x-yc-apigateway-authorizer:jwt
extension
The x-yc-apigateway-authorizer:jwt
extension is used within the securityScheme
Supported parameters
The table below lists the parameters specific to API Gateway API gateways. You can find the description of other parameters in the OpenAPI 3.0 specification
Parameter | Type | Required | Description |
---|---|---|---|
jwksUri |
string |
No | Address at which one can get a public key for JWT signature verification. The keys must be in JWKSjwks_uri field of the configuration file will be used. The configuration file is available at the address specified in the standard openIdConnectUrl parameter. |
identitySource |
IdentitySource |
Yes | Identifies where the token is located in the request. |
issuers |
string[] |
No | Possible iss field values of the token being validated. |
audiences |
string[] |
No | Possible aud field values of the token being validated. |
requiredClaims |
string[] |
No | JWT body fields that must be available in any token being validated. |
authorizer_result_ttl_in_seconds |
int |
No | Time limit on keeping the authorization result stored in the local API Gateway cache. If this parameter is not specified, the response is not cached. |
authorizer_result_caching_mode |
string |
No | Defines the authorization result caching mode. To use it, make sure to specify the authorizer_result_ttl_in_seconds parameter. Possible values: path , uri . |
jwkTtlInSeconds |
int |
No | Time limit on keeping the public key from the response to a request, whose address is specified in the jwksUri parameter, stored in the local API Gateway cache. If this parameter is not specified, the key is not cached. |
You do not need to to specify the openIdConnectUrl
parameter, which is standard for the OpenAPI 3.0 specificationjwksUri
parameter is specified.
The IdentitySource
object may contain the following parameters:
Parameter | Type | Description |
---|---|---|
in |
string |
Token location. The possible values are header , query , or cookie ; the token is provided in the header, query parameter, or cookie, respectively. |
name |
string |
Name of the variable that stores the token. This may be a header or request variable name. |
prefix |
string |
This is an optional parameter. It sets the token prefix. The default value is an empty string. |
Supported signature algorithms
Signature algorithm | alg field value |
---|---|
RSASSA-PKCS1-v1_5 and SHA-256 |
RS256 |
RSASSA-PKCS1-v1_5 and SHA-384 |
RS384 |
RSASSA-PKCS1-v1_5 and SHA-512 |
RS512 |
ECDSA with the P-256 and SHA-256 function |
ES256 |
ECDSA with the P-384 and SHA-384 function |
ES384 |
ECDSA with the P-521 and SHA-512 function |
ES512 |
API call authorization algorithm
Request authorization with a JWT is based on the following algorithm:
-
API Gateway checks whether there is a token in
identitySource
and removes its prefix if it is provided in the specification. -
If the specification allows caching the authorization result and a cached record is still valid, API Gateway returns the cached authorization result. Otherwise, it decodes the token header and body.
-
API Gateway specifies the receiving address of the public key required to validate the electronic signature of the JWS
token. It does this using thejwksUri
parameter value. If thejwksUri
parameter is not provided in the specification, API Gateway uses theopenIdConnectUrl
parameter, which is standard for OpenAPI, to send a request to the address specified in the parameter and retrieves the public key address from thejwks_uri
field located in the body of the response. -
If the specification allows caching public keys and the cached record is still valid, API Gateway uses the receiving address of the public keys and the public key ID (
kid
field of the JWT header) to try and retrieve the public key from the local cache. Otherwise, it queries the public key at its address. The public key whose ID matches thekid
field value in the JWT header is selected from the response body. The retrieved public key is cached if the specification allows this. -
API Gateway checks whether the token signature algorithms and the public key match.
-
API Gateway verifies the token signature.
-
API Gateway checks the token body fields:
exp
: Must be greater than the current UTC time.nbf
: Must be smaller than the current UTC time.iat
: Must be smaller than the current UTC time.iss
: Must take one of the values specified in theissuers
specification parameter.aud
: Must take one of the values specified in theaudiences
specification parameter.
