You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns
Potential misguidance: The JWKS examples include an HTTP URL and the Split Token flow implies storing sensitive data in Redis without explicit guidance on TTL, eviction, encryption, and access controls. Recommend adding notes to use HTTPS for JWKS endpoints and to configure Redis security (TLS, auth, restricted ACLs) and appropriate expirations for stored JWT components.
In the FAQ, references to JWTJwksURIs and CacheTimeout differ from the main doc's <jwtAuthScheme>.jwksURIs and cacheTimeout. Align naming to avoid confusion.
<li>
<details>
<summary>How do I handle JWTs signed with different keys (e.g., from different issuers)?</summary>
You can use JWKS (JSON Web Key Sets) by configuring `JWTJwksURIs` with the URLs of your JWKS endpoints. Tyk will automatically fetch and use the appropriate key based on the kid (Key ID) in the token header.
</details>
</li>
<li>
<details>
<summary>What happens if the JWKS endpoint is temporarily unavailable?</summary>
Tyk caches JWKS responses. You can configure the cache timeout using the CacheTimeout parameter in the `JWTJwksURIs` configuration. This ensures that temporary JWKS endpoint outages don't affect API availability.
</details>
</li>
<li>
<details>
<summary>Can I use JWKS endpoints with symmetric cryptography (HMAC)?</summary>
No, JWKS endpoints are designed for asymmetric cryptography (RSA and ECDSA), where public keys are used for signature verification. Symmetric cryptography (HMAC) requires a shared secret, which cannot be retrieved from a JWKS endpoint.
</details>
</li>
<li>
<details>
<summary>How often does Tyk refresh the JWKS cache?</summary>
By default, Tyk refreshes the JWKS cache every 240 seconds. However, you can customize the cache timeout for each JWKS endpoint in Tyk OAS APIs using the `cacheTimeout` field in the API definition.
</details>
</li>
The Split Token guide mentions storing JWT components in Redis but doesn’t discuss TTL/expiration, key namespace, or encryption at rest. Add guidance to mitigate persistence and leakage risks.
// 4. Store the complete JWT in Tyk's Redis database using the signature as the key
// This function would use Tyk's storage API to save the data
storeJWTComponents(signature, header, payload, fullJWT);
// 5. Modify the response to return only the signature
responseBody.access_token = signature;
return TykJsResponse({
Body: JSON.stringify(responseBody),
Code: 200
}, session.meta_data);
}
```
Note that this example includes some level of abstraction for clarity and so is not a full implementation.
2. **Configure Custom Pre-Auth Plugin**
Next, create a custom pre-auth plugin that reconstructs the JWT before it reaches the standard Tyk JWT Auth middleware:
```javascript
function reconstructJWT(request, session, config) {
// 1. Extract the signature from the Authorization header
var authHeader = request.Headers["Authorization"];
var signature = authHeader.replace("Bearer ", "");
// 2. Retrieve the stored JWT components using the signature
var storedJWT = retrieveJWTComponents(signature);
if (!storedJWT) {
return TykJsResponse({
Body: "Invalid token",
The intra-doc links point to generic anchors under /api-management/authentication, which may not exist after the split. Update links to the new dedicated page sections within this file to prevent broken navigation.
-Tyk can retrieve public keys from JSON Web Key Sets (JWKS) endpoints to validate the signature of incoming JWTs. Tyk supports configuring [single](/api-management/authentication#single-jwks-endpoint) or [multiple](/api-management/authentication#multiple-jwks-endpoints) JWKS endpoints with [caching](/api-management/authentication#jwks-caching) capabilities.+Tyk can retrieve public keys from JSON Web Key Sets (JWKS) endpoints to validate the signature of incoming JWTs. Tyk supports configuring [single](#single-jwks-endpoint) or [multiple](#multiple-jwks-endpoints) JWKS endpoints with [caching](#jwks-caching) capabilities.
Suggestion importance[1-10]: 8
__
Why: After splitting docs, the original links to /api-management/authentication#... would likely break; switching to local anchors matches section headers present in this file and preserves navigation.
Medium
Correct configuration key casing
The property name AllowedIssuers does not match earlier naming conventions used in OAS fragments (lower camel or snake). Replace with the correct configuration key used elsewhere (e.g., allowedIssuers) to avoid misconfiguration.
## FAQ
<ul>
<li>
<details>
<summary>Can I restrict which issuers' tokens are accepted?</summary>
-Yes, you can configure `AllowedIssuers` to specify which iss (issuer) claim values are accepted. Tokens from other issuers will be rejected.+Yes, you can configure `allowedIssuers` to specify which iss (issuer) claim values are accepted. Tokens from other issuers will be rejected.
</details>
</li>
Suggestion importance[1-10]: 5
__
Why: The change from AllowedIssuers to allowedIssuers improves consistency, but the correct key is not definitively established in this diff; it's a reasonable style fix with moderate impact.
Low
Possible issue
Fix inconsistent field name
The field name JWTJwksURIs is inconsistent with earlier examples that use .jwksURIs. Align terminology to avoid configuration errors. Update the reference to jwksURIs to match the API definition and examples.
-You can use JWKS (JSON Web Key Sets) by configuring `JWTJwksURIs` with the URLs of your JWKS endpoints. Tyk will automatically fetch and use the appropriate key based on the kid (Key ID) in the token header.+You can use JWKS (JSON Web Key Sets) by configuring `jwksURIs` with the URLs of your JWKS endpoints. Tyk will automatically fetch and use the appropriate key based on the kid (Key ID) in the token header.
Suggestion importance[1-10]: 7
__
Why: The doc elsewhere consistently uses jwksURIs; correcting JWTJwksURIs prevents configuration confusion and aligns with prior examples. The change is accurate and improves clarity, though not a critical bug fix.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Type
Documentation
Description
Add JWT signature validation documentation
Introduce JWT Split Token guide
Enhance JWT claim validation with FAQ
Refine JWT authorization description
Diagram Walkthrough
File Walkthrough
jwt-authorization.mdx
Clarify JWT authorization descriptionapi-management/authentication/jwt-authorization.mdx
jwt-claim-validation.mdx
Add JWT claim validation FAQapi-management/authentication/jwt-claim-validation.mdx
jwt-signature-validation.mdx
Add JWT signature validation guideapi-management/authentication/jwt-signature-validation.mdx
jwt-split-token.mdx
Introduce JWT Split Token documentationapi-management/authentication/jwt-split-token.mdx
json-web-tokens.mdx
Extract signature/split-token into dedicated pagesbasic-config-and-security/security/authentication-authorization/json-web-tokens.mdx
docs.json
Update docs navigation for new JWT pagesdocs.json