JWT
microgateway.airlock.com/v1alpha1
JWT configures client authentication via a JSON Web Token.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: JWT
metadata:
  name: jwt-example
spec:
  extractionSources:
    - bearerToken: {}
    - cookie:
        name: creds
  requireAny:
    - jwksRef:
        name: example-jwks
      issuer: https://token.example.com
      audiences:
        - bookstore_web.apps.example.com
      subject:
        matcher:
          prefix: spiffe://spiffe.example.com/
  expirationRequired: true
  maxLifetime: 24h
  clockSkewTolerance: 10s
```

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: JWT
metadata:
  name: default
```
JWT
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. | yes | | |
spec | object | Specification of the JWT authentication. | yes | | |
JWT.spec
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
clockSkewTolerance | string | ClockSkewTolerance specifies the maximum allowed clock skew when verifying JWT time constraints (such as exp or nbf). | no | 60s | See link |
expirationRequired | bool | ExpirationRequired specifies whether the exp claim is mandatory. If set to true and the extracted JWT does not contain a valid exp claim, the request will be blocked. | yes | | true, false |
extractionSources | object[] | ExtractionSources defines possible JWT sources. The JWT is extracted from the first source (in list order) that is present in the request. If not specified, the JWT is extracted from the Authorization (Bearer) header. | no | | |
maxLifetime | string | MaxLifetime specifies the maximum allowed token lifetime. If set, JWTs with a lifetime (exp - nbf, or exp - iat if no nbf) greater than this value and JWTs without the necessary claims (exp and nbf or iat) will be considered invalid and the corresponding request will be blocked. | no | See link | |
requireAny | object[] | RequireAny defines a list of requirements of which at least one must be satisfied by the extracted JWT. A JWT satisfies a requirement (list entry) if it is verifiable by the entry's JWKS and matches all additional specified matchers (e.g. issuer, audiences). | yes | | |
JWT.spec.extractionSources[]
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
bearerToken | object | BearerToken specifies to extract the bearer token from the Authorization header. | no | | |
cookie | object | Cookie from which to extract the token. | no | | |
header | object | Header from which to extract the token. | no | | |
queryParameter | object | QueryParameter from which to extract the token. | no | | |
JWT.spec.extractionSources[].cookie
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the cookie. | yes | | |
JWT.spec.extractionSources[].header
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the header (case-insensitive). | yes | | |
JWT.spec.extractionSources[].queryParameter
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the parameter. | yes | | |
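The source-selection rule above (first listed source present in the request wins, Bearer header when nothing is configured) written out in Python as an added example; this is not Airlock's code, and the request is modelled as a plain header dict plus the request path, both constructed here.

```python
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DEFAULT_SOURCES = [{"bearerToken": {}}]  # page default when extractionSources is unset

def extract_jwt(sources: Optional[list], headers: dict, path: str) -> Optional[str]:
    """Return the token from the first source (in list order) present in the request.

    headers: request headers, names compared case-insensitively (as for 'header').
    path: request target including the query string (for 'queryParameter').
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    for src in sources or DEFAULT_SOURCES:
        if "bearerToken" in src:
            scheme, _, token = hdrs.get("authorization", "").partition(" ")
            if scheme.lower() == "bearer" and token.strip():  # other schemes are not a JWT source
                return token.strip()
        elif "cookie" in src:
            jar = SimpleCookie(hdrs.get("cookie", ""))
            morsel = jar.get(src["cookie"]["name"])
            if morsel is not None:
                return morsel.value
        elif "header" in src:
            value = hdrs.get(src["header"]["name"].lower())
            if value:
                return value
        elif "queryParameter" in src:
            params = parse_qs(urlsplit(path).query)
            name = src["queryParameter"]["name"]
            if name in params:
                return params[name][0]
    return None  # no configured source present: no token to verify
```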
JWT.spec.requireAny[]
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
audiences | string[] | Audiences specifies the accepted token audiences. If specified, the JWT's aud claim must contain at least one of these audiences. | no | | |
issuer | string | Issuer specifies the accepted issuer. If specified, the JWT's iss claim must match this value. | no | | |
jwksRef | object | JWKSRef selects the JWKS used to verify the token signature. | yes | | |
subject | object | Subject matches the accepted token subjects. If specified, the JWT's sub claim must match. | no | | |
JWT.spec.requireAny[].jwksRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource. | yes | | |
JWT.spec.requireAny[].subject
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
matcher | object | Matcher applied to the JWT's sub claim. | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
JWT.spec.requireAny[].subject.matcher
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
contains | string | Contains defines a substring match on the substring specified here. An empty contains match is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
exact | string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
ignoreCase | bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | no | false | true, false |
prefix | string | Prefix defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
regex | string | Regex defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |
suffix | string | Suffix defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | no | | |