A re-usable Spin component that performs JWT token authorization
Name | Type | Source | Purpose |
---|---|---|---|
jwks_uri | URI | component.config.jwks_uri | URI of a hosted JWKS document (for example http://example.com/.well-known/jwks.json) from which the signing keys are fetched. |
audiences | Comma-delimited set | component.config.audiences | Reject tokens whose audience (`aud` claim) is not in this set. |
issuers | Comma-delimited set | component.config.issuers | Reject tokens whose issuer (`iss` claim) is not in this set. |
max_header_length | unsigned 64-bit int | component.config.max_header_length | Maximum length of the JWT header segment to accept. The header is parsed before the signature is verified, so it is unsafe, untrusted, unverified input; keep this bound small. |
max_token_length | unsigned 64-bit int | component.config.max_token_length | Maximum total token length to accept. |
accept_future | boolean | component.config.accept_future | Accept tokens whose issued-at time lies in the future. |
max_validity_secs | unsigned 64-bit int | component.config.max_validity_secs | Reject tokens issued more than max_validity_secs seconds ago (an upper bound on token age). |
time_tolerance_secs | unsigned 64-bit int | component.config.time_tolerance | Clock drift, in seconds, to tolerate when verifying token timestamps. |
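The checks the table describes, as an added worked example that is not the component's own code. It uses only the Python standard library so it runs offline: HS256 with a shared key stands in for the JWKS-backed signature verification the component performs, and the Config defaults, the key, the issuer and audience URLs, the sample claims and the handling of `exp`/`nbf` (which the table does not mention) are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Config:
    """One field per component.config.* key in the table above; the defaults are made up for this example."""
    audiences: frozenset
    issuers: frozenset
    max_header_length: int = 512
    max_token_length: int = 4096
    accept_future: bool = False
    max_validity_secs: int = 3600
    time_tolerance_secs: int = 30


class TokenRejected(Exception):
    pass


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes, header: Optional[dict] = None) -> str:
    """Test-only issuer so the checks can run offline; the component itself uses keys fetched from jwks_uri."""
    def enc(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
    header = header or {"alg": "HS256", "typ": "JWT"}
    h = enc(json.dumps(header, separators=(",", ":")).encode())
    p = enc(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{enc(sig)}"


def verify(token: str, cfg: Config, key: bytes, now: int) -> dict:
    """Apply the table's checks in order of increasing trust; raise TokenRejected at the first failure."""
    # Size limits first: nothing in the token is verified yet, so bound the work spent on it.
    if len(token) > cfg.max_token_length:
        raise TokenRejected("token too long")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h_b64, p_b64, s_b64 = parts
    if len(h_b64) > cfg.max_header_length:
        raise TokenRejected("header too long")
    # Pin the algorithm from the (still untrusted) header before checking the signature: "alg": "none" never verifies.
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unsupported alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    try:  # the signature covers the payload, so only now are the claims worth parsing
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    if claims.get("iss") not in cfg.issuers:
        raise TokenRejected("issuer not allowed")
    aud = claims.get("aud")  # RFC 7519: a single string or an array of strings
    auds = {a for a in aud if isinstance(a, str)} if isinstance(aud, list) else {aud}
    if not auds & cfg.audiences:
        raise TokenRejected("audience not allowed")
    tol = cfg.time_tolerance_secs  # every time comparison is widened by the clock tolerance
    iat = claims.get("iat")
    if not isinstance(iat, int):
        raise TokenRejected("missing iat")
    if iat > now + tol and not cfg.accept_future:
        raise TokenRejected("issued in the future")
    if now - iat > cfg.max_validity_secs + tol:
        raise TokenRejected("older than max_validity_secs")
    # exp and nbf are not in the table above; honouring them when present is this example's assumption.
    if isinstance(claims.get("nbf"), int) and claims["nbf"] > now + tol:
        raise TokenRejected("not yet valid")
    if isinstance(claims.get("exp"), int) and claims["exp"] < now - tol:
        raise TokenRejected("expired")
    return claims


def check(token: str, cfg: Config, key: bytes, now: int) -> Optional[str]:
    """None when the token is accepted, otherwise the rejection reason."""
    try:
        verify(token, cfg, key, now)
        return None
    except TokenRejected as e:
        return str(e)


# Constructed sample values; none of them come from the project or from a real issuer.
NOW = 1_700_000_000
KEY = b"constructed-test-key-not-a-real-secret"
CFG = Config(audiences=frozenset({"https://api.example.test"}), issuers=frozenset({"https://issuer.example.test/"}))
GOOD = {"iss": "https://issuer.example.test/", "aud": "https://api.example.test",
        "sub": "client@clients", "iat": NOW - 60, "exp": NOW + 3540}
```

The ordering is the point: the two length limits run before anything is decoded, the algorithm is pinned before the signature is compared, and the claims are not parsed until the signature holds. `max_validity_secs` is an age cap, so a token whose `exp` is still in the future is rejected once its `iat` is older than the cap (plus tolerance); with `accept_future` off, an `iat` further ahead of the verifier's clock than `time_tolerance_secs` is likewise rejected. A JWKS-backed deployment would select the key by the header's `kid` and pin `alg` to that key's algorithm instead of a shared secret.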
To test against Auth0:

- Create an Auth0 account
- Select an Auth0 environment
- Create an API (note its identifier URL; it is used as the audience)
- Go to the API's page and select the "Machine to Machine Applications" tab
- Locally run `cp .envrc.template .envrc`
- Locally open `.envrc` and substitute the values for domain, client_id, client_secret and audience from the opened web page
- Locally run the test script `./scripts/test-auth0.sh`
Open questions and TODO:

- Can we use oxide-auth?
- Config parsing: should we log when parsing fails, or panic?
- Better approach to logging / error response
- Allow request to override some verification options
- Cache the JWKS in key-value
- Implement custom claims
- Design for Verification API
- Design for Issuance API