", "audience" : "api://default", "issuer" : "https://dev-367091.okta.com/oauth2/default", "route" : [{"prefix" : "/"}], "jwt_service_name" : "okta", "jwt_service_port" : 443, "jwt_forward_header_name" : "x-jwt-token" } ---`	JWT_FILTER_NAME="jwt_filter_okta" JWT_FILITER_TYPE="http_filter_jwt" JWT_CONFIG=' { "name" : "okta", "jwks_uri" : "https://dev-367091.okta.com/oauth2/default/v1/keys", "audience" : "api://default", "issuer" : "https://dev-367091.okta.com/oauth2/default", "route" : [{"prefix" : "/"}], "jwt_service_name" : "okta", "jwt_service_port" : 443, "jwt_forward_header_name" : "x-jwt-token" } ' curl -s -X POST localhost:1323/filter \ -d "filter_name=${JWT_FILTER_NAME}" \ -d "filter_type=${JWT_FILTER_TYPE}" \ -d "filter_config"="${JWT_CONFIG}"

---
apiVersion: enroute.saaras.io/v1beta1
kind: HttpFilter
metadata:
  name: jwt_filter_okta_k8s
  namespace: enroute-gw-k8s
spec:
  name: jwt_filter_okta
  type: http_filter_jwt
  httpFilterConfig: |
   {
     "name" : "okta",
     "jwks_uri" : "https://dev-367091.okta.com/oauth2/default/v1/keys",
     "audience" : "api://default",
     "issuer" : "https://dev-367091.okta.com/oauth2/default",
     "route" : [{"prefix" : "/"}],
     "jwt_service_name" : "okta",
     "jwt_service_port" : 443,
     "jwt_forward_header_name" : "x-jwt-token"
   }
---

JWT_FILTER_NAME="jwt_filter_okta"
JWT_FILITER_TYPE="http_filter_jwt"
JWT_CONFIG='
{
  "name" : "okta",
  "jwks_uri" : "https://dev-367091.okta.com/oauth2/default/v1/keys",
  "audience" : "api://default",
  "issuer" : "https://dev-367091.okta.com/oauth2/default",
  "route" : [{"prefix" : "/"}],
  "jwt_service_name" : "okta",
  "jwt_service_port" : 443,
  "jwt_forward_header_name" : "x-jwt-token"
}
'
curl -s -X POST localhost:1323/filter   \
    -d "filter_name=${JWT_FILTER_NAME}" \
    -d "filter_type=${JWT_FILTER_TYPE}" \
    -d "filter_config"="${JWT_CONFIG}"

JWKS Provider Auth0

This section describes how Enroute can be configured to use Auth0 as JWKS provider

Note the JSON Web key set configuration for Auth0 above. These values are provided to filter config

Note the Domain configuration for auth0 above. These values are provided to filter config

Note the Identifier configuration for auth0 above. These values are provided to filter config

JWT Filter Config for Kubernetes JWT Filter Config for Standalone

JWT Filter Config for Kubernetes	JWT Filter Config for Standalone
`--- apiVersion: enroute.saaras.io/v1beta1 kind: HttpFilter metadata: name: jwt_filter_auth0_k8s namespace: enroute-gw-k8s spec: name: jwt_filter_auth0 type: http_filter_jwt httpFilterConfig: \| { "name" : "auth0", "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json", "audience" : "api-identifier", "issuer" : "https://saaras.auth0.com/", "route" : [{"prefix" : "/"}], "jwt_service_name" : "auth0", "jwt_service_port" : 443, "jwt_forward_header_name" : "x-jwt-token" } ---`	JWT_FILTER_NAME="jwt_filter_auth0" JWT_FILITER_TYPE="http_filter_jwt" JWT_CONFIG=' { "name" : "auth0", "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json", "audience" : "api-identifier", "issuer" : "https://saaras.auth0.com/", "route" : [{"prefix" : "/"}], "jwt_service_name" : "auth0", "jwt_service_port" : 443, "jwt_forward_header_name" : "x-jwt-token" } ' curl -s -X POST localhost:1323/filter \ -d "filter_name=${JWT_FILTER_NAME}" \ -d "filter_type=${JWT_FILTER_TYPE}" \ -d "filter_config"="${JWT_CONFIG}"

---
apiVersion: enroute.saaras.io/v1beta1
kind: HttpFilter
metadata:
  name: jwt_filter_auth0_k8s
  namespace: enroute-gw-k8s
spec:
  name: jwt_filter_auth0
  type: http_filter_jwt
  httpFilterConfig: |
  	{
  	  "name" : "auth0",
  	  "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
  	  "audience" : "api-identifier",
  	  "issuer" : "https://saaras.auth0.com/",
  	  "route" : [{"prefix" : "/"}],
  	  "jwt_service_name" : "auth0",
  	  "jwt_service_port" : 443,
  	  "jwt_forward_header_name" : "x-jwt-token"
  	}
---

JWT_FILTER_NAME="jwt_filter_auth0"
JWT_FILITER_TYPE="http_filter_jwt"
JWT_CONFIG='
{
    "name" : "auth0",
    "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
    "audience" : "api-identifier",
    "issuer" : "https://saaras.auth0.com/",
    "route" : [{"prefix" : "/"}],
    "jwt_service_name" : "auth0",
    "jwt_service_port" : 443,
    "jwt_forward_header_name" : "x-jwt-token"
}
'
curl -s -X POST localhost:1323/filter   \
    -d "filter_name=${JWT_FILTER_NAME}" \
    -d "filter_type=${JWT_FILTER_TYPE}" \
    -d "filter_config"="${JWT_CONFIG}"

JWT Plugin is in private beta

JWT Plugin is currently available in private beta. If you’d like to evaluate it, please get in touch with us.