Add JWT Authentication
You can configure JWT-based authentication for your services hosted on TrueFoundry to ensure that only authenticated traffic can access your endpoints.
The JWT token is sent as part of HTTP requests, and your service verifies it using a public key from the Identity Provider’s (IDP) JSON Web Key Set (JWKS). This ensures the token is valid and untampered, allowing authentication based on its claims.
Integrating Third-Party Identity Providers
Identity providers like Amazon Cognito or Azure AD manage user authentication and issue JWTs. To validate these tokens, you need to configure a Custom JWT Auth integration that specifies:
- Issuer URL – The trusted identity provider.
- JWKS URI – The endpoint for fetching public keys used in token validation.
Creating a Custom JWT Auth Integration
- Go to the Integrations Page and add a new Custom JWT Auth integration.
- Provide the following details:
- Issuer
- JWKS URI
- (Optional) If you want to enable OAuth2-based login for services using this integration:
- Select OAuth2 Client Configuration.
- Fill in the following fields from your OAuth2 provider:
- Client ID
- Client Secret
- Authorization URL
- Token URL
- Scopes (e.g., openid, email, etc.)
Once configured, your service will authenticate incoming requests based on JWT claims, ensuring secure and verified access.
Setting Up Authentication Providers
To integrate JWT authentication, you need to configure an identity provider such as Amazon Cognito, Okta, Google OAuth2, or Microsoft Entra ID.
Each provider has a slightly different setup, but the key steps remain the same:
- Create or use an existing application within the provider.
- Retrieve the Client ID, Client Secret, and OpenID configuration.
- Configure the Issuer, JWKS URI, Authorization URL, and Token URL in TrueFoundry.
- Set up scopes required for authentication.
Below are detailed steps for specific providers.
Enabling JWT Authentication in Your Service
Once you have set up the Custom JWT Auth integration, you can enable authentication in your service deployment.
Steps:
- Enable Custom Security Rule:
- Navigate to the Security settings of your service.
- Select Custom Security Rule and choose the JWT authentication integration from the dropdown.
- Enable Login (if required):
- If your service requires OAuth2-based login (typically for frontend applications), enable the "Enable Login" option.
- This allows users to log in using the OAuth2 provider configured in the integration.
- Verify Token Claims (Optional):
- You can enforce additional security by verifying claims in the token.
- Define accepted values per key to ensure only valid tokens are allowed.
- Example: Restrict access to users with emails from truefoundry.com: "email": "*@truefoundry.com"
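The claim check above, as an added example that is not TrueFoundry's own code: a small Python routine that applies "accepted values per key" rules (wildcards as in the email example) plus an expiry check to a token's claims. It assumes the signature has already been verified against the IDP's JWKS before this step runs, and the issuer URL is a placeholder.

```python
import base64
import fnmatch
import json
import time

# Claim rules in the "accepted values per key" style: every listed key must be
# present in the token and match at least one accepted pattern.
CLAIM_RULES = {
    "email": ["*@truefoundry.com"],
    "iss": ["https://idp.example.invalid/"],  # placeholder issuer URL
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used for constructed samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT checked here;
    that is the JWKS verification step that must happen before claim rules."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def claims_allowed(claims: dict, rules: dict, now=None) -> bool:
    """Reject expired tokens and any token whose claims miss or fail a rule."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    for key, patterns in rules.items():
        value = claims.get(key)
        if not isinstance(value, str):
            return False  # missing or non-string claim never matches
        # fnmatchcase: '*' matches any run of characters, comparison is case-sensitive
        if not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    return True
```

Note that "*@truefoundry.com" anchors on the suffix, so a value like "alice@truefoundry.com.example.org" is rejected, but the pattern is case-sensitive and the email claim should be normalised by the IDP or before this check.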

Sample JWT Auth Config while deploying a service