JWT
microgateway.airlock.com/v1alpha1
JWT defines client authentication via a JSON Web Token.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: JWT
metadata:
  name: jwt-example
spec:
  extractionSources:
    - bearerToken: {}
    - cookie:
        name: creds
  requireAny:
    - jwksRef:
        name: example-jwks
      issuer: https://token.example.com
      audiences:
        - bookstore_web.apps.example.com
      subject:
        matcher:
          prefix: spiffe://spiffe.example.com/
  expirationRequired: true
  maxLifetime: 24h
  clockSkewTolerance: 10s
```
JWT
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | | |
| spec | defines the desired JWT authentication configuration. | object | yes | | |
JWT.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clockSkewTolerance | specifies the maximum allowed clock skew when verifying JWT time constraints (such as exp or nbf). | string | no | 60s | See link |
| expirationRequired | specifies whether the exp claim is mandatory. If set to true and the extracted JWT does not contain a valid exp claim, the request is blocked. | bool | yes | | true, false |
| extractionSources | defines possible JWT sources. The JWT is extracted from the first source (in list order) that is present in the request. If not specified, the JWT is extracted from the Authorization (Bearer) header. | object[] | no | | |
| maxLifetime | specifies the maximum allowed token lifetime. If set, JWTs with a lifetime (exp - nbf, or exp - iat if no nbf) greater than this value, and JWTs without the claims needed to compute it (exp together with nbf or iat), are considered invalid and the corresponding request is blocked. | string | no | | See link |
| requireAny | defines a list of requirements of which at least one must be satisfied by the extracted JWT. A JWT satisfies a requirement (list entry) if it is verifiable by the entry’s JWKS and matches all additional matchers specified in that entry (e.g. issuer, audiences, subject). | object[] | yes | | |
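The following Python is an added example, not code from Airlock Microgateway: it models the extraction order and the three time-related fields of spec exactly as the table describes them, so the interplay of clockSkewTolerance, expirationRequired and maxLifetime can be tried on constructed claim sets. The request dict layout, the Go-style duration grammar (`60s`, `24h`, `1h30m`), the function names and the way skew is applied (exp is extended by the tolerance, nbf is moved earlier by it) are assumptions of the example; the page only states that skew is tolerated when checking exp and nbf.

```python
import re

# Duration strings as written in the manifest ("60s", "24h", "1h30m").
# The grammar the gateway accepts is only linked from the page; this
# Go-style parser is an assumption of the example.
_DURATION_RE = re.compile(r"(\d+)(ms|h|m|s)")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}


def parse_duration(text):
    """Return the number of seconds for a duration string such as '24h'."""
    if not text or _DURATION_RE.sub("", text):
        raise ValueError(f"invalid duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(text))


def extract_token(request, sources):
    """Return the first token found, walking spec.extractionSources in order.

    `request` is a constructed dict with 'headers', 'cookies' and 'query'
    sub-dicts; header names are compared case-insensitively."""
    if not sources:                       # CRD default: Authorization: Bearer
        sources = [{"bearerToken": {}}]
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    for source in sources:
        if "bearerToken" in source:
            value = headers.get("authorization", "")
            if value.lower().startswith("bearer "):
                return value[7:].strip()
        elif "cookie" in source:
            token = request.get("cookies", {}).get(source["cookie"]["name"])
            if token:
                return token
        elif "header" in source:
            token = headers.get(source["header"]["name"].lower())
            if token:
                return token
        elif "queryParameter" in source:
            token = request.get("query", {}).get(source["queryParameter"]["name"])
            if token:
                return token
    return None                           # no source present: no JWT


def check_time_constraints(claims, now, spec):
    """Apply expirationRequired, clockSkewTolerance and maxLifetime.

    Returns None when the token passes, otherwise the reason it is blocked.
    `now` and the claims are Unix timestamps in seconds."""
    skew = parse_duration(spec.get("clockSkewTolerance", "60s"))
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")

    if spec["expirationRequired"] and exp is None:
        return "exp claim missing"
    if exp is not None and now > exp + skew:        # skew applied as assumed above
        return "token expired"
    if nbf is not None and now < nbf - skew:
        return "token not yet valid"

    max_lifetime = spec.get("maxLifetime")
    if max_lifetime is not None:
        start = nbf if nbf is not None else iat      # exp - nbf, or exp - iat
        if exp is None or start is None:
            return "maxLifetime set but exp and nbf/iat not all present"
        if exp - start > parse_duration(max_lifetime):
            return "token lifetime exceeds maxLifetime"
    return None
```

Note that with maxLifetime set, a token carrying only exp is rejected even though it is not expired: the lifetime cannot be computed without nbf or iat, and the table says such tokens are treated as invalid.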
JWT.spec.extractionSources[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bearerToken | specifies that the token is extracted from the Authorization header (Bearer scheme). | object | no | {} | |
| cookie | specifies the cookie from which to extract the token. | object | no | | |
| header | specifies the header from which to extract the token. | object | no | | |
| queryParameter | specifies the query parameter from which to extract the token. | object | no | | |
JWT.spec.extractionSources[].cookie
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the cookie. | string | yes | | |
JWT.spec.extractionSources[].header
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the header (case-insensitive). | string | yes | | |
JWT.spec.extractionSources[].queryParameter
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the query parameter. | string | yes | | |
JWT.spec.requireAny[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| audiences | specifies the accepted token audiences. If specified, the JWT’s aud claim must contain at least one of these audiences. | string[] | no | | |
| issuer | specifies the accepted issuer. If specified, the JWT’s iss claim must match this value. | string | no | | |
| jwksRef | selects the JWKS used to verify the token signature. | object | yes | | |
| subject | matches the accepted token subjects. If specified, the JWT’s sub claim must match. | object | no | | |
JWT.spec.requireAny[].jwksRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the referenced JWKS resource. | string | yes | | |
JWT.spec.requireAny[].subject
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the sub claim is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
JWT.spec.requireAny[].subject.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
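The Python below is an added example (not Airlock Microgateway code) that serves both the requireAny table and this matcher table: it evaluates a list of requireAny entries against a compact JWS, with the signature check against the referenced JWKS first and the issuer, audiences and subject matchers applied only to a token that verifies, and it implements the five subject matchers including the `(?i:...)` wrapping for ignoreCase and the single-line default for regex. Assumptions of the example: signatures are HS256 over symmetric `oct` JWKs so the block runs on the standard library alone (the gateway's real JWKS is whatever the referenced resource provides; key selection by `kid` and rejection of any other `alg` are the points modelled), regex is applied as a whole-string match (Python's `re` is used in place of RE2), the `aud` claim may be a string or an array per RFC 7519, and all names, keys and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_jws(token, jwks):
    """Return the claims if `token` is signed by a key in `jwks`, else None.

    Assumption: HS256 with 'oct' keys. The key is chosen by kid, any other
    alg (including 'none') is rejected, and the result is all-or-nothing."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None
    for key in jwks.get("keys", []):
        if key.get("kty") != "oct" or key.get("kid") != header.get("kid"):
            continue
        expected = hmac.new(b64url_decode(key["k"]),
                            f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def match_subject(matcher, subject):
    """Apply a subject matcher: exactly one of contains/exact/prefix/suffix/regex."""
    kinds = [k for k in ("contains", "exact", "prefix", "suffix", "regex") if k in matcher]
    if len(kinds) != 1:
        raise ValueError("exactly one of contains, exact, prefix, suffix, regex must be set")
    kind, pattern = kinds[0], matcher[kinds[0]]
    if kind != "regex" and pattern == "":
        raise ValueError(f"empty {kind} is not allowed, use regex instead")
    ignore_case = matcher.get("ignoreCase", False)
    if kind == "regex":
        # ignoreCase wraps the expression in (?i:...) as the table states; '.'
        # does not cross newlines unless the user prepends (?s), which holds for
        # Python's re as for RE2. Whole-string matching is an assumption.
        return re.fullmatch(f"(?i:{pattern})" if ignore_case else pattern, subject) is not None
    a, b = (subject.lower(), pattern.lower()) if ignore_case else (subject, pattern)
    return {"contains": b in a, "exact": a == b,
            "prefix": a.startswith(b), "suffix": a.endswith(b)}[kind]


def satisfies(requirement, token, jwks_by_name):
    """One requireAny entry: signature by its JWKS plus every matcher it sets."""
    claims = verify_jws(token, jwks_by_name[requirement["jwksRef"]["name"]])
    if claims is None:
        return False
    if "issuer" in requirement and claims.get("iss") != requirement["issuer"]:
        return False
    if "audiences" in requirement:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud   # string or array (RFC 7519)
        if not set(aud) & set(requirement["audiences"]):
            return False
    if "subject" in requirement and not match_subject(
            requirement["subject"]["matcher"], claims.get("sub", "")):
        return False
    return True


def require_any(requirements, token, jwks_by_name):
    """spec.requireAny: at least one entry must be satisfied."""
    return any(satisfies(r, token, jwks_by_name) for r in requirements)


def sign_hs256(claims, key, kid):
    """Issuer side, used only to mint constructed test tokens."""
    head = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


# Constructed sample data: the JWKS behind `jwksRef: {name: example-jwks}`
# (test key, not a real secret) and the requireAny list from the manifest above.
EXAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
JWKS_BY_NAME = {"example-jwks": {"keys": [
    {"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url_encode(EXAMPLE_KEY)}]}}
REQUIRE_ANY = [{
    "jwksRef": {"name": "example-jwks"},
    "issuer": "https://token.example.com",
    "audiences": ["bookstore_web.apps.example.com"],
    "subject": {"matcher": {"prefix": "spiffe://spiffe.example.com/"}},
}]
```

A second requireAny entry pointing at another JWKS (or the same one with a different issuer) is the way to accept tokens from two identity providers; a token only has to satisfy one entry, but every matcher inside that entry. Also note why the prefix matcher in the manifest ends with a slash: `spiffe://spiffe.example.com/` does not match `spiffe://spiffe.example.com.attacker.example/...`, whereas a prefix without the trailing slash would.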