JWT Validation Action for Auth0
Overview
The JWT Validation action can be configured to validate tokens issued from Auth0.
Example Traffic Policy
This is an example Traffic Policy configuration for setting up a new API and Machine to Machine application in Auth0.
- YAML
- JSON
---
on_http_request:
- actions:
- type: jwt-validation
config:
issuer:
allow_list:
- value: https://dev-tenant-id.us.auth0.com/
audience:
allow_list:
- value: https://dev-tenant-id.us.auth0.com/api/v2/
http:
tokens:
- type: jwt
method: header
name: Authorization
prefix: "Bearer "
jws:
allowed_algorithms:
- RS256
keys:
sources:
additional_jkus:
- https://dev-tenant-id.us.auth0.com/.well-known/jwks.json
{
"on_http_request": [
{
"actions": [
{
"type": "jwt-validation",
"config": {
"issuer": {
"allow_list": [
{
"value": "https://dev-tenant-id.us.auth0.com/"
}
]
},
"audience": {
"allow_list": [
{
"value": "https://dev-tenant-id.us.auth0.com/api/v2/"
}
]
},
"http": {
"tokens": [
{
"type": "jwt",
"method": "header",
"name": "Authorization",
"prefix": "Bearer "
}
]
},
"jws": {
"allowed_algorithms": [
"RS256"
],
"keys": {
"sources": {
"additional_jkus": [
"https://dev-tenant-id.us.auth0.com/.well-known/jwks.json"
]
}
}
}
}
}
]
}
]
}
Step 1 — Define your API in Auth0
You will need to create an API in Auth0. If you've already done this, skip to the next section. Once logged into your Auth0 Tenant Dashboard:
- Select
Applications > APIs
- Then, click
+ Create API
Name your API whatever you'd like, and choose an identifier and signing algorithm. These values will be used later as the audience and algorithm claims.
Once your API is created, you can define and add scopes needed in the
Permissions
tab. These values will be populated in the scope
claim of your
JWT.
Step 2 — Accessing your JWT
Upon creating your new API, Auth0 will create an associated application under
Applications > APIs
in the left navigation bar.
Navigate to your application, and click on the Test
tab. Here, you will
find a signed, fully functional JWT, as well as examples of how to programmatically
generate one.
Step 3 — Creating a Machine to Machine application
When you create your API in Auth0, it will automatically create a new Machine to
Machine Application and authorize it to use your new API. If you added
additional scopes for your API, you will need to manually add them to the new
application in the Machine to Machine Applications
tab of your new API.
If it did not create one automatically, you can create a new Machine to Machine app and select your new API when prompted.
Step 4 — Configuring the ngrok JWT Validation action
You now have everything you need to configure the JWT Validation action inside of ngrok.
In your ngrok Dashboard, select
Cloud Edge > Edges
and create a new HTTP Edge.
If you already have a domain in your account, you can select it here, otherwise, a new domain will be created for you.
Once your Edge is created, select Traffic Policy
from the sidebar and click
Begin Setup
.
Edit the Traffic Policy, and copy the JSON example from above directly into the
ngrok Dashboard. For many of these values, it is easiest to take the example
token from the Quickstart
tab of your Auth0 Application and decode it using
jwt.io. Customize the values as follows:
Field | Claim | Description |
---|---|---|
issuer.allow_list.value | iss | The issuer is usually the full URL of the Auth0 application. It can be found in your .well-known/openid-configuration URL, which is usually available at https://{App Domain}/.well-known/openid-configuration . The App Domain can be found in the Settings tab of your Auth0 application. |
audience.allow_list.value | aud | The audience claim is the identifier of your API and can be found in the APIs section of your Auth0 dashboard. |
http.tokens | n/a | This is the location of the token in the incoming request. You do not need to change this value. |
jws.allowed_algorithms | alg | The algorithm your API uses to decode the JWT. You can find this value in Auth0 in your API, on the Settings tab, under Token Settings . |
jws.keys.sources.additional_jkus | n/a | This is the URL to use to verify the JWT signature. It can be found in your .well-known/openid-configuration URL, which is usually available at https://{App Domain}/.well-known/openid-configuration . The App Domain can be found in the Settings tab of your Auth0 application. |
Once you've added these values, you can Save the policy and Save the Edge in
ngrok. Once you follow the instructions to Start a Tunnel
for your edge, you
can test it using curl:
curl --request GET \
--url http://your-ngrok-domain.ngrok-free.dev/ \
--header 'authorization: Bearer YOUR-FULL-JWT-HERE-FROM-STEP-1'
If you were able to see the response from your API, everything is working correctly. You can double check by sending a malformed token.
If you get an error with a valid token, go back and double check that your issuer and audience values are correct in your traffic policy.