schemas.schema-form.json Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of gravitee-policy-jwt Show documentation
Show all versions of gravitee-policy-jwt Show documentation
Validate the token signature and expiration date before sending the API call to the target backend
The newest version!
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"properties": {
"signature": {
"title": "Signature",
"description": "Define how the JSON Web Token must be signed.",
"type": "string",
"default": "RSA_RS256",
"enum": ["RSA_RS256", "RSA_RS384", "RSA_RS512", "HMAC_HS256", "HMAC_HS384", "HMAC_HS512"],
"x-schema-form": {
"type": "select",
"titleMap": {
"RSA_RS256": "RS256 - RSA signature with SHA-256",
"RSA_RS384": "RS384 - RSA signature with SHA-384",
"RSA_RS512": "RS512 - RSA signature with SHA-512",
"HMAC_HS256": "HS256 - HMAC with SHA-256, requires 256+ bit secret",
"HMAC_HS384": "HS384 - HMAC with SHA-384, requires 384+ bit secret",
"HMAC_HS512": "HS512 - HMAC with SHA-512, requires 512+ bit secret"
}
}
},
"publicKeyResolver": {
"title": "JWKS resolver",
"description": "Define how the JSON Web Key Set is retrieved",
"type": "string",
"default": "GIVEN_KEY",
"enum": ["GIVEN_KEY", "GATEWAY_KEYS", "JWKS_URL"],
"x-schema-form": {
"type": "select",
"titleMap": {
"GIVEN_KEY": "GIVEN_KEY: You must provide a signature key as a resolver parameter according to the signature algorithm",
"GATEWAY_KEYS": "GATEWAY_KEYS: Look for signature key from API Gateway configuration according to issuer and kid from incoming JWT",
"JWKS_URL": "JWKS_URL: Retrieve JWKS from URL (Basically, URL ending with '/.well-known/jwks.json')"
}
},
"gioConfig": {
"banner": {
"title": "JWKS resolver",
"text": "- GIVEN_KEY: You must provide a signature key as a resolver parameter according to the signature algorithm
- GATEWAY_KEYS: Look for signature key from API Gateway configuration according to issuer and kid from incoming JWT
- JWKS_URL: Retrieve JWKS from URL (Basically, URL ending with '/.well-known/jwks.json')
"
}
}
},
"resolverParameter": {
"title": "Resolver parameter",
"description": "Set the signature key GIVEN_KEY or a JWKS_URL following selected resolver (support EL).",
"type": "string",
"format": "gio-code-editor",
"x-schema-form": {
"type": "codemirror",
"codemirrorOptions": {
"placeholder": "Put signature key content here",
"lineWrapping": true,
"lineNumbers": true,
"allowDropFileTypes": true,
"autoCloseTags": true
},
"expression-language": true
}
},
"useSystemProxy": {
"title": "Use system proxy",
"description": "Use system proxy (make sense only when resolver is set to JWKS_URL)",
"type": "boolean",
"default": false
},
"extractClaims": {
"title": "Extract JWT Claims",
"description": "Put claims into the 'jwt.claims' context attribute.",
"type": "boolean",
"default": false
},
"propagateAuthHeader": {
"title": "Propagate Authorization header",
"description": "Allows to propagate Authorization header to the target endpoints",
"type": "boolean",
"default": true
},
"userClaim": {
"title": "User claim",
"description": "Claim where the user can be extracted",
"type": "string",
"default": "sub"
},
"clientIdClaim": {
"title": "Client ID claim",
"description": "Claim where the client ID can be extracted. Configuring this field will override the standard behavior.",
"type": "string"
},
"confirmationMethodValidation": {
"type": "object",
"title": "Confirmation Method Validation",
"properties": {
"ignoreMissing": {
"title": "Ignore missing CNF",
"description": "Will ignore CNF validation if the token doesn't contain any CNF information. Default is false.",
"type": "boolean",
"default": false
},
"certificateBoundThumbprint": {
"type": "object",
"title": "Certificate Bound thumbprint (x5t#S256)",
"properties": {
"enabled": {
"title": "Enable certificate bound thumbprint validation",
"description": "Will validate the certificate thumbprint extracted from the access_token with the one provided by the client. The default is false.",
"type": "boolean",
"default": false
},
"extractCertificateFromHeader": {
"title": "Extract client certificate from headers",
"description": "Enabled to extract the client certificate from request header. Necessary when the M-TLS connection is handled by a proxy.",
"type": "boolean",
"default": false
},
"headerName": {
"title": "Header name",
"description": "Name of the header where to find the client certificate.",
"type": "string",
"default": "ssl-client-cert"
}
}
}
},
"additionalProperties": false
}
},
"required": ["signature", "publicKeyResolver"],
"additionalProperties": false
}