| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 |
- [#jwt-keys]
- = JWT with Keys
- include::partial$earlydoc.adoc[]
- == Using Public Keys via JWKS
- OliveTin Supports **JSON Web Key Sets (JWKS)**. This approach is often used with services like CloudFlare.
- [source,yaml]
- .`config.yaml`
- ----
- authJwtAud: "asdf1234"
- authJwtCertsURL: "https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs"
- authJwtClaimUsername: email
- authJwtCookieName: "CF_Authorization"
- ----
- You may well want to set `logLevel: DEBUG` and `insecureAllowDumpJwtClaims: true` in your config when testing JWT for the first time.
- == Using with Teleport/Headers
- If you are using Teleport, you can use the `authJwtCertsURL` to point to the Teleport JWKS.
- Teleport can only https://goteleport.com/docs/enroll-resources/application-access/jwt/introduction/#inject-jwt[inject the JWT into a header], so you will need to set `authJwtHeader` to the header name that you have configured Teleport to use, e.g., `Authorization`.
- [source,yaml]
- .`config.yaml`
- ----
- authJwtCertsURL: "https://teleport.mydomain/.well-known/jwks.json"
- authJwtHeader: Authorization
- ----
- Replace teleport.mydomain with the domain of your Teleport instance.
- == Using Public Keys on Disk
- This approach can be useful if your Authentication service does not support JWKS, or if you don't want to use it. Public Keys should be available on disk in a file - which can have any filename or extension you like. The files need to be RSA keys in PEM format to be used by OliveTin, though. P12 is not supported.
- [source,yaml]
- .`config.yaml`
- ----
- authJwtAud: "asdf1234"
- authJwtPubKeyPath: "/opt/mykey.crt"
- authJwtClaimUsername: email
- authJwtCookieName: "CF_Authorization"
- ----
- == See Also
- * xref:solutions/cloudflare_access_tunnel/index.adoc[Cloudflare Access & Tunnels Solution]
|