How to configure expected audience for JWT token validation

I’m using Tyk Gateway + Tyk Operator in a Kubernetes cluster. I have ApiDefinition and SecurityPolicy configured to validate JWT token (Auth0) for my API. All works well.

As our IdP may issue valid JWT tokens for different audiences, I want to ensure that when validating requests to /foo, the JWT token contains an aud claim with the value foo-audience. And if requests are sent to /bar, then the JWT token must contain an aud claim bar-audience.

I couldn’t find a setting that allows me to tell Tyk what audience value to check for when validating the JWT token. Is there a way to do so?

I found this topic that suggests that Tyk does perform some sort of aud validation.

Hi @al43k2l, I think you could use our JWT scope to policy mapping feature.

The new syntax of writing it is shown below. The old syntax still works for backward compatibility.

"scopes": {
  "jwt": {
    "scope_claim_name": "aud",
    "scope_to_policy": {
      "bar-audience": "bar-audience-policy-id",
      "foo-audience": "foo-audience-policy-id"
    }
  },
  "oidc": {}
},

In your policy, you can then set the allowed_urls to restrict access based on the policy.

...
"access_rights": {
        "sample-service": {
            "api_name": "Sample service API",
            "api_id": "sample-service",
            "versions": [
                "Default"
            ],
            "allowed_urls": [
                {
                    "url": "/foo",
                    "methods": [
                        "GET"
                    ]
                },
                {
                    "url": "/another-subpath-example",
                    "methods": [
                        "OPTIONS",
                        "HEAD"
                    ]
                }
            ], ...

Hope this helps.

Thanks a lot @Olu for the suggestion!