Token Validation
One time setup to configure supported token issuers
- Configure global settings for supported token issuers, as in the following sample configuration:
# values.yaml with global settings
global:
  titanSideCars:
    issuers:
      - issuer: https://demo.com
        jwks: https://demo.com/oauth2/keys
        cluster: demo
The above configuration can be overridden on a per-service basis.
If the issuers array has more than one entry, a token is considered valid if it matches any configured issuer.
# titanSideCars.issuers[].
  issuer: string
  jwks: string
  cluster: string

- issuer (string, required): Token issuer name.
- jwks (string, required): URI to fetch the public key JWKS used to verify the token signature.
- cluster (string, required): Name of the cluster to use to fetch the JWKS. The specified cluster should already be configured under the titanSideCars.envoy.clusters cluster map.
# titanSideCars.
  ingress:
    tokenCheck: bool
    routes:
      - match: RouteMatch
        tokenCheck: bool

- ingress.tokenCheck (bool, default false): Controls token validation.
  If set to true, token validation is performed on all incoming requests. Token validation can be skipped on a per-route basis.
  If set to false, token validation is skipped by default unless enabled for specific requests on a per-route basis.
- ingress.routes[].match (RouteMatch, required)
- ingress.routes[].tokenCheck (bool, optional): Controls enablement of token validation for matching requests. This flag works in conjunction with the titanSideCars.ingress.tokenCheck flag.
  If the ingress-level flag is set to true, setting this to false will disable token validation for matching requests.
  If the ingress-level flag is set to false, setting this to true will enable token validation for matching requests.
Enable by default and disable for specific routes
titanSideCars:
  ingress:
    tokenCheck: true
    routes:
      - match:
          prefix: /myapp/status
        tokenCheck: false

The above will skip token validation for requests starting with /myapp/status.
Disable by default and enable for specific routes
titanSideCars:
  ingress:
    tokenCheck: false
    routes:
      - match:
          prefix: /myapp/objects
        tokenCheck: true

The above will enforce token validation for requests starting with /myapp/objects.
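
To review which paths a given `ingress` block leaves unvalidated, the two flags can be modelled as below. This is an added example, not code from the Titan sidecars project; the function names are hypothetical, and it assumes routes are checked in order with the first matching prefix winning, that `prefix` is a plain string-prefix comparison, and that a route without its own `tokenCheck` inherits the ingress-level flag.

```python
# Added example, not project code. Assumptions: routes are checked in order,
# the first matching prefix wins, and "prefix" is a plain string-prefix match.

ENABLE_BY_DEFAULT = {   # constructed: parsed form of the first sample above
    "tokenCheck": True,
    "routes": [{"match": {"prefix": "/myapp/status"}, "tokenCheck": False}],
}
DISABLE_BY_DEFAULT = {  # constructed: parsed form of the second sample above
    "tokenCheck": False,
    "routes": [{"match": {"prefix": "/myapp/objects"}, "tokenCheck": True}],
}


def token_check_enforced(ingress, path):
    """Return True if token validation applies to a request for `path`."""
    default = bool(ingress.get("tokenCheck", False))  # documented default: false
    for route in ingress.get("routes", []):
        prefix = route.get("match", {}).get("prefix")
        if prefix is not None and path.startswith(prefix):
            # The per-route flag is optional; without it the ingress flag applies.
            return bool(route.get("tokenCheck", default))
    return default


def audit(ingress):
    """Summarise the ingress default and the prefixes that deviate from it."""
    default = bool(ingress.get("tokenCheck", False))
    exceptions = [
        r["match"]["prefix"]
        for r in ingress.get("routes", [])
        if "prefix" in r.get("match", {}) and r.get("tokenCheck", default) != default
    ]
    key = "skips_validation" if default else "requires_validation"
    return {"default_validates": default, key: exceptions}


if __name__ == "__main__":
    for name, cfg in [("enable-by-default", ENABLE_BY_DEFAULT),
                      ("disable-by-default", DISABLE_BY_DEFAULT)]:
        print(name, audit(cfg))
        for p in ("/myapp/status", "/myapp/statusboard", "/myapp/objects/1", "/other"):
            state = "validated" if token_check_enforced(cfg, p) else "NOT validated"
            print("  ", p, "->", state)
```

Under the string-prefix assumption, an exemption for `/myapp/status` also covers sibling paths such as `/myapp/statusboard`, and an `ingress` block that omits `tokenCheck` validates nothing, so both are worth checking when reviewing a values file.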