Validate JWT Tokens

EnRoute Technical Reference

JWT Plugin

The Enroute JWT filter/plugin verifies JWT tokens carried in a request. It is a global plugin that is attached to a service; once attached, specific routes of that service can be protected.

The JWT plugin talks to an external JWKS provider to fetch the keys used to sign the JWT. The JWKS provider can be an internal service or an external identity provider (e.g. Okta, Ping Identity, Auth0).

The plugin validates the JWT presented as a Bearer token in the HTTP header. If the JWT does not validate, an error response with a 401 Unauthorized status is returned. Signing keys are loaded from a JWK Set fetched over HTTPS.

JWT System Diagram

[Diagram: Enroute JWKS flow]
  • User makes a request [1]
  • Enroute fetches keys from the external JWKS provider (if not cached) [2,3]
  • Enroute validates the JWT using these keys
  • If the JWT is valid, the request is passed to the backend service [4]; otherwise 401 Unauthorized is returned

JWT Filter Configuration

JWT filter configuration needs the following:

  • An external JWKS provider
    • configured as an Upstream for the Standalone Gateway
    • configured as a Service for the Kubernetes Gateway

JWKS Service for Kubernetes

apiVersion: enroute.saaras.io/v1
kind: GatewayHost
metadata:
  labels:
    app: httpbin
  name: httpbin
  namespace: enroute-gw-k8s
spec:
  virtualhost:
    fqdn: '*'
  routes:
    - match: /
      services:
        - name: httpbin
          port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: jwks_provider
  namespace: enroute-gw-k8s
spec:
  type: ExternalName
  externalName: saaras.auth0.com
---

JWKS Upstream for Standalone

# Variable names must match the ones used in the curl call below.
UPSTREAM_NAME="jwks_provider"
UPSTREAM_IP="saaras.auth0.com"
UPSTREAM_PORT="443"
UPSTREAM_WEIGHT="100"
UPSTREAM_PROTO="tls"
UPSTREAM_HC_PATH=""   # health-check path is optional; left unset here

curl -s -X POST localhost:1323/upstream \
    -d "upstream_name=${UPSTREAM_NAME}" \
    -d "upstream_ip=${UPSTREAM_IP}" \
    -d "upstream_port=${UPSTREAM_PORT}" \
    -d "upstream_hc_path=${UPSTREAM_HC_PATH}" \
    -d "upstream_protocol=${UPSTREAM_PROTO}" \
    -d "upstream_weight=${UPSTREAM_WEIGHT}"

  • JWT Filter config

Field                      Description
name                       Name of the service that provides the JWKS.
jwks_uri                   URI location of the keys.
audience                   Audience for this API.
issuer                     Issuer for this API.
jwt_service_name           Name of the service/upstream configured in the previous step, used to reach the jwks_uri.
jwt_service_port           Port on which this service can be reached.
jwt_forward_header_name    Header in which the JWT is forwarded to the protected service. Leave empty to disable forwarding of the JWT.
route                      A list of route match conditions (prefix) for which JWT validation is enabled.

JWKS Provider Auth0

This section describes how Enroute can be configured to use Auth0 as the JWKS provider.

[Screenshot: Auth0 JSON Web Key Set configuration]

Note the JSON Web Key Set configuration for Auth0 shown above. This value is provided to the filter config as jwks_uri.

[Screenshot: Auth0 Domain configuration]

Note the Domain configuration for Auth0 shown above. This value is provided to the filter config as the issuer.

[Screenshot: Auth0 API Identifier configuration]

Note the Identifier configuration for Auth0 shown above. This value is provided to the filter config as the audience.

JWT Filter Config for Kubernetes

---
apiVersion: enroute.saaras.io/v1
kind: HttpFilter
metadata:
  labels:
    app: httpbin-app
  name: httpbin-80-jwtfilter
  namespace: httpbin
spec:
  httpFilterConfig:
    config: |
      {
        "name" : "auth0",
        "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
        "audience" : "api-identifier",
        "issuer" : "https://saaras.auth0.com/",
        "route" : [{"prefix" : "/"}],
        "jwt_service_name" : "auth0",
        "jwt_service_port" : 443,
        "jwt_forward_header_name" : "x-jwt-token"
      }
  name: httpbin-80-jwtfilter
  services:
    name: httpbin-80-externalauth
    port: 443
    protocol: tls
  type: http_filter_jwt

JWT Filter Config for Standalone

JWT_FILTER_NAME="jwt_filter_auth0"
JWT_FILTER_TYPE="http_filter_jwt"
JWT_CONFIG='
{
    "name" : "auth0",
    "jwks_uri" : "https://saaras.auth0.com/.well-known/jwks.json",
    "audience" : "api-identifier",
    "issuer" : "https://saaras.auth0.com/",
    "route" : [{"prefix" : "/"}],
    "jwt_service_name" : "auth0",
    "jwt_service_port" : 443,
    "jwt_forward_header_name" : "x-jwt-token"
}
'
curl -s -X POST localhost:1323/filter \
    -d "filter_name=${JWT_FILTER_NAME}" \
    -d "filter_type=${JWT_FILTER_TYPE}" \
    -d "filter_config=${JWT_CONFIG}"

Notes

JWT is a community plugin.

The JWT plugin is a global HttpFilter. It sets configuration on the Listener and, once defined, applies to all GatewayHosts.