JWTRule

    JSON Web Token (JWT) token format for authentication as defined by RFC 7519. See OAuth 2.0 and OIDC 1.0 for how this is used in the whole authentication flow. A JWTRule is consumed by a RequestAuthentication resource and tells the proxy which issuer and signing keys to trust; only a request carrying an invalid JWT is rejected by the rule itself, a request with no JWT at all passes through, so pair the rule with an AuthorizationPolicy that requires a request principal where the endpoint must be authenticated.

    Examples:

    Spec for a JWT that is issued by https://example.com, where the audience claim must be either bookstore_android.apps.example.com or bookstore_web.apps.example.com. The token is presented in the Authorization header (the default location). The JSON Web Key Set (JWKS) is discovered following the OpenID Connect discovery protocol.

    This example specifies the token in a non-default location (the x-goog-iap-jwt-assertion header). It also defines the URI from which to fetch the JWKS explicitly.
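    The signature step that both examples rely on, as an added worked example that is not part of the Istio documentation or code base: an RS256 verifier that resolves the token's kid in a JWKS of the shape a jwksUri document (or the jwks field) carries, refuses any other alg before touching a key, and returns the payload. The key pair, key set and signed token are generated in-process as a constructed fixture standing in for the issuer; the kid value and the function names are this example's own, and only RSA keys are modelled (a real JWKS may also carry EC keys, which a production verifier must handle or reject explicitly).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of an RFC 7517 entry needed for an RSA public key; a JWKS (the jwksUri document or the jwks field) lists these under "keys".
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding
func sha(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// rsaKey rebuilds the public key published under kid from its n and e members.
func (s JWKS) rsaKey(kid string) (*rsa.PublicKey, error) {
	for _, k := range s.Keys {
		if k.Kty != "RSA" || k.Kid != kid {
			continue
		}
		n, err1 := b64.DecodeString(k.N)
		e, err2 := b64.DecodeString(k.E)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("malformed RSA JWK %q", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// VerifyRS256 validates a compact JWS against the key set and returns the raw payload JSON. Only RS256
// is accepted, so alg=none or an HMAC alg is refused before any key lookup (no key-confusion path).
func VerifyRS256(token string, set JWKS) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("malformed JWS segment encoding")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches alg/kid case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	pub, err := set.rsaKey(hdr.Kid)
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	return b64.DecodeString(parts[1])
}

// NewKeyAndJWKS is a constructed fixture: a fresh RSA key pair published as a one-entry JWKS under kid.
func NewKeyAndJWKS(kid string) (*rsa.PrivateKey, JWKS) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // fixture code: only fails on a broken RNG
	}
	e := big.NewInt(int64(priv.E)).Bytes()
	return priv, JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// SignRS256 issues a token the way an identity provider would: header, claims, PKCS#1 v1.5 signature.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha(input))
	if err != nil {
		panic(err) // fixture code
	}
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, set := NewKeyAndJWKS("2024-key")
	fmt.Println(VerifyRS256(SignRS256(priv, "2024-key", map[string]interface{}{"iss": "https://example.com"}), set))
}
```

    The alg check comes before the kid lookup on purpose: the header is attacker-controlled, so the verifier decides which algorithm it will run from its own policy, never from the token. The same applies to where the key set comes from; a jwksUri fetched over plain HTTP lets anyone on the path replace the keys this code trusts.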

    Fields (type, required):

    issuer (string, required)
        Identifies the issuer that issued the JWT. A JWT whose iss claim does not match this value is rejected.
        Example: https://foobar.auth0.com
        Example: 1234567-compute@developer.gserviceaccount.com

    audiences (string[], optional)
        The list of JWT audiences that are allowed to access. A JWT containing any of these audiences will be accepted.
        The service name will be accepted if audiences is empty.
        Example: bookstore_android.apps.example.com, bookstore_web.apps.example.com

    jwksUri (string, optional)
        URL of the provider's public key set used to validate the signature of the JWT. See OpenID Discovery.
        Optional if the key set document can either (a) be retrieved from OpenID Discovery of the issuer or (b) be inferred from the email domain of the issuer (e.g. a Google service account).
        Serve this URL over HTTPS: a key set fetched over plain HTTP can be replaced by anyone on the path, and with it the set of keys the proxy trusts.
        Note: Only one of jwksUri and jwks should be used. jwksUri is ignored if jwks is set.

    jwks (string, optional)
        JSON Web Key Set of public keys used to validate the signature of the JWT, supplied inline as a string. See https://auth0.com/docs/jwks.
        Note: Only one of jwksUri and jwks should be used. jwksUri is ignored if jwks is set.

    fromHeaders (JWTHeader[], optional)
        List of header locations from which the JWT is expected. Each entry names a header and an optional prefix that is stripped before the token is decoded; for example, to read the JWT from the x-jwt-assertion header with a "Bearer " prefix, set name to x-jwt-assertion and prefix to "Bearer ".

    fromParams (string[], optional)
        List of query parameters from which the JWT is expected. For example, if the JWT is provided via the query parameter my_token (e.g. /path?my_token=<JWT>), list my_token here. Tokens in query parameters end up in access logs and Referer headers, so prefer a header location where the client can set one.

    outputPayloadToHeader (string, optional)
        The name of the header in which a successfully verified JWT payload is forwarded to the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If not specified, the payload is not emitted. The backend should trust this header only for traffic that has passed through the proxy, since a client that can reach the backend directly could supply it itself.

    forwardOriginalToken (bool, optional)
        If set to true, the original token is kept on the request forwarded upstream. Default is false.
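    The per-field behaviour described in the table, as an added worked example that is neither Istio's nor Envoy's code: a JWTRule struct with the same fields, token location honouring fromHeaders prefixes, fromParams and the default Authorization: Bearer location, issuer and audiences checks that accept aud as either a single string or an array (both are legal under RFC 7519), and the upstream rewrite driven by outputPayloadToHeader and forwardOriginalToken. Signature verification is assumed to have already succeeded before CheckClaims runs and is left out here. The map-based request representation, the lower-cased header keys, the access_token default query parameter (Envoy's documented default, assumed here) and the choice of unpadded base64url for the emitted payload (the page only says base64; confirm against the proxy version you run) are this example's assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWTHeader (name, prefix) and JWTRule mirror the fields documented in the table above.
type JWTHeader struct{ Name, Prefix string }
type JWTRule struct {
	Issuer                string
	Audiences             []string
	FromHeaders           []JWTHeader
	FromParams            []string
	OutputPayloadToHeader string
	ForwardOriginalToken  bool
}

// locations applies the default when the rule names no location at all: "Authorization: Bearer <token>"
// (Envoy, which enforces JWTRules for Istio, then also reads "?access_token=<token>"; assumed here).
func (r JWTRule) locations() ([]JWTHeader, []string) {
	if len(r.FromHeaders) == 0 && len(r.FromParams) == 0 {
		return []JWTHeader{{Name: "Authorization", Prefix: "Bearer "}}, []string{"access_token"}
	}
	return r.FromHeaders, r.FromParams
}

// Locate returns the token from the first configured location that carries one. Header keys are
// lower-case (as HTTP/2 delivers them); a header lacking the configured prefix is skipped, not used verbatim.
func (r JWTRule) Locate(headers, params map[string]string) (string, bool) {
	hdrs, prms := r.locations()
	for _, loc := range hdrs {
		if v, ok := headers[strings.ToLower(loc.Name)]; ok && strings.HasPrefix(v, loc.Prefix) {
			return strings.TrimPrefix(v, loc.Prefix), true
		}
	}
	for _, p := range prms {
		if v := params[p]; v != "" {
			return v, true
		}
	}
	return "", false
}

// CheckClaims enforces issuer and audiences on a payload whose signature was already verified.
func (r JWTRule) CheckClaims(payload []byte) error {
	var c struct {
		Iss string          `json:"iss"`
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if c.Iss != r.Issuer {
		return fmt.Errorf("iss %q does not match issuer %q", c.Iss, r.Issuer)
	}
	if len(r.Audiences) == 0 {
		return nil // no audiences configured: aud is not matched against a list
	}
	var auds []string // RFC 7519 lets aud be a single string or an array; accept both
	if one := ""; json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one}
	} else if err := json.Unmarshal(c.Aud, &auds); err != nil {
		return fmt.Errorf("aud claim missing or malformed: %w", err)
	}
	for _, got := range auds {
		for _, want := range r.Audiences {
			if got == want {
				return nil
			}
		}
	}
	return fmt.Errorf("aud %v matches none of %v", auds, r.Audiences)
}

// Forward rewrites the upstream request: the verified payload goes into outputPayloadToHeader (unpadded
// base64url, an assumption) and the token is stripped from every configured location unless forwardOriginalToken is set.
func (r JWTRule) Forward(headers, params map[string]string, payload []byte) {
	if r.OutputPayloadToHeader != "" {
		headers[strings.ToLower(r.OutputPayloadToHeader)] = base64.RawURLEncoding.EncodeToString(payload)
	}
	if r.ForwardOriginalToken {
		return
	}
	hdrs, prms := r.locations()
	for _, loc := range hdrs {
		delete(headers, strings.ToLower(loc.Name))
	}
	for _, p := range prms {
		delete(params, p)
	}
}

func main() {
	rule := JWTRule{Issuer: "https://example.com", FromHeaders: []JWTHeader{{Name: "x-goog-iap-jwt-assertion"}}}
	fmt.Println(rule.Locate(map[string]string{"x-goog-iap-jwt-assertion": "hdr.payload.sig"}, nil)) // constructed token
}
```

    Two details are worth noticing. A header that exists but does not carry the configured prefix is not treated as a token, so a rule with prefix "Bearer " cannot be satisfied by a bare value. And when audiences is empty the aud claim is not consulted at all, which is convenient but means a token minted for a different service of the same issuer is accepted; list the audiences explicitly wherever the issuer serves more than one relying party.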