Skip to main content

JWT Validation

Overview

The JWT Validation action allows you to configure ngrok to validate JSON Web Tokens (JWT) at our cloud edge before routing the traffic to your origin service. You will need to tell ngrok where to find the token, as well as the claims and algorithms used to verify it's authenticity. When configuring this action in a locally running agent, it is pushed to our global network which secures traffic before it hits your network.

The request is allowed only if it has been correctly signed by the issuer and the defined claims match.

We have created guides for configuring this action with the following providers:

A useful tool for working with JWTs is provided at jwt.io.

Example

Use this action config in your Traffic Policy

# snippet
---
actions:
- type: "jwt-validation"
config:
issuer:
allow_list:
- value: "https://example.com/issuer"
audience:
allow_list:
- value: "urn:example:api"
http:
tokens:
- type: "access_token"
method: "header"
name: "Authorization"
prefix: "Bearer "
- type: "it+jwt"
method: "body"
name: "_id_token"
jws:
allowed_algorithms:
- "RS256"
- "ES256"
keys:
sources:
additional_jkus:
- "https://example.com/issuer/jku"

Behavior

Multiple Issuers

You may specify multiple issuers to be used for JWT validation. A request is considered validated if it presents a JWT signed by any of the specified issuers. The issuer must match the one provided in the JWT exactly, including the trailing slash (/) if present in the token's iss claim.

Multiple Audience Claims

You may specify multiple audience claims to be used for JWT validation. JWT validation will require at least one of the audience claims to be present within the JWT. This is also an exact match.

Multiple Signing Keys

You have the ability to provide multiple JSON Web Key Set (JWKS) urls and signing algorithms. During JWT validation the list of JWKS and algorithms provided will be used in an attempt to validate the JWT. This list will be tried in order and is cached for performance. The cache is refreshed roughly every 15 minutes.

Multiple Tokens

If multiple tokens are defined within the HTTP configuration parameter, all tokens must be present in the request. If all tokens are not present a 401 status code will be returned.

Reference

Supported Directions

  • Inbound

Configuration

Type
jwt-validation
ParameterTypeDescription
issuerJWTIssuerConfigconfiguration about the Issuer(s) of the JWTs.
audienceJWTAudienceConfigconfiguration about the Audience(s) of the JWTs.
httpJWTHTTPConfigconfiguration about the HTTP requests containing JWTs.
jwsJWTSigningConfigconfiguration about signed JWTs (JWS).

JWTIssuerConfig Parameters

ParameterTypeDescription
allow_listJWTIssuerthe list of allowed issuers.

JWTIssuer Parameters

ParameterTypeDescription
valuestringthe URL of the issuer. This can be found in the iss claim after decoding the JWT or from the /.well-known/openid-configuration endpoint in your Identity Provider.

JWTAudienceConfig Parameters

ParameterTypeDescription
allow_listJWTAudiencethe list of allowed audiences.

JWTAudience Parameters

ParameterTypeDescription
valuestringthe value of the audience claim. This can be found in the aud claim after decoding the JWT or from the request used to create the token in the first place.

JWTHTTPConfig Parameters

ParameterTypeDescription
tokensJWTHTTPTokenthe list of tokens to validate.

JWTHTTPToken Parameters

ParameterTypeDescription
typestringthe type of the JWT, which acts as a hint to ngrok about how ngrok should parse the token. Must be one of "access_token", "at+jwt", "id_token", "it+jwt", "plain", or "jwt".
methodstringthe location in the request to expect the JWT. Must be one of "header" or "body". We do not support including a token as a URL query parameter. When choosing body, the method must be POST, PUT, or PATCH and the content type header must be set to either application/json or application/x-www-form-urlencoded.
namestringthe name of the header or body field where the JWT is expected (Example: "Authorization"). This is not case sensitive.
prefixstringAny prefix to strip from the header or body field before parsing the JWT (Example: "Bearer ").

JWTSigningConfig Parameters

ParameterTypeDescription
allowed_algorithmsList<string>the list of allowed signing algorithms. We do not support none as a value here because it is insecure.
keysJWTSigningKeysthe configuration for the JWT signing keys.

JWTSigningKeys Parameters

ParameterTypeDescription
sourcesJWTSigningKeySourcesthe configuration for the key material used to verify the signed JWTs.

JWTSigningKeySources Parameters

ParameterTypeDescription
additional_jkusList<string>a list of URLs which serve the possible signing keys in JWKS format. These urls are cached and refreshed roughly every 15 minutes.