{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://www.krakend.io/schema/v2.1/auth/validator.json",
  "title": "JWT validator",
  "description": "Protect endpoints from public usage by validating JWT tokens generated by any industry-standard OpenID Connect (OIDC) integration.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
  "type": "object",
  "oneOf": [
    {
      "required": [ "alg", "jwk_local_path" ]
    },
    {
      "required": [ "alg", "jwk_url" ]
    }
  ],
  "properties": {
    "alg": {
      "$id": "#auth/validator/alg",
      "title": "Algorithm",
      "description": "The signing algorithm used by the token issuer. Pin it to the algorithm your issuer actually uses: the `HS*` entries are symmetric HMAC algorithms (the validator holds the same secret as the issuer), while `RS*`, `PS*`, `ES*` and `EdDSA` verify signatures against a public key.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": "RS256",
      "enum": [
        "EdDSA",
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ]
    },
    "audience": {
      "$id": "#auth/validator/audience",
      "title": "Audience",
      "description": "Reject tokens that do not contain ALL audiences declared in the list.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [ "audience1" ],
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "cache": {
      "$id": "#auth/validator/cache",
      "title": "Cache",
      "description": "Set to `true` (recommended) to keep the downloaded keys in memory for the `cache_duration` period instead of fetching them on every request, which avoids hammering the key server. Do not use this flag together with `jwk_local_ca`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": false,
      "type": "boolean"
    },
    "cache_duration": {
      "$id": "#auth/validator/cache_duration",
      "title": "Cache duration",
      "description": "How long downloaded keys are kept when `cache` is enabled. Value in seconds; defaults to 900 (15 minutes). Keys rotated or revoked at the issuer are not picked up until the cached copy expires, so choose a value consistent with your key-rotation policy.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": 900,
      "type": "integer"
    },
    "cipher_suites": {
      "$id": "#auth/validator/cipher_suites",
      "title": "Cipher suites",
      "description": "Override the default cipher suites (decimal TLS cipher suite identifiers) used for the connection that downloads the JWK. The default list contains only ECDHE AEAD suites (AES-GCM and ChaCha20-Poly1305). The accepted values also include legacy suites (RC4, 3DES, CBC modes and static-RSA key exchange without forward secrecy), so an override can lower rather than raise the security level; use it only to restrict the list further.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": [ 49199, 49195, 49200, 49196, 52392, 52393 ],
      "type": "array",
      "items": {
        "title": "Cipher suite identifier",
        "description": "Decimal TLS cipher suite identifier (e.g. `49199` is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
        "enum": [
          5,
          10,
          47,
          53,
          60,
          156,
          157,
          49159,
          49161,
          49162,
          49169,
          49170,
          49171,
          49172,
          49187,
          49191,
          49199,
          49195,
          49200,
          49196,
          52392,
          52393
        ]
      }
    },
    "cookie_key": {
      "$id": "#auth/validator/cookie_key",
      "title": "Cookie key",
      "description": "Name of the cookie holding the token, used when the token is not passed in the headers. A token read from a cookie is attached automatically by the browser, so endpoints relying on it also need CSRF protection.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [ "cookie_jwt" ],
      "type": "string"
    },
    "cypher_key": {
      "$id": "#auth/validator/cypher_key",
      "title": "Cypher key",
      "description": "The key used to decrypt an encrypted JWK file referenced by `jwk_local_path`; used together with `secret_url`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "string"
    },
    "disable_jwk_security": {
      "$id": "#auth/validator/disable_jwk_security",
      "title": "Disable JWK security",
      "description": "When `true`, disables the security of the JWK client and allows insecure connections (plain HTTP) to download the keys. Useful for development environments only: keys fetched over plain HTTP can be replaced by an on-path attacker, which would make forged tokens validate.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": false,
      "type": "boolean"
    },
    "issuer": {
      "$id": "#auth/validator/issuer",
      "title": "Issuer",
      "description": "When set, tokens not matching the issuer are rejected.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [ "issuer" ],
      "type": "string"
    },
    "jwk_fingerprints": {
      "$id": "#auth/validator/jwk_fingerprints",
      "title": "JWK fingerprints",
      "description": "A list of certificate fingerprints (base64-encoded) used for certificate pinning when downloading the JWK, to prevent man-in-the-middle attacks.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "jwk_local_ca": {
      "$id": "#auth/validator/jwk_local_ca",
      "title": "Local CA",
      "description": "Path to the CA certificate used to verify the secure connection when downloading the JWK. Use it when the CA is not recognized by the system (e.g., self-signed certificates). Do not combine it with `cache`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "string"
