#JWT Auth Policy
The Open ID JWT Authentication policy allows you to authenticate incoming requests using an Open ID-compliant bearer token. It works with common authentication services like Auth0 (sample here) but should also work with any valid Open ID JWT token.
When configured, you can have Zuplo check incoming requests for a JWT token and
automatically populate the ZuploRequest
's user
property with a user object.
This user
object will have a sub
property - taking the sub
id from the JWT
token. It will also have a data
property populated by other data returned in
the JWT token (including any claims).
See this document for more information about OAuth authorization in Zuplo.
#Configuration
The configuration shows how to configure the policy in the 'policies.json' document.
{ "name": "my-open-id-jwt-auth-inbound-policy", "policyType": "open-id-jwt-auth-inbound", "handler": { "export": "OpenIdJwtInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "audience": "$env(AUTH_AUDIENCE)", "issuer": "$env(AUTH_ISSUER)", "jwkUrl": "https://zuplo-demo.us.auth0.com/.well-known/jwks.json" } } }json
#Policy Configuration
name
<string>
- The name of your policy instance. This is used as a reference in your routes.policyType
<string>
- The identifier of the policy. This is used by the Zuplo UI. Value should beopen-id-jwt-auth-inbound
.handler.export
<string>
- The name of the exported type. Value should beOpenIdJwtInboundPolicy
.handler.module
<string>
- The module containing the policy. Value should be$import(@zuplo/runtime)
.handler.options
<object>
- The options for this policy. See Policy Options below.
#Policy Options
The options for this policy are specified below. All properties are optional unless specifically marked as required.
authHeader
<string>
- The name of the header with the key. Defaults to"Authorization"
.issuer
<string>
- The expected issuer claim in the JWT token.audience
<string>
- The expected audience claim in the JWT token.jwkUrl
<string>
- the url of the JSON Web Key Set (JWKS) - this is used to validate the JWT token signature (either this orsecret
must be set).secret
<string>
- The key used to verify the signature of the JWT token (either this orjwkUrl
must be set).allowUnauthenticatedRequests
<boolean>
- indicates whether the request should continue if authentication fails. Defaults isfalse
which means unauthenticated users will automatically receive a 401 response. Defaults tofalse
.subPropertyName
<string>
- The name of the property in the JWT token that contains the user's unique identifier.headers
<object>
- Additional headers to send with the JWK request.
#Using the Policy
Note that sometimes the issuer
and audience
will vary between your
environments (e.g. dev, staging and prod). We recommend storing these values in
your environment variables and using $env(VARIABLE_NAME)
to include them in
your policy configuration.
Note you can have multiple instances of the same policy with different name
s
if you want to have slightly different rules (such as settings for the
allowUnauthenticatedRequests
setting.
{ "path": "/products/:123", "methods": ["POST"], "handler": { "module": "$import(./modules/products)", "export": "postProducts" }, "corsPolicy": "None", "version": "none", "policies": { "inbound": ["your-jwt-policy-name"] } }json
#Using the user property in code
For an example of using the user object in a RequestHandler, see Setting up JWT auth with Auth0.
Read more about how policies work