JWT Auth Policy
The Open ID JWT Authentication policy allows you to authenticate incoming requests using an Open ID-compliant bearer token. It works with common authentication services like Auth0 (sample here) but should also work with any valid Open ID JWT token.
When configured, you can have Zuplo check incoming requests for a JWT token and
automatically populate the ZuploRequest 's user property with a user object.
This user object will have a sub property - taking the sub id from the JWT
token. It will also have a data property populated by other data returned in
the JWT token (including any claims).
See this document for more information about OAuth authorization in Zuplo.
Configuration
{
"name": "my-open-id-jwt-auth-inbound-policy",
"policyType": "open-id-jwt-auth-inbound",
"handler": {
"export": "OpenIdJwtInboundPolicy",
"module": "$import(@zuplo/runtime)",
"options": {
"allowUnauthenticatedRequests": false,
"audience": "$env(AUTH_AUDIENCE)",
"issuer": "$env(AUTH_ISSUER)",
"jwkUrl": "$env(JWK_URL)"
}
}
}
Note that sometimes the issuer and audience will vary between your
environments (e.g. dev, staging and prod). We recommend storing these values in
your environment variables and using $env(VARIABLE_NAME) to include them in
your policy configuration.
Note you can have multiple instances of the same policy with different names
if you want to have slightly different rules (such as settings for the
allowUnauthenticatedRequests setting.
{
"path": "/products/:123",
"methods": ["POST"],
"handler": {
"module": "$import(./modules/products)",
"export": "postProducts"
},
"corsPolicy": "None",
"version": "none",
"policies": {
"inbound": ["your-jwt-policy-name"]
}
}
Using the user property in code
For an example of using the user object in a RequestHandler, see Setting up JWT auth with Auth0.
Read more about how policies work