Secure your API with TokenXΒΆ
This how-to guides you through the steps required to secure your API using TokenX:
Grant access to consumersΒΆ
Specify inbound access policies to authorize your consumers:
spec:
tokenx:
enabled: true
accessPolicy:
inbound:
rules:
- application: app-1 # same namespace and cluster
- application: app-2 # same cluster
namespace: team-a
- application: app-3
namespace: team-b
cluster: prod-gcp
The above configuration authorizes the following applications:
- application
app-1running in the same namespace and same cluster as your application - application
app-2running in the namespaceteam-ain the same cluster - application
app-3running in the namespaceteam-bin the clusterprod-gcp
Now that you have granted access to your consumers, they can now exchange tokens for new tokens that target your application. You will need to validate these tokens in your application.
Validate tokensΒΆ
Verify incoming requests from consumers by validating the JWT Bearer token in the Authorization header.
To validate a token, you can either:
- validate tokens with Texas, or
- validate JWTs manually in your application
Validate with TexasΒΆ
Texas is not enabled by default
See the Texas documentation for more information.
Send a HTTP POST request to the endpoint found in the NAIS_TOKEN_INTROSPECTION_ENDPOINT environment variable.
The request must have a Content-Type header set to either:
application/jsonorapplication/x-www-form-urlencoded
The body of the request should contain the following parameters:
| Parameter | Example Value | Description |
|---|---|---|
identity_provider |
tokenx |
Always tokenx. |
token |
eyJra... |
The access token you wish to validate. |
The response is always a HTTP 200 OK response with a JSON body.
It always contains the active field, which is a boolean value that indicates whether the token is valid or not.
Success responseΒΆ
If the token is valid, the response will also contain all the token's claims:
Texas validates the standard claims. Other claims are not validated. Your application must validate these claims according to your own requirements.
Error responseΒΆ
If the token is invalid, the only additional field in the response is the error field:
The error field contains a human-readable error message that describes why the token is invalid.
Validate JWT manuallyΒΆ
Validating a JWT involves a number of steps. These steps are outlined and described below in a language- and framework-agnostic way.
Libraries for token validation
We recommend using a library in your language of choice to handle all the validation steps described below. Here are some recommended libraries:
- navikt/oasis (JavaScript)
- navikt/token-support (Java / Kotlin)
Validation is also supported by many popular frameworks:
- Ktor (Kotlin)
- Spring Security (Java / Kotlin)
To validate the token, start by validating the signature and standard time-related claims.
Additionally, perform the following validations:
Issuer Validation
Validate that the iss claim has a value that is equal to either:
- the
TOKEN_X_ISSUERenvironment variable, or - the
issuerproperty from the metadata discovery document. The document is found at the endpoint pointed to by theTOKEN_X_WELL_KNOWN_URLenvironment variable.
Audience Validation
Validate that the aud claim is equal to TOKEN_X_CLIENT_ID.
Signature Validation
Validate that the token is signed with a public key published at the JWKS endpoint. This endpoint URI can be found in one of two ways:
- the
TOKEN_X_JWKS_URIenvironment variable, or - the
jwks_uriproperty from the metadata discovery document. The document is found at the endpoint pointed to by theTOKEN_X_WELL_KNOWN_URLenvironment variable.
Other Token Claims
Other claims may be present in the token. Validation of these claims is optional.
See the TokenX claims reference for details.