JWT verifiers
Sometimes, it can be pretty useful to verify Jwt tokens coming from other provider on some services. Otoroshi provides a tool to do that per service.
Name: name of the JWT verifierDescription: a simple descriptionStrict: if not strict, request without JWT token will be allowed to pass. This option is helpful when you want to force the presence of tokens in each request on a specific serviceTags: list of tags associated to the moduleMetadata: list of metadata associated to the module
Each JWT verifier is configurable in three steps : the location where find the token in incoming requests, the validation step to check the signature and the presence of claims in tokens, and the last step, named Strategy.
Token location
An incoming token can be found in three places.
In query string
Source: JWT token location in query stringQuery param name: the name of the query param where JWT is located
In a header
Source: JWT token location in a headerHeader name: the name of the header where JWT is locatedRemove value: when the token is read, this value will be remove of header value (example: if the header value is Bearer xxxx, the remove value could be Bearer don’t forget the space at the end of the string)
In a cookie
Source: JWT token location in a cookieCookie name: the name of the cookie where JWT is located
Token validation
This section is used to verify the extracted token from specified location.
Algo.: What kind of algorithm you want to use to verify/sign your JWT token with
According to the selected algorithm, the validation form will change.
Hmac + SHA
SHA Size: Word size for the SHA-2 hash function usedHmac secret: used to verify the tokenBase64 encoded secret: if enabled, the extracted token will be base64 decoded before it is verifier
RSASSA-PKCS1 + SHA
SHA Size: Word size for the SHA-2 hash function usedPublic key: the RSA public keyPrivate key: the RSA private key that can be empty if not used for JWT token signing
ECDSA + SHA
SHA Size: Word size for the SHA-2 hash function usedPublic key: the ECDSA public keyPrivate key: the ECDSA private key that can be empty if not used for JWT token signing
RSASSA-PKCS1 + SHA from KeyPair
SHA Size: Word size for the SHA-2 hash function usedKeyPair: used to sign/verify token. The displayed list represents the key pair registered in the Certificates page
ECDSA + SHA from KeyPair
SHA Size: Word size for the SHA-2 hash function usedKeyPair: used to sign/verify token. The displayed list represents the key pair registered in the Certificates page
Otoroshi KeyPair from token kid (only for verification)
Use only exposed keypairs: if enabled, Otoroshi will only use the key pairs that are exposed on the well-known. If disabled, it will search on any registered key pairs.
JWK Set (only for verification)
URL: the JWK set URL where the public keys are exposedHTTP call timeout: timeout for fetching the keysetTTL: cache TTL for the keysetHTTP Headers: the HTTP headers passedKey type: type of the key searched in the jwks
TLS settings for JWKS fetching
Custom TLS Settings: TLS settings for JWKS fetchingTLS loose: if enabled, will block all untrustful ssl configsTrust all: allows any server certificates even the self-signed onesClient certificates: list of client certificates used to communicate with JWKS serverTrusted certificates: list of trusted certificates received from JWKS server
Proxy
Proxy host: host of proxy behind the identify providerProxy port: port of proxy behind the identify providerProxy principal: user of proxyProxy password: password of proxy
Strategy
The first step is to select the verifier strategy. Otoroshi supports 4 types of JWT verifiers:
Default JWT tokenwill add a token if no present.Verify JWT tokenwill only verifiy token signing and fields values if provided.Verify and re-sign JWT tokenwill verify the token and will re-sign the JWT token with the provided algo. settings.Verify, re-sign and transform JWT tokenwill verify the token, re-sign and will be able to transform the token.
All verifiers has the following properties:
Verify token fields: when the JWT token is checked, each field specified here will be verified with the provided valueVerify token array value: when the JWT token is checked, each field specified here will be verified if the provided value is contained in the array
Default JWT token
Strict: if token is already present, the call will failDefault value: list of claims of the generated token. These fields support raw values or language expressions. See the documentation about the expression language
Verify JWT token
No specific values needed. This kind of verifier needs only the two fields Verify token fields and Verify token array value.
Verify and re-sign JWT token
When Verify and re-sign JWT token is chosen, the Re-sign settings appear. All fields of Re-sign settings are the same of the Token validation section. The only difference is that the values are used to sign the new token and not to validate the token.
Verify, re-sign and transform JWT token
When Verify, re-sign and transform JWT token is chosen, the Re-sign settings and Transformation settings appear.
The Re-sign settings are used to sign the new token and has the same fields than the Token validation section.
For the Transformation settings section, the fields are:
Token location: the location where to find/set the JWT tokenHeader name: the name of the header where JWT is locatedPrepend value: remove a value inside the header valueRename token fields: when the JWT token is transformed, it is possible to change a field name, just specify origin field name and target field nameSet token fields: when the JWT token is transformed, it is possible to add new field with static values, just specify field name and valueRemove token fields: when the JWT token is transformed, it is possible to remove fields