Simplified JWT Claims Authorization with Gloo Platform

Ben Lilley | September 28, 2023

Authorizing requests that use JSON Web Tokens (JWT) in Gloo Platform just got easier! In 2.4, we’ve added a new capability that allows JWT authentication and authorization to be performed in a single policy using a single filter. This simplifies configuration and removes additional filter processing from the request path.

[Figure: old way and new way with JWT claims authorization]

Prior to this change, claims-based authorization required converting claims to headers, then using OPA/Rego in an ExtAuth server to validate the claims. That approach not only required multiple configurations in different resources, but also required an extra network hop to reach the OPA module in an ExtAuth server.

In addition to simplified claims-based authorization, we’ve also added explicit scopes validation. While scope is “just a claim,” it’s also a special claim defined in RFC 8693 as a space-delimited JSON string that can optionally be used to validate the security context of the requester. Because the format and semantics of the scope claim are different from those of other claims, scopes are validated using a new “requiredScopes” field in the JwtPolicy spec.
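Why the scope claim needs its own check, shown as an added Python example (not Gloo Platform code and not the JwtPolicy API): treating `scope` like an ordinary claim, by equality or substring match, gives wrong answers, while splitting it into whole tokens does not. The function names and the claim sets are hypothetical, and the claims are assumed to come from a JWT whose signature, issuer and expiry were already verified.

```python
# Added illustration; not Gloo Platform code. Claims are assumed to come from
# a JWT whose signature, issuer and expiry were already verified.

def granted_scopes(claims):
    """Return the set of scopes in an RFC 8693 style `scope` claim."""
    raw = claims.get("scope")
    if not isinstance(raw, str):
        return set()          # missing or malformed claim grants nothing
    return set(raw.split())   # space-delimited; order is not significant

def has_required_scopes(claims, required):
    """True only if every required scope is present as a whole token."""
    return set(required) <= granted_scopes(claims)

def claims_match(claims, expected):
    """Ordinary claims: each expected key must equal the token's value exactly."""
    return all(claims.get(k) == v for k, v in expected.items())

def naive_equals(claims, required):
    """Treats scope like any other claim: whole-string equality."""
    return claims.get("scope") == " ".join(required)

def naive_substring(claims, required):
    """Substring search over the raw scope string."""
    return all(r in claims.get("scope", "") for r in required)

# Constructed sample claim sets (hypothetical values).
ALICE = {"sub": "alice", "org": "example", "scope": "email orders:read profile"}
BOB = {"sub": "bob", "org": "example", "scope": "orders:read-only"}
NO_SCOPE = {"sub": "svc", "org": "example"}

if __name__ == "__main__":
    need = ["orders:read", "email"]
    for name, c in (("alice", ALICE), ("bob", BOB), ("no-scope", NO_SCOPE)):
        print(name,
              "token-set:", has_required_scopes(c, need),
              "equality:", naive_equals(c, need),
              "substring(orders:read):", naive_substring(c, ["orders:read"]))
```

Equality rejects Alice even though she holds both required scopes, and substring matching accepts Bob's `orders:read-only` as `orders:read`; only the token-set comparison gets both cases right.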

To learn more about these new features, check out the scope and claim validation page in our docs!