jwt_keys.adoc
[#jwt-keys]
= JWT with Keys
include::partial$earlydoc.adoc[]

== Using Public Keys via JWKS

OliveTin supports **JSON Web Key Sets (JWKS)**: it fetches the identity provider's public keys from `authJwtCertsURL` and uses them to verify the signature on each incoming JWT. This approach is often used with services like Cloudflare Access. Set `authJwtAud` to the audience (AUD) tag of your Access application, so that a token issued for a different application is rejected even though it carries a valid signature.
[source,yaml]
.`config.yaml`
----
authJwtAud: "asdf1234"
authJwtCertsURL: "https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs"
authJwtClaimUsername: email
authJwtCookieName: "CF_Authorization"
----
You may well want to set `logLevel: DEBUG` and `insecureAllowDumpJwtClaims: true` in your config when testing JWT for the first time. As its name says, the second option is insecure (it exposes the claims of every token), so remove it once things work.
== Using with Teleport/Headers

If you are using Teleport, you can point `authJwtCertsURL` at the Teleport JWKS endpoint.

Teleport can only https://goteleport.com/docs/enroll-resources/application-access/jwt/introduction/#inject-jwt[inject the JWT into a header], not a cookie, so you will need to set `authJwtHeader` to the header name that you have configured Teleport to use, e.g. `Authorization`.
[source,yaml]
.`config.yaml`
----
authJwtCertsURL: "https://teleport.mydomain/.well-known/jwks.json"
authJwtHeader: Authorization
----

Replace `teleport.mydomain` with the domain of your Teleport instance.
== Using Public Keys on Disk

This approach can be useful if your authentication service does not support JWKS, or if you don't want to use it. The public key should be available on disk in a file, which can have any filename or extension you like. The file needs to contain an RSA public key in PEM format to be used by OliveTin, though; P12 (PKCS#12) containers are not supported. Because whoever can replace this file can mint tokens OliveTin will trust, make sure only root (or the OliveTin service user, read-only) can write to it.
[source,yaml]
.`config.yaml`
----
authJwtAud: "asdf1234"
authJwtPubKeyPath: "/opt/mykey.crt"
authJwtClaimUsername: email
authJwtCookieName: "CF_Authorization"
----
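The checks behind the settings on this page, as an added example in Go that is not OliveTin's own code: it builds a JWKS document and a signed token from a throwaway key (normally only the identity provider holds that key), loads the public key back out of the JWKS by `kid`, and then verifies the token the way a careful verifier must: pin the algorithm to RS256, check the signature, check `exp`, and check that `aud` contains the configured audience (what `authJwtAud` sets), accepting both the string and the array form of `aud`, since Cloudflare Access issues the array form. A key loaded from a PEM file instead (`pem.Decode` followed by `x509.ParsePKIXPublicKey`) yields the same `*rsa.PublicKey`, so the on-disk setup above runs through the identical verifier. All function names, the `asdf1234` audience and the `alice@example.com` claim are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// testKey stands in for the identity provider's signing key; a verifier only ever sees the public half.
var testKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// publicKeyToJWKS renders the kind of document a certs endpoint (authJwtCertsURL) serves.
func publicKeyToJWKS(pub *rsa.PublicKey, kid string) []byte {
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	key := map[string]string{"kty": "RSA", "kid": kid, "n": b64.EncodeToString(pub.N.Bytes()), "e": e}
	out, _ := json.Marshal(map[string][]map[string]string{"keys": {key}})
	return out
}

// parseJWKS picks the RSA key whose kid matches the token header and rebuilds it from n and e.
func parseJWKS(data []byte, kid string) (*rsa.PublicKey, error) {
	var doc struct{ Keys []map[string]string `json:"keys"` }
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	for _, k := range doc.Keys {
		n, errN := b64.DecodeString(k["n"])
		e, errE := b64.DecodeString(k["e"])
		if k["kty"] != "RSA" || k["kid"] != kid || errN != nil || errE != nil {
			continue
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q", kid)
}

// signRS256 mints a token the way an identity provider would; it exists only to build test input.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyRS256 pins alg to RS256 (so "none" and HMAC key-confusion tokens fail), checks the
// signature over header.payload, then enforces exp and the configured audience (authJwtAud).
func verifyRS256(token string, pub *rsa.PublicKey, wantAud string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	hdrBytes, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) {
		return nil, errors.New("token expired or has no exp")
	}
	auds, _ := claims["aud"].([]any) // RFC 7519: aud is an array of strings (Cloudflare Access issues this form)...
	if s, ok := claims["aud"].(string); ok {
		auds = []any{s} // ...or a single string
	}
	matched := false
	for _, a := range auds {
		matched = matched || a == wantAud
	}
	if !matched {
		return nil, errors.New("audience mismatch")
	}
	return claims, nil
}

func main() {
	pub, _ := parseJWKS(publicKeyToJWKS(&testKey.PublicKey, "key-1"), "key-1")
	now := time.Now().Unix()
	tok := signRS256(testKey, "key-1", map[string]any{"email": "alice@example.com", "aud": []string{"asdf1234"}, "exp": now + 3600})
	claims, err := verifyRS256(tok, pub, "asdf1234", now)
	fmt.Println("username claim:", claims["email"], "err:", err)
	_, err = verifyRS256(tok, pub, "another-app", now)
	fmt.Println("same token checked against a different authJwtAud:", err)
}
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, and the audience check is what turns "a valid token from this identity provider" into "a valid token for this OliveTin instance". A token minted for another application behind the same Cloudflare account carries a different `aud` and fails the last check, which is why `authJwtAud` should not be left empty.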
== See Also

* xref:solutions/cloudflare_access_tunnel/index.adoc[Cloudflare Access & Tunnels Solution]