JWT Filter

The JWT filter type performs JWT validation on a bearer token present in the HTTP header. If the bearer token JWT doesn't validate, or has insufficient scope, an RFC 6750-complaint error response with a WWW-Authenticate header is returned. The list of acceptable signing keys is loaded from a JWK Set that is loaded over HTTP, as specified in jwksURI. Only RSA and none algorithms are supported.

JWT global arguments

• insecureTLS disables TLS verification for the cases when jwksURI begins with https://. This is discouraged in favor of either using plain http:// or installing a self-signed certificate.

• renegotiateTLS allows a remote server to request TLS renegotiation. Accepted values are "never", "onceAsClient", and "freelyAsClient".

• leewayForExpiresAt allows tokens expired by this much to be used; to account for clock skew and network latency between the HTTP client and the Ambassador Edge Stack.

• leewayForNotBefore allows tokens that shouldn't be used until this much in the future to be used; to account for clock skew between the HTTP client and the Ambassador Edge Stack.

• leewayForIssuedAt allows tokens issued this much in the future to be used; to account for clock skew between the HTTP client and the Ambassador Edge Stack.

• maxStale How long to keep stale cached OIDC replies for. This sets the max-stale Cache-Control directive on requests, and also ignores the no-store and no-cache Cache-Control directives on responses. This is useful for maintaining good performance when working with identity providers with misconfigured Cache-Control. Note that if you are reusing the same authorizationURL and jwksURI across different OAuth and JWT filters respectively, then you MUST set maxStale as a consistent value on each filter to get predictable caching behavior.

• injectRequestHeaders injects HTTP header fields in to the request before sending it to the upstream service; where the header value can be set based on the JWT value. The value is specified as a Go text/template string, with the following data made available to it:

  • .token.Raw → string the raw JWT
  • .token.Header → map[string]interface{} the JWT header, as parsed JSON
  • .token.Claims → map[string]interface{} the JWT claims, as parsed JSON
  • .token.Signature → string the token signature
  • .httpRequestHeader → http.Header a copy of the header of the incoming HTTP request. Any changes to .httpRequestHeader (such as by using using .httpRequestHeader.Set) have no effect. It is recommended to use .httpRequestHeader.Get instead of treating it as a map, in order to handle capitalization correctly.

  Also available to the template are the standard functions available to Go text/templates, as well as:

  • a hasKey function that takes the a string-indexed map as arg1, and returns whether it contains the key arg2. (This is the same as the Sprig function of the same name.)

  • a doNotSet function that causes the result of the template to be discarded, and the header field to not be adjusted. This is useful for only conditionally setting a header field; rather than setting it to an empty string or "<no value>". Note that this does not unset an existing header field of the same name; in order to prevent the untrusted client from being able to spoof these headers, use a Lua script to remove the client-supplied value before the Filter runs. See below for an example. Not sanitizing the headers first is a potential security vulnerability.

  Any headers listed will override (not append to) the original request header with that name.

• errorResponse allows templating the error response, overriding the default json error format. Make sure you validate and test your template, not to generate server-side errors on top of client errors.

  • contentType is deprecated, and is equivalent to including a name: "Content-Type" item in headers.

  • realm allows specifying the realm to report in the WWW-Authenticate response header.

  • headers sets extra HTTP header fields in the error response. The value is specified as a Go text/template string, with the same data made available to it as bodyTemplate (below). It does not have access to the json function.

  • bodyTemplate specifies body of the error; specified as a Go text/template string, with the following data made available to it:

    • .status_code → integer the HTTP status code to be returned
    • .httpStatus → integer an alias for .status_code (hidden from {{ . | json "" }})
    • .message → string the error message string
    • .error → error the raw Go error object that generated .message (hidden from {{ . | json "" }})
    • .error.ValidationError → jwt.ValidationError the JWT validation error, will be nil if the error is not purely JWT validation (insufficient scope, malformed or missing Authorization header)
    • .request_id → string the Envoy request ID, for correlation (hidden from {{ . | json "" }} unless .status_code is in the 5XX range)
    • .requestId → string an alias for .request_id (hidden from {{ . | json "" }})

    Also availabe to the template are the standard functions available to Go text/templates, as well as:

    • a json function that formats arg2 as JSON, using the arg1 string as the starting indentation. For example, the template {{ json "indent>" "value" }} would yield the string indent>"value".

"duration" strings are parsed as a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". See Go time.ParseDuration.

JWT path-specific arguments

scope is a list of OAuth scope values that Edge Stack will require to be listed in the scope claim. In addition to the normal values of the scope claim (a JSON string containing a space-separated list of values), the JWT Filter also accepts a JSON array of values.

Example configuration