Configure JWT authentication

更新时间:
复制 MD 格式

A JSON Web Token (JWT) is a standard for securely sending information between a client and a server. This information is encoded as a JSON object and can be trusted because it is digitally signed. A JWT can be signed using algorithms like HMAC, or with a public/private key pair like RSA or ECDSA. You can use JWT authentication in a cloud-native gateway to verify identities and control access to your services.

Prerequisites

  • You have a basic understanding of the JWT standard. For more information, see Introduction to JSON Web Tokens.

  • You understand the integration methods that the cloud-native gateway supports: issuing your own token and configuring a public key in the gateway to verify the request signature.

  • Prepare the private key and public key used for generating and validating tokens. The private key is used by your authorization service to sign JWTs. The public key is configured in the cloud-native gateway to verify the signature of a token in a request.

Background information

The cloud-native gateway provides a comprehensive security solution. The JWT authentication feature allows you to authorize access to your APIs based on JSON Web Tokens. This gives you fine-grained control over your security settings.

Token-based authentication

When you expose APIs through a cloud-native gateway, you need a way to identify the requester and verify their permission to access the requested resource. A token is a credential used for this authentication. With token-based authentication, your application does not need to store user authentication or session information on the server. This enables stateless, distributed web applications and simplifies scaling.

Supported integration methods

支持接入的继承方式

Create authentication

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the ID of the gateway.

  4. In the left-side navigation pane, choose Security Management > Global Authentication.

  5. On the Global Authentication page, click Create Authentication in the upper-left corner. Configure the parameters, and then click OK.

    Parameter

    Description

    Authentication Name

    A custom name for the authentication rule.

    Authentication Type

    The type of authentication. JWT is selected by default.

    Issuer

    The principal that issued the JWT, which corresponds to the iss (issuer) claim in the token.

    Sub

    The principal that is the subject of the JWT, which corresponds to the sub (subject) claim in the token.

    JWKS

    The JSON Web Key Set (JWKS) that contains the public key used to verify the JWT signature. The format must be a valid JWKS object. For example:

    {
        "keys":[
             {
            "e":"AQAB",
            "kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
            "kty":"RSA",
            "n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-
    P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2
    He95lZdHtOcU5DXIg_pbhLdKXbi66Gl
    VeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-
    4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSG
    ZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZ
    PYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3D
    RrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"
              }
           ]
    }

    JWT Token

    Configure how the token is extracted from the incoming request.

    • Type: The location of the token in the request. The default value is Header.

    • Key: The name of the header or query parameter that contains the token.

    • Prefix: A string that is prefixed to the token. By default, the gateway expects the token to be in the Authorization header with the Bearer prefix. For example: Authorization: Bearer token.

    • Enable Passthrough: Specifies whether to pass the token to the backend service. If you select this option, the original token header or parameter is forwarded.

    Authorization

    The authorization mode. Both Whitelist and Blacklist modes are supported.

    • Whitelist: Requests to hosts and paths that you specify in the whitelist can bypass authentication. All other requests require authentication.

    • Blacklist: Requests to hosts and paths that you specify in the blacklist require authentication. All other requests can bypass authentication.

    Click + Rule Condition to configure the request domain name and request path.

    • Request Domain Name: The request domain name (host).

    • Request Path: The request path.

View authentication details

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the ID of the gateway.

  4. In the left-side navigation pane, choose Security Management > Global Authentication.

  5. On the Global Authentication page, find the target authentication rule and click Details in the Actions column. The details page shows the rule's Basic Information and Authentication Configuration. You can also manage its Authorization Information.

    The Authentication Configuration section displays fields such as Issuer, Sub, Type (for example, Header), Prefix (for example, Bearer), the Enable Passthrough switch, Key (for example, Authorization), and JWKS. The Authorization Information section allows you to switch the authorization mode and displays a table of existing authorization rules with their Request Domain Name and Request Path.

    In the Authorization Information section, click Add Authorization Information. In the dialog box that appears, enter the Request Domain Name and Request Path to add a new authorization rule.

Verify the result

Return to the Global Authentication page. If the new authentication rule appears in the list, it has been created successfully.

Related operations

You can also perform the following operations to manage your authentication rules:

  • Enable an authentication rule: On the Global Authentication page, find the target rule and click Enable in the Actions column. This activates the rule.

  • Disable an authentication rule: On the Global Authentication page, find the target rule and click Close in the Actions column. This deactivates the rule.

  • Edit an authentication rule: On the Global Authentication page, find the target rule and click Edit in the Actions column to modify its configuration.

  • Delete an authentication rule: On the Global Authentication page, find the target rule and click Delete in the Actions column to permanently remove it.

Note

You must disable an authentication rule before you can delete it.

Related documents

To learn about other authentication mechanisms, see Global Authentication.