JWT Plugin
The Enroute JWT filter/plugin verifies JWT tokens in a request. It is a global plugin that is attached to a service. Once it is attached to a service, specific routes can be protected.
The JWT plugin talks to an external JWKS provider to fetch the keys used for signing the JWT. The external JWKS provider can be an internal service or an external JWKS provider (e.g. Okta, Ping Identity, Auth0).
The plugin performs JWT validation on the Bearer token present in the HTTP header. If the Bearer token JWT doesn't validate, an error response with a 401 Unauthorized status is returned. Signing keys are loaded from a JWK Set that is fetched over HTTPS.
JWT System Diagram

- User makes a request [1]
- Enroute fetches keys from the external JWKS provider (if not cached) [2,3]
- Enroute validates the JWT token using these keys
- If JWT is valid, request is passed to the backend service [4], else 401 Unauthorized is returned
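When a request comes back with 401, the claim checks that need no key material can be reproduced offline. The sketch below is an added example, not Enroute code: it compares a token's `kid`, `iss`, `aud` and `exp` with the issuer and audience from the Auth0 filter config on this page, assuming exact string comparison of the issuer. `preflight`, `make_token`, the JWKS stub and the token values are constructed for illustration, and the signature check against the JWKS is still left to the gateway.

```python
import base64
import json

# Issuer and audience from the Auth0 filter config on this page.
FILTER_CFG = {"issuer": "https://saaras.auth0.com/", "audience": "api-identifier"}
# Constructed JWK Set stub: only the kid is used, key material is omitted.
JWKS = {"keys": [{"kid": "constructed-kid-1", "kty": "RSA", "alg": "RS256"}]}


def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _dec(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def make_token(header, claims):
    """Build a constructed token with a dummy signature segment (never valid)."""
    return f"{_enc(header)}.{_enc(claims)}.c2ln"


def preflight(token, cfg, jwks, now):
    """Claim checks only; the signature check against the JWKS is not done here."""
    try:
        head_b64, body_b64, _sig = token.split(".")
        header, claims = _dec(head_b64), _dec(body_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("segments are not JSON objects")
    except ValueError:
        return ["malformed: not three base64url JSON segments"]
    reasons = []
    kid = header.get("kid")
    if kid is not None and kid not in {k.get("kid") for k in jwks["keys"]}:
        reasons.append("kid: no key with this id in the JWK Set")
    if claims.get("iss") != cfg["issuer"]:
        reasons.append(f"iss: {claims.get('iss')!r} != {cfg['issuer']!r}")
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        reasons.append(f"aud: {aud!r} does not include {cfg['audience']!r}")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        reasons.append("exp: token has expired")
    return reasons


if __name__ == "__main__":
    stale = make_token({"alg": "RS256", "kid": "rotated-away"},
                       {"iss": "https://saaras.auth0.com", "aud": "other-api", "exp": 500})
    print(preflight(stale, FILTER_CFG, JWKS, now=1000))
```

The constructed token differs from the configured issuer only by the trailing slash, which is enough for the `iss` comparison to fail.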
JWT Filter Configuration
The JWT filter needs the following configuration:
- An external JWKS provider
  - configured as an Upstream for Standalone Gateway
  - configured as a Service for Kubernetes Gateway
JWKS Service for Kubernetes

```yaml
apiVersion: enroute.saaras.io/v1
kind: GatewayHost
metadata:
  labels:
    app: httpbin
  name: httpbin
  namespace: enroute-gw-k8s
spec:
  virtualhost:
    fqdn: '*'
    filters:
      # JWT filter and the service used to reach the JWKS provider over TLS
      - name: jwt_filter
        type: http_filter_jwt
        service:
          name: jwks_provider
          protocol: tls
          port: 443
  routes:
    - match: /
      services:
        - name: httpbin
          port: 80
---
# ExternalName service that points at the JWKS provider
apiVersion: v1
kind: Service
metadata:
  name: jwks_provider
  namespace: enroute-gw-k8s
spec:
  type: ExternalName
  externalName: saaras.auth0.com
---
```

JWKS Upstream for Standalone

```bash
UPSTREAM_NAME="jwks_provider"
UPSTREAM_TLS_IP="saaras.auth0.com"
UPSTREAM_TLS_PORT="443"
UPSTREAM_TLS_WEIGHT="100"
UPSTREAM_TLS_PROTO="tls"

# Create the upstream for the JWKS provider on the standalone gateway.
# UPSTREAM_HC_PATH is not set in this example, so an empty health-check path is sent.
curl -s -X POST localhost:1323/upstream \
  -d "upstream_name=${UPSTREAM_NAME}" \
  -d "upstream_ip=${UPSTREAM_TLS_IP}" \
  -d "upstream_port=${UPSTREAM_TLS_PORT}" \
  -d "upstream_hc_path=${UPSTREAM_HC_PATH}" \
  -d "upstream_protocol=${UPSTREAM_TLS_PROTO}" \
  -d "upstream_weight=${UPSTREAM_TLS_WEIGHT}"
```

| Field | Description |
|---|---|
| name | Name of Service that provides JWKS. |
| jwks_uri | URI location of keys |
| audience | Audience for this API |
| issuer | Issuer for this API |
| route | A list of routes (match conditions) for which JWT validation is enabled |
| jwt_service_name | Name of the service/upstream configured in the previous step to reach the JWKS URI |
| jwt_service_port | Port on which this service can be reached |
| jwt_forward_header_name | Header in which the JWT is forwarded to the protected service. Leave empty to disable forwarding of the JWT |

JWT Filter Config Example
```json
{
  "name" : "auth0",
  "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
  "audience" : "api-identifier",
  "issuer" : "https://saaras.auth0.com/",
  "route" : [{"prefix" : "/"}],
  "jwt_service_name" : "auth0",
  "jwt_service_port" : 443,
  "jwt_forward_header_name" : "x-jwt-token"
}
```
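
A filter config can be checked against the field descriptions above before it is posted to the gateway. The following is an added example, not part of Enroute: `lint_jwt_filter` and its `upstream_names` argument (the names of services/upstreams already configured) are hypothetical, and the weak variant is constructed.

```python
import json
from urllib.parse import urlsplit

# The Auth0 filter config from this page, embedded so the example runs offline.
AUTH0_CONFIG = json.loads("""{
  "name": "auth0",
  "jwks_uri": "https://saaras.auth0.com/.well-known/jwks.json",
  "audience": "api-identifier",
  "issuer": "https://saaras.auth0.com/",
  "route": [{"prefix": "/"}],
  "jwt_service_name": "auth0",
  "jwt_service_port": 443,
  "jwt_forward_header_name": "x-jwt-token"
}""")
DEFAULT_PORTS = {"https": 443, "http": 80}


def lint_jwt_filter(cfg, upstream_names):
    """Hypothetical pre-deployment check; returns a list of findings."""
    findings = []
    uri = urlsplit(cfg.get("jwks_uri", ""))
    if uri.scheme != "https":
        findings.append("jwks_uri: not https, signing keys can be replaced in transit")
    if (uri.port or DEFAULT_PORTS.get(uri.scheme)) != cfg.get("jwt_service_port"):
        findings.append("jwt_service_port: differs from the port in jwks_uri")
    if cfg.get("jwt_service_name") not in upstream_names:
        findings.append("jwt_service_name: no service/upstream with this name")
    for field in ("audience", "issuer"):
        if not cfg.get(field):
            findings.append(f"{field}: empty, nothing to compare the token claim against")
    prefixes = [r.get("prefix") for r in cfg.get("route", [])]
    if not prefixes:
        findings.append("route: empty, JWT validation is enabled for no route")
    elif "/" not in prefixes:
        findings.append(f"route: only {prefixes} are validated, other paths are not")
    return findings


if __name__ == "__main__":
    # Constructed weak variant: plain-HTTP key fetch, no audience, narrow route.
    weak = dict(AUTH0_CONFIG, jwks_uri="http://saaras.auth0.com/.well-known/jwks.json",
                audience="", route=[{"prefix": "/api"}])
    for name, cfg in (("page config", AUTH0_CONFIG), ("weak variant", weak)):
        print(name, lint_jwt_filter(cfg, upstream_names={"auth0"}) or "no findings")
```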
Notes
JWKS Provider Okta
This section describes how Enroute can be configured to use Okta as the JWKS provider.

Note the authorization server configuration on Okta above. These values are provided to the filter config.
JWT Filter Config for Kubernetes

```yaml
---
apiVersion: enroute.saaras.io/v1
kind: HttpFilter
metadata:
  name: jwt_filter_okta_k8s
  namespace: enroute-gw-k8s
spec:
  name: jwt_filter_okta
  type: http_filter_jwt
  # Filter config is passed as a JSON string
  httpFilterConfig: |
    {
      "name" : "okta",
      "jwks_uri" : "https://dev-367091.okta.com/oauth2/default/v1/keys",
      "audience" : "api://default",
      "issuer" : "https://dev-367091.okta.com/oauth2/default",
      "route" : [{"prefix" : "/"}],
      "jwt_service_name" : "okta",
      "jwt_service_port" : 443,
      "jwt_forward_header_name" : "x-jwt-token"
    }
---
```

JWT Filter Config for Standalone

```bash
JWT_FILTER_NAME="jwt_filter_okta"
JWT_FILTER_TYPE="http_filter_jwt"
JWT_CONFIG='
{
  "name" : "okta",
  "jwks_uri" : "https://dev-367091.okta.com/oauth2/default/v1/keys",
  "audience" : "api://default",
  "issuer" : "https://dev-367091.okta.com/oauth2/default",
  "route" : [{"prefix" : "/"}],
  "jwt_service_name" : "okta",
  "jwt_service_port" : 443,
  "jwt_forward_header_name" : "x-jwt-token"
}
'

# Create the JWT filter on the standalone gateway
curl -s -X POST localhost:1323/filter \
  -d "filter_name=${JWT_FILTER_NAME}" \
  -d "filter_type=${JWT_FILTER_TYPE}" \
  -d "filter_config=${JWT_CONFIG}"
```

JWKS Provider Auth0
This section describes how Enroute can be configured to use Auth0 as the JWKS provider.

Note the JSON Web Key Set configuration for Auth0 above. These values are provided to the filter config.

Note the Domain configuration for Auth0 above. These values are provided to the filter config.

Note the Identifier configuration for Auth0 above. These values are provided to the filter config.
JWT Filter Config for Kubernetes

```yaml
---
apiVersion: enroute.saaras.io/v1
kind: HttpFilter
metadata:
  name: jwt_filter_auth0_k8s
  namespace: enroute-gw-k8s
spec:
  name: jwt_filter_auth0
  type: http_filter_jwt
  # Filter config is passed as a JSON string
  httpFilterConfig: |
    {
      "name" : "auth0",
      "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
      "audience" : "api-identifier",
      "issuer" : "https://saaras.auth0.com/",
      "route" : [{"prefix" : "/"}],
      "jwt_service_name" : "auth0",
      "jwt_service_port" : 443,
      "jwt_forward_header_name" : "x-jwt-token"
    }
---
```

JWT Filter Config for Standalone

```bash
JWT_FILTER_NAME="jwt_filter_auth0"
JWT_FILTER_TYPE="http_filter_jwt"
JWT_CONFIG='
{
  "name" : "auth0",
  "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
  "audience" : "api-identifier",
  "issuer" : "https://saaras.auth0.com/",
  "route" : [{"prefix" : "/"}],
  "jwt_service_name" : "auth0",
  "jwt_service_port" : 443,
  "jwt_forward_header_name" : "x-jwt-token"
}
'

# Create the JWT filter on the standalone gateway
curl -s -X POST localhost:1323/filter \
  -d "filter_name=${JWT_FILTER_NAME}" \
  -d "filter_type=${JWT_FILTER_TYPE}" \
  -d "filter_config=${JWT_CONFIG}"
```