Validate JWTs from Multiple Issuers in kgateway
The article explains how kgateway enables validation of JSON Web Tokens (JWTs) from multiple identity providers within a Kubernetes environment. It outlines the structure and verification process of JWTs, emphasizing support for multiple issuers like Auth0 and Google. The guide demonstrates configuring a single policy to validate tokens, enforce audience restrictions, and forward user claims to upstream services.
- kgateway's JWTPolicy resource allows multiple JWT issuers to be defined in one policy.
- Each identity provider has a unique JWKS endpoint that publishes the public keys used in signature verification.
- Tokens are validated locally in the Envoy data plane, without calling back to the identity provider on each request.
- The token's 'iss' (issuer) claim selects which issuer's public key set is used for verification.
- Claims such as 'sub' and 'email' can be forwarded as headers to upstream services.
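The verification flow the bullets describe (select the key set by `iss`, check the signature, enforce audience and expiry, then copy claims into upstream headers) is shown below as an added, self-contained example. It is not kgateway or Envoy code. To stay dependency-free it uses HS256 with a per-issuer shared secret where a real deployment would hold the RS256/ES256 public keys fetched from each issuer's JWKS endpoint; the issuer and `kid` selection logic is the same. The issuer URLs, secrets, audience and header names are constructed for the example.

```python
"""Per-issuer JWT verification modelled on the multi-issuer flow described
above. Added illustration, not kgateway code. Simplification: HS256 with a
per-issuer shared secret stands in for the public keys a JWKS endpoint
would publish (constructed values throughout)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the key sets fetched from each issuer's JWKS URL,
# indexed by issuer and then by key id ("kid").
KEY_SETS = {
    "https://tenant.example.auth0.com/": {"auth0-key-1": b"auth0-secret-constructed"},
    "https://accounts.google.com": {"google-key-1": b"google-secret-constructed"},
}
REQUIRED_AUDIENCE = "api.example.com"            # assumed audience
CLAIM_HEADERS = {"sub": "x-jwt-sub", "email": "x-jwt-email"}  # assumed header names


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwtRejected(Exception):
    pass


def sign_token(issuer: str, kid: str, claims: dict) -> str:
    """Mint an HS256 token the way a (simulated) issuer would; used only to
    produce sample input for the verifier below."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(KEY_SETS[issuer][kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Validate a token against the key set chosen by its `iss` claim.
    Returns the verified claims or raises JwtRejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise JwtRejected("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JwtRejected("malformed token")

    # 1. `iss` is read before verification only to pick the key set; nothing
    #    in the payload is trusted until the signature has been checked.
    issuer = claims.get("iss")
    keys = KEY_SETS.get(issuer)
    if keys is None:
        raise JwtRejected("unknown issuer")

    # 2. Pin the algorithm; the token's own `alg` must not choose the verifier.
    if header.get("alg") != "HS256":
        raise JwtRejected("unsupported alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise JwtRejected("unknown kid for issuer")

    # 3. Signature check with a constant-time comparison.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JwtRejected("bad signature")

    # 4. Audience and expiry, as the policy would enforce them.
    aud = claims.get("aud")
    if REQUIRED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise JwtRejected("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise JwtRejected("token expired")
    return claims


def claims_to_headers(claims: dict) -> dict:
    """Map verified claims onto the headers forwarded to the upstream."""
    return {hdr: str(claims[c]) for c, hdr in CLAIM_HEADERS.items() if c in claims}


def authorize_request(token: str, now=None) -> dict:
    """Gateway-style decision: 200 plus upstream headers, or 401 plus reason."""
    try:
        claims = verify_token(token, now)
    except JwtRejected as exc:
        return {"status": 401, "reason": str(exc)}
    return {"status": 200, "headers": claims_to_headers(claims)}


if __name__ == "__main__":
    tok = sign_token("https://accounts.google.com", "google-key-1",
                     {"iss": "https://accounts.google.com", "aud": REQUIRED_AUDIENCE,
                      "exp": int(time.time()) + 300, "sub": "user-1", "email": "u1@example.com"})
    print(authorize_request(tok))
```

The order of the checks matters: the issuer lookup happens on unverified claims, so it may only choose a key set, never grant anything, and the algorithm is fixed by the verifier rather than taken from the token header.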
Opening excerpt (first ~120 words)

Emmanuel Chukwudi, posted on May 17. Tags: #kgateway #jwt #kubernetes #security

Production APIs often need to accept tokens from more than one identity provider, for example a tenant's own Auth0 tenant and Google Workspace for internal tools. kgateway's JWTPolicy resource lets you declare multiple issuers in one policy and attach it to any HTTPRoute, so you don't need a separate gateway per IdP.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.