JWT
JWT
The JWT guard in Zilla provides authentication and access control by verifying JSON Web Tokens (JWTs)
. It ensures the integrity of tokens using public keys
, allowing only authorized subjects with valid roles to access protected resources.
To prevent unauthorized token reuse, the JWT guard enforces constraints on both the issuer
(who issued the token) and the audience
(who the token is intended for). Additionally, each JWT has a set expiration time, with an optional challenge
window that allows protocol bindings to request token renewal before expiration, ensuring uninterrupted access.
Usage Example
If using an Identity Provider that exposes a .well-known/jwks.json
file, simply provide the issuer and audience. The JWKS will be fetched, remotely.
guards:
my_jwt_guard:
type: jwt
options:
issuer: https://auth.example.com
audience: https://api.example.com
Manual configuration is also supported.
guards:
my_jwt_guard:
type: jwt
options:
issuer: https://auth.example.com
audience: https://api.example.com
keys:
- kty: EC
crv: P-256
x: MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4
y: 4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM
use: enc
kid: "1"
- kty: RSA
n: 0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw
e: AQAB
alg: RS256
kid: "2011-04-29"
challenge: 30
Configuration (* required)
options
object
The jwt
specific options.
Property | Type | Description |
---|---|---|
options.issuer | string | Issuer claim. |
options.audience | string | Audience claim. |
options.challenge | integer | Challenge period (seconds). |
options.keys | string , object[] | If not specified, the JWT vault derives the key location from the issuer's .well-known/jwks.json . It can also be set as a URI string or a list of objects with supported key values. |
options.keys.kty | string | Key type, e.g. "RSA" , "EC". |
options.keys.kid | string | Key ID. |
options.keys.n | string | "RSA" modulus. |
options.keys.e | string | "RSA" exponent. |
options.keys.alg | string | "RSA" algorithm, e.g. "RS256". |
options.keys.crv | string | "EC" curve name. |
options.keys.x | string | "EC" point X coordinate. |
options.keys.y | string | "EC" point Y coordinate. |