github.com/nginxinc/kubernetes-ingress@v1.12.5/examples/jwt/README.md

# Support for JSON Web Tokens (JWTs)

NGINX Plus supports validating JWTs with [ngx_http_auth_jwt_module](https://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html).

The Ingress controller provides the following 4 annotations for configuring JWT validation:

* Required: ```nginx.com/jwt-key: "secret"``` -- specifies a Secret resource with keys for validating JWTs. The keys must be stored in the `jwk` data field. The type of the secret must be `nginx.org/jwk`.
* Optional: ```nginx.com/jwt-realm: "realm"``` -- specifies a realm.
* Optional: ```nginx.com/jwt-token: "token"``` -- specifies a variable that contains the JSON Web Token. By default, a JWT is expected in the `Authorization` header as a Bearer Token.
* Optional: ```nginx.com/jwt-login-url: "url"``` -- specifies a URL to which a client is redirected in case of an invalid or missing JWT.

## Example 1: the Same JWT Key for All Paths

In the following example we enable JWT validation for the cafe-ingress Ingress for all paths using the same key `cafe-jwk`:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    nginx.com/jwt-key: "cafe-jwk"
    nginx.com/jwt-realm: "Cafe App"
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login.example.com"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
```

* The keys must be deployed separately in the Secret `cafe-jwk`.
* The realm is `Cafe App`.
* The token is extracted from the `auth_token` cookie.
* The login URL is `https://login.example.com`.
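
One way to produce the `cafe-jwk` Secret that Example 1 refers to, together with a short-lived token for testing the protected paths. This is an added example, not part of the original README or the NGINX project's code. It assumes an HS256 symmetric key in a JWK Set; the key id `0001`, the `sub` value and all function names are illustrative.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwks(key: bytes, kid: str) -> str:
    # JWK Set with a single symmetric ("oct") key, usable for HS256.
    return json.dumps({"keys": [{"kty": "oct", "kid": kid, "k": b64url(key)}]})

def make_secret(name: str, jwks: str) -> dict:
    # Shape required by the README: type nginx.org/jwk, key set in the `jwk` data field.
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "nginx.org/jwk",
            "data": {"jwk": base64.b64encode(jwks.encode()).decode()}}

def sign_hs256(key: bytes, kid: str, claims: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))
    return body + "." + b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_hs256(token: str, jwks: str, now: float = None) -> bool:
    # Local self-check of the generated pair; this is not NGINX Plus's code.
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except ValueError:
        return False
    if not (isinstance(header, dict) and isinstance(claims, dict)
            and header.get("alg") == "HS256"):  # pin the algorithm; rejects "none"
        return False
    jwk = next((k for k in json.loads(jwks)["keys"]
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h64}.{c64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(sig, mac.digest()):
        return False
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and exp > (time.time() if now is None else now)

if __name__ == "__main__":
    key, kid = secrets.token_bytes(32), "0001"   # constructed sample key and key id
    print(json.dumps(make_secret("cafe-jwk", make_jwks(key, kid)), indent=2))
    print(sign_hs256(key, kid, {"sub": "test-user", "exp": int(time.time()) + 300}))
```

The first printed document is a JSON manifest that `kubectl apply -f` accepts; the second is a five-minute token to send in the `auth_token` cookie when exercising `/tea` and `/coffee`.
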

## Example 2: a Separate JWT Key Per Path

In the following example we enable JWT validation for the [mergeable Ingresses](../mergeable-ingress-types) with a separate JWT key per path:

* Master:
  ```yaml
  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    name: cafe-ingress-master
    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.org/mergeable-ingress-type: "master"
  spec:
    tls:
    - hosts:
      - cafe.example.com
      secretName: cafe-secret
    rules:
    - host: cafe.example.com
  ```

* Tea minion:
  ```yaml
  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    name: cafe-ingress-tea-minion
    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.org/mergeable-ingress-type: "minion"
      nginx.com/jwt-key: "tea-jwk"
      nginx.com/jwt-realm: "Tea"
      nginx.com/jwt-token: "$cookie_auth_token"
      nginx.com/jwt-login-url: "https://login-tea.cafe.example.com"
  spec:
    rules:
    - host: cafe.example.com
      http:
        paths:
        - path: /tea
          backend:
            serviceName: tea-svc
            servicePort: 80
  ```

* Coffee minion:
  ```yaml
  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    name: cafe-ingress-coffee-minion
    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.org/mergeable-ingress-type: "minion"
      nginx.com/jwt-key: "coffee-jwk"
      nginx.com/jwt-realm: "Coffee"
      nginx.com/jwt-token: "$cookie_auth_token"
      nginx.com/jwt-login-url: "https://login-coffee.cafe.example.com"
  spec:
    rules:
    - host: cafe.example.com
      http:
        paths:
        - path: /coffee
          backend:
            serviceName: coffee-svc
            servicePort: 80
  ```