    },
    "jwk_local_path": {
      "$id": "#auth/validator/jwk_local_path",
      "title": "JWK local path",
      "description": "Local path to the JWK public keys; has preference over `jwk_url` (note that this schema's `oneOf` accepts only one of `jwk_local_path` or `jwk_url`, not both). Instead of pointing to an external URL (with `jwk_url`), the keys are kept locally, either in a plain JWK file (restrict its permissions: anyone able to modify it can make forged tokens validate) or encrypted. When encrypted, also add `secret_url` and `cypher_key`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [ "./jwk.txt" ],
      "type": "string"
    },
    "jwk_url": {
      "$id": "#auth/validator/jwk_url",
      "title": "JWK URL",
      "description": "The URL of the JWK endpoint with the public keys used to verify the token's authenticity and integrity. Use an `https://` URL; a plain `http://` URL (as in the Keycloak example) only works with `disable_jwk_security` enabled and is not safe outside development.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [
        "https://some-domain.auth0.com/.well-known/jwks.json",
        "http://KEYCLOAK:8080/auth/realms/master/protocol/openid-connect/certs"
      ],
      "type": "string"
    },
    "key_identify_strategy": {
      "$id": "#auth/validator/key_identify_strategy",
      "title": "Key identify strategy",
      "description": "Selects which JWT header identifies the verification key: `kid` (the default), the `x5t` certificate thumbprint, or `kid_x5t`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "enum": [ "kid", "x5t", "kid_x5t" ]
    },
    "operation_debug": {
      "$id": "#auth/validator/operation_debug",
      "title": "Debug",
      "description": "When `true`, every JWT **validation operation** is printed in the log at `ERROR` level. You will see whether a client lacks the required roles, the allowed claims, scopes, and other useful information. Because claim contents end up in the logs, keep it disabled in production.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": false,
      "type": "boolean"
    },
    "propagate_claims": {
      "$id": "#auth/validator/propagate_claims",
      "title": "Claims to propagate",
      "description": "Enables passing claims in the backend's request header. You can pass nested claims using the dot `.` operator. E.g.: `realm_access.roles`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "array",
      "items": {
        "type": "array",
        "items": {
          "type": "string"
        }
      }
    },
    "roles": {
      "$id": "#auth/validator/roles",
      "title": "Roles",
      "description": "When set, a token that does not carry at least one of the listed roles is rejected.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "roles_key": {
      "$id": "#auth/validator/roles_key",
      "title": "Roles key",
      "description": "When validating users through roles, provide the key name inside the JWT payload that lists their roles. If this key is nested inside another object, add `roles_key_is_nested` and use the dot notation `.` to traverse each level. E.g.: `resource_access.myclient.roles` represents the payload `{resource_access: { myclient: { roles: [\"myrole\"] } }`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [ "resource_access.myclient.roles" ],
      "type": "string"
    },
    "roles_key_is_nested": {
      "$id": "#auth/validator/roles_key_is_nested",
      "title": "Roles key is nested",
      "description": "If the roles key uses a nested object using the `.` dot notation, you must set it to `true` to traverse the object.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "boolean"
    },
    "scopes": {
      "$id": "#auth/validator/scopes",
      "title": "Scopes",
      "description": "A list of scopes to validate. Use a list `[]` in the config; in the token itself, the scopes are expected as a single space-separated string, e.g.: `\"my_scopes\": \"resource1:action1 resource3:action7\"`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "scopes_key": {
      "$id": "#auth/validator/scopes_key",
      "title": "Scopes key",
      "description": "The key name where KrakenD can find the scopes. The key can be a nested object using the `.` dot notation, e.g.: `data.access.my_scopes`.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "type": "string"
    },
    "scopes_matcher": {
      "$id": "#auth/validator/scopes_matcher",
      "title": "Scopes matcher",
      "description": "Defines whether the token must contain at least one of the listed scopes (`any`) or `all` of them.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "default": "any",
      "enum": [ "any", "all" ]
    },
    "secret_url": {
      "$id": "#auth/validator/secret_url",
      "title": "Secret's URL",
      "description": "A URL with a custom scheme selecting one of the supported secret providers (e.g.: `awskms://keyID`; see providers). The `base64key://` form embeds the key itself in the configuration, so treat the configuration file as a secret when using it.\n\nSee: https://www.krakend.io/docs/authorization/jwt-validation/",
      "examples": [
        "base64key://smGbjm71Nxd1Ig5FS0wj9SlbzAIrnolCz9bQQ6uAhl4=",
        "awskms://keyID",
        "azurekeyvault://keyID",
        "gcpkms://projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]",
        "hashivault://keyID"
      ],
      "type": "string",
      "pattern": "(base64key|awskms|azurekeyvault|gcpkms|hashivault)://(.*)"
    }
  },
  "patternProperties": {
    "^[@$_#]": {}
  },
  "additionalProperties": false
}
