JSON Web Tokens Validation
JSON web tokens (JWT) are often used as part of an authentication component on many web applications today. Since JWTs are crucial to identifying users and their access, ensuring the token’s integrity is important.
API Shield’s JWT Validation stops JWT replay attacks and JWT tampering by cryptographically verifying incoming JWTs before they are passed to your API origin. JWT Validation will also stop requests with expired tokens or tokens that are not yet valid.
Endpoints must be added to Endpoint Management for JWT Validation to protect them.
A JWT Validation configuration consists of creating a Token Validation Configuration by adding your JWT signer's public JSON Web Key Set (JWKS) and a JWT Validation Rule by specifying which hostnames and endpoints should be included for validation.
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to Security > API Shield > Settings.
- Under JSON Web Token Settings, select Add configuration.
- Add a name for your configuration.
- Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name.
- Copy and paste your JWT issuer’s public key(s) (JWKS).
Each JWT issuer typically publishes public keys (JWKS) for verification at a known URL on the Internet. If you do not know where to get them, contact your identity administrator.
To automatically keep your JWKS up to date when your identity provider refreshes them, you can use a Worker. Refer to Configure Workers to automatically update keys to learn more about setting up the Worker.
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to Security > API Shield > API Rules.
- Add a name for your rule.
- Select a hostname to protect requests with saved endpoints using the rule.
- Deselect any endpoints that you want JWT Validation to ignore (for example, an endpoint used to generate a JWT).
- Select the Token Validation Configuration that corresponds to the incoming requests.
- Choose whether to strictly enforce token presence on these endpoints.
- You may not expect 100% of clients to send in JWTs with their requests. If this is the case, choose Ignore. JWT Validation will still validate JWTs that are present.
- You may otherwise expect all requests to the selected hostname and endpoints to contain JWTs. If this is the case, choose Mark as non-compliant.
- Choose an action to take for non-compliant requests. For example, JWTs that do not pass validation (expired, tampered with, or bad signature tokens) or requests with missing JWTs when Mark as non-compliant is selected in the previous step.
- Select Save.
If you expect that two different JWTs should be present in a request and you want to validate both, you must create two different token configurations. When selecting the two configurations in your validation rule, select Validate all configurations under Validation behavior for multiple configurations.
If you expect to migrate between two different identity providers, you must create two different token configurations and two different validation rules, each corresponding to its own configuration. With this setup, you can change the action for different validation rules depending on the state of your migration.
API Shield will verify JSON Web Tokens regardless of whether or not they have the Bearer prefix.
JWT Validation is available for all API Shield customers. Enterprise customers who have not purchased API Shield can preview API Shield as a non-contract service ↗ in the Cloudflare dashboard or by contacting your account team.
Currently, the following known limitations exist:
- JWT Validation only operates on JWTs sent in client request headers or cookies. If your clients send in JWTs in a POSTbody, direct that feedback to your account team.
- JWT Validation only operates for endpoints (host, method, and path) added to Endpoint Management. You can add all of your endpoints to endpoint management through API Discovery, Schema Validation, manually via the Cloudflare dashboard, or via the API.