For more information about the fields, see the JWT standard
. -
API Gateway checks that the token body contains the fields set in the
requiredClaims
specification parameter. -
API Gateway checks that the token owner (token's
scope
field value) has all permissions required to get the requested resource.
If any check fails, API Gateway denies access to the requested resource and returns the 403 status code.
Extension specification
Sample extension specification:
paths:
/jwt/header/authorize:
get:
summary: Authorized operation with OpenId Connect security scheme and JWT in header
operationId: httpOpenIdAuthorizeWithJwtInHeader
security:
- jwtHeaderAuthorizer:
- profile:read
- profile:write
x-yc-apigateway-integration:
type: dummy
content:
'*': "Authorized!"
http_code: 200
http_headers:
'Content-Type': "text/plain"
components:
securitySchemes:
jwtHeaderAuthorizer:
type: openIdConnect
openIdConnectUrl: https://example.com/.well-known/openid-configuration
x-yc-apigateway-authorizer:
type: jwt
authorizer_result_ttl_in_seconds: 3000
jwkTtlInSeconds: 5000
jwksUri: https://example.com/.well-known/jwks.json
issuers:
- https://example.com
- https://example2.com
audiences:
- audience-1
- audience-2
identitySource:
in: header
name: Authorization
prefix: "Bearer "
requiredClaims:
- role
- email
In the above example, API Gateway validates the token in the Authorization
header when accessing the /jwt/query/authorize
resource. To get the token, remove the Bearer
prefix is from the target header value.
For successful authorization:
- The token signature and all common fields must be correct.
- The token must contain the
role
andemail
fields. - The
iss
field value must equalhttps://example.com
orhttps://example2.com
. - The
aud
field value must equalaudience-1
oraudience-2
. - The token must have the
profile:read
andprofile:write
permissions specified.
Caching authorization results
The authorization result is stored in the local API Gateway cache if the extension has the authorizer_result_ttl_in_seconds
parameter specified. If, during the time specified in the authorizer_result_ttl_in_seconds
parameter, another HTTP request with similar caching key components is received again, API Gateway will use the cached response without validating the token signature.
The caching key contents depend on the authorizer_result_caching_mode
value.
path caching mode |
uri caching mode |
No caching mode specified |
---|---|---|
path , operation (HTTP method), and token |
uri , operation (HTTP method), and token |
path , operation (HTTP method), and token |
For example, for the resource ID in the /user/{id}
specification and in the /user/1234
request, if the authorizer_result_caching_mode
parameter value equals path
, /user/{id}
will be used to generate a caching key; if it equals uri
, /user/123
will be used.
Caching public keys
A public key obtained when accessing the address specified in the jwksUri
parameter or the configuration file's jwks_uri
field, is stored in the local API Gateway cache if the extension has the jwkTtlInSeconds
parameter specified.
When generating the cache key, the public key ID (kid
field value from the JWT header) and the address the public key was received at are used.
If an HTTP request requiring a public key with the same address and the kid
key ID is received again within the time specified in jwkTtlInSeconds
, API Gateway will use the response stored in the cache and will not request the public key again.
Authorization context
If the authorization is successful, the JWT authorization context will be provided in the request inside the requestContext.authorizer.jwt
field when invoking a user-defined integration function. The JWT authorization context contains the following parameters:
Parameter | Type | Description |
---|---|---|
claims |
map[string]string |
Token body fields. |
scopes |
list |
Token owner permissions. |
Possible errors
401 Unauthorized
: The client did not provide authorization data in the HTTP request or the provided token is incorrect, e.g., invalid signature, empty required fields, token lifetime expired, etc.403 Forbidden
: The token has no permissions (scope
field) required to access the requested resource.500 Internal Server Error
: API Gateway failed to retrieve the OpenID Connect configuration or incorrect public key structure/returned value.