JSON Web Tokens Validation
JSON web tokens (JWT) are often used as part of an authentication component on many web applications today. Since JWTs are crucial to identifying users and their access, ensuring the token’s integrity is important.
API Shield’s JWT Validation stops JWT replay attacks and JWT tampering by cryptographically verifying incoming JWTs before they are passed to your API origin. JWT Validation will also stop requests with expired tokens or tokens that are not yet valid.
Process
Endpoints must be added to Endpoint Management for JWT Validation to protect them.
A JWT Validation configuration consists of creating a Token Validation Configuration by adding your JWT signer’s public keys and a JWT Validation Rule by specifying which hostnames and endpoints should be included for validation.
Add a Token Validation Configuration
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to Security > API Shield > Settings.
- Under JSON Web Token Settings, select Add configuration.
- Add a name for your configuration.
- Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name.
- Copy and paste your JWT issuer’s public key(s).
To automatically keep your keys up to date when your identity provider refreshes them, you can use a Worker. Refer to Configure Workers to automatically update keys to learn more about setting up the Worker.
Add a JWT Validation Rule
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to Security > API Shield > API Rules.
- Add a name for your rule.
- Select a hostname to protect requests with saved endpoints using the rule.
- Deselect any endpoints that you want JWT Validation to ignore (for example, an endpoint used to generate a JWT).
- Select the Token Validation Configuration that corresponds to the incoming requests.
- Choose whether to strictly enforce token presence on these endpoints.
- You may not expect 100% of clients to send in JWTs with their requests. If this is the case, choose Ignore. JWT Validation will still validate JWTs that are present.
- You may otherwise expect all requests to the selected hostname and endpoints to contain JWTs. If this is the case, choose Mark as non-compliant.
- Choose an action to take for non-compliant requests. For example, JWTs that do not pass validation (expired, tampered with, or bad signature tokens) or requests with missing JWTs when Mark as non-compliant is selected in the previous step.
- Select Save.
Special cases
Validate two JWTs with different identity providers on a single request
If you expect that two different JWTs should be present in a request and you want to validate both, you must create two different token configurations. When selecting the two configurations in your validation rule, select Validate all configurations under Validation behavior for multiple configurations.
Support a migration from one identity provider to another
If you expect to migrate between two different identity providers, you must create two different token configurations and two different validation rules, each corresponding to its own configuration. With this setup, you can change the action for different validation rules depending on the state of your migration.
Availability
JWT Validation is available for all API Shield customers. Enterprise customers who have not purchased API Shield can preview API Shield as a non-contract service in the Cloudflare dashboard or by contacting your account team.
Limitations
Currently, the following limitations are in place while we operate the closed beta:
JWT Validation configuration is only available via API today. For help configuring JWT Validation using the Cloudflare API, refer to configuring JWT Validation.
JWT Validation only operates on JWTs sent in client request headers. If your clients send in JWTs in cookies or
POST
bodies, direct that feedback to your account team.There can only be a single JWT Validation configuration per zone. We intend to remove these limitations in the near future.
JWT Validation only operates for endpoints (host, method, and path) added to Endpoint Management.
JWT Validation only operates on JWTs sent in client request headers or cookies. If your clients send in JWTs in a
POST
body, direct that feedback to your account team.JWT Validation only operates for endpoints (host, method, and path) added to Endpoint Management.