search
GreyMatter.ioTwitterGitHubSupport

JWT Security

Configuration details for the Grey Matter JWT Security service.

You can deploy the Grey Matter JSON Web Token (JWT) Service many ways, including the following:

  • The preferred approach is to deploy via a Docker container running inside of an OpenShift or Kubernetes Pod.

  • The service is also packaged as a TAR file. The TAR contains an executable binary file you can deploy to a server.

Follow the configuration requirements below to set up the Grey Matter JWT Security service.

hashtag
Prerequisites

hashtag
Environment Variables

There are three required pieces of information to configure and run the service.

  • Set JWT_API_KEY as an environment variable

  • Set PRIVATE_KEY and USERS_JSON as a base64 encoded string, or as a volume mount (recommended)

  • If both are provided, the volume mount supersedes the set variable

Variable
Mount Location
Default Value
Description
Type

JWT_API_KEY

-

""

base64 encoded string of comma separated api keys

base64

PRIVATE_KEY

/gm-jwt-security/certs/jwtES512.key

""

base64 encoded private key file

base64

USERS_JSON

/gm-jwt-security/etc/users.json

""

base64 encoded users.json file

base64

JWT_API_KEY is the base64 encoding of a comma separated list of API keys.

The users.json file should have a users field that contains an array of user payloads. This is an example:

{
  "users": [
    {
      "label": "CN=localuser,OU=Engineering,O=Decipher Technology Studios,=Alexandria,=Virginia,C=US",
      "values": {
        "email": [
          "localuser@deciphernow.com"
        ],
        "org": [
          "www.deciphernow.com"
        ]
      }
    },
    {
      "label": "cn=chris.holmes, dc=deciphernow, dc=com",
      "values": {
        "email": [
          "chris.holmes@deciphernow.com"
        ],
        "org": [
          "www.deciphernow.com"
        ],
        "privilege": [
          "root"
        ]
      }
    }
  ]
}
circle-info

Note: any service that provides the header api-key with a value matching one of the values in this list will have access to the /policies endpoint of the service, and can receive full jwt tokens.

hashtag
Example

For the API key, list: 123,my-special-key,super-secret-key,pub-keyandJWT_API_KEY set to the value of:

Any service that provides the header api-key with a value matching one of the following will have access:

  • 123

  • my-special-key

  • super-secret-key

  • pub-key

hashtag
Redis

The gm-jwt-security services creates and writes jwt tokens to a Redis server. In order to successfully generate and store jwt tokens, a Redis client must be implemented to connect to a server using information from the following environment variables.

Variable
Default Value
Description
Type

REDIS_HOST

"0.0.0.0"

host name of Redis server

string

REDIS_PORT

"6379"

port number of Redis server

string

REDIS_DB

0

Redis database to be selected after connecting to the server

uint

REDIS_PASS

"123"

password for Redis server

string

hashtag
Optional Configuration

The following environment variables can be set to specify the host, ports, and logging capabilities of the gm-jwt-service. To specify an expiration time for generated tokens, set TOKEN_EXP_TIME.

Variable
Default Value
Description
Type

BIND_ADDRESS

"0.0.0.0"

bind address for the gm-jwt-security server

string

HTTP_PORT

8080

http port for the server

uint

HTTPS_PORT

9443

https port for the server

uint

ZEROLOG_LEVEL

"WARN"

logging level: INFO, DEBUG, WARN, ERR

string

TOKEN_EXP_TIME

28800

token expiration time in seconds

uint

DEFAULT_PATH

"/services/"

default path to apply to cookies generated by the /policies endpoint

string

hashtag
Configure LDAP

The gm-jwt-security service supports LDAP as a backend server to search for user payloads.

circle-info

Note: if LDAP is configured, it will take precedence over the users.json file. If LDAP is not configured, the configured USERS_JSON file will be searched for user payloads.

hashtag
Configure TLS

TLS can be configured on the gm-jwt-security service using TLS Configuration.

hashtag
Logging

The log level set by the ZEROLOG_LEVEL variable can be retrieved and dynamically changed via the following requests:

hashtag
GET /logging

Returns the current log level.

hashtag
PUT /logging?level=<log-level>

Updates the log level to the level indicated in query parameter level.

Level should be one of: error, warn, info, debug.

hashtag
Questions

circle-check

Need help configuring JWT? Contact us at: Grey Matter Supportarrow-up-right.

PreviousDebugNextLDAP Configuration

Last updated

Was this helpful?