JWT Authentication
This guide shows how to enforce client authentication with JSON Web Tokens (JWTs) in Airlock Microgateway. Microgateway retrieves a JWT from the request, validates it using the configured JWKS and JWT settings, and then applies access control rules (optionally including claim checks).
JWT authentication is configured by connecting these resources:
JWKS: provides the public keys used to verify the JWT signature (either from a local Secret or a remote JWKS endpoint).JWT: defines where the token is extracted from and what makes a token acceptable (JWKS, issuer, audiences, subject, lifetime constraints).AccessControlPolicy: attaches to anHTTPRoute, enforces JWT authentication viaauthentication.jwt.jwtRef, and optionally authorizes requests based on JWT claims.
Prerequisites
- A Gateway Deployment.
- An
HTTPRouterouting traffic to your application/API (JWT authentication is attached viaAccessControlPolicy.spec.targetRefs[].HTTPRoute). - A JWT issuer that provides tokens and exposes signing keys (e.g., via a JWKS endpoint), or signing keys available as a local JWKS file.
Configuration
Create a JWKS resource
Create a JWKS CR that provides the keys used to verify JWT signatures. You can source JWKS either:
- from a local Secret (key
jwks.json), or - from a remote endpoint (
spec.provider.remote.uri) with optional TLS verification settings and timeouts. - Risk
Disabling certificate verification for a remote JWKS endpoint is insecure.
- In production, always use certificate verification; disable it only for testing.
Example with remote JWKS endpoint:
Create a JWT resource
Create a JWT CR. It defines:
- Extraction sources (
spec.extractionSources): - This configures the locations Microgateway uses to retrieve the JWT, which is extracted from the first source (in list order) that is present. If
extractionSourcesis not specified, Microgateway extracts the JWT from theAuthorization: Bearer ... header.
- This configures the locations Microgateway uses to retrieve the JWT, which is extracted from the first source (in list order) that is present. If
- Acceptance requirements (
spec.requireAny) - At least one requirement entry must be satisfied. A JWT satisfies an entry if it can be verified by the entry’s JWKS and matches the configured constraints (e.g., issuer and audiences).
- At least one requirement entry must be satisfied. A JWT satisfies an entry if it is verifiable by the entry’s
jwksRefand matches all additional specified matchers (e.g.,issuer,audiences, andsubject).
- Time constraints:
expirationRequiredcontrols whether theexpclaim is mandatory. IfexpirationRequiredistrueandexpis missing or invalid, JWT validation fails.maxLifetimelimits the JWT lifetime (exp/nbforexp-iat). JWTs that are missing the required claims become invalid.clockSkewToleranceallows limited clock skew when validatingexpandnbf.
Example:
Create an AccessControlPolicy resource to enforce JWT authentication
Attach an AccessControlPolicy to your HTTPRoute and configure the following settings:
authentication.jwt.jwtRef.nameto select theJWTconfiguration to apply.- Optional claim-based authorization under
authorization.requireAll/authorization.requireAnyusingjwt.claim matchers.
Note that claim value matching is only supported for primitive types (or arrays of primitives). Unsupported claim types (e.g., objects) never match.
Example
Validation
- Send a request without a JWT to a protected path (e.g.,
/api/...). - Expected result:
The request is rejected according to your policy configuration.
- Expected result:
- Send a request with a JWT that satisfies the configured requirements (JWKS verification plus issuer/audience/subject match and time constraints).
- Expected result:
The request passes authentication, and (if configured) claim-based authorization grants access.
- Expected result:
Troubleshooting
If the provided JWKS is invalid (e.g., due to syntax errors), the following will occur:
- Microgateway Engine logs an error in the application log.
- JWT validation fails.
- Requests are blocked.