JWT Authentication
JWT Authentication
Secure, stateless authentication for the Control Plane
JSON Web Tokens (JWT) are used throughout the Control Plane for authentication and authorization.
Token-based authentication
JWTs provide a secure, stateless mechanism for authenticating users and services across the distributed Control Plane architecture.
Overview
JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. The Control Plane uses JWTs for:
👤 User Authentication
Authenticating end users accessing Control Plane services and interfaces.
🔄 Service-to-Service
Secure communication between Control Plane microservices.
🔒 Role-Based Access
Implementing fine-grained role-based access control across services.
🔑 API Authorization
Securing API endpoints against unauthorized access.
🔍 Identity Verification
Validating user and service identities throughout the system.
📊 Audit Trail
Tracking user actions through JWT subject and claims.
Why JWT?
Stateless Architecture
JWTs enable a stateless authentication architecture:
- No need to store session data on the server
- Improved scalability with horizontally scaled services
- Reduced database load for authentication checks
- Self-contained tokens with all necessary information
- Works seamlessly across multiple services
Security Features
JWTs provide robust security through:
- Cryptographic signing to verify integrity
- Expiration timestamps to limit token lifetime
- Standard claim validation for issuer and audience
- Support for multiple signing algorithms
- Ability to encode permissions directly in the token
JWT Integration
Middleware approach
The Control Plane uses middleware to handle JWT authentication, making it easy to secure endpoints with minimal code duplication.
The Control Plane uses the github.com/gofiber/contrib/jwt middleware for JWT authentication:
func setupAuth(app *fiber.App) {
app.Use(jwt.New(jwt.Config{
SigningKey: []byte(os.Getenv("JWT_SECRET")),
SigningMethod: "HS256",
ErrorHandler: func(c *fiber.Ctx, err error) error {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
"error": "Unauthorized",
"message": err.Error(),
})
},
}))
}
Protecting Routes
Selective protection
Routes can be selectively protected by applying middleware at different levels or to specific route groups.
JWT Structure
Token structure
Understanding the JWT structure is key to properly implementing and troubleshooting authentication in the Control Plane.
JWTs used in the Control Plane follow a standard three-part structure:
Example JWT
{
"header": {
"alg": "RS256",
"typ": "JWT",
"kid": "2022-key-1"
},
"payload": {
"sub": "user-123",
"name": "John Doe",
"roles": ["admin", "editor"],
"groups": ["group-123", "group-456"],
"exp": 1640995200,
"iat": 1640908800,
"iss": "https://auth.telekom.de"
},
"signature": "signature-data"
}
Standard Claims
sub (Subject)
Unique identifier for the user or service. In the Control Plane, this is typically a user ID or service name.
exp (Expiration)
Unix timestamp indicating when the token expires. The Control Plane validates this claim to ensure tokens are not used after expiration.
iat (Issued At)
Unix timestamp indicating when the token was issued. Used for token tracking and audit purposes.
iss (Issuer)
Entity that issued the token. The Control Plane validates this to ensure tokens come from trusted sources.
aud (Audience)
Intended recipient of the token. Used to ensure tokens are used only with intended services.
jti (JWT ID)
Unique identifier for the token. Used for token revocation and tracking.
Custom Claims
Custom claims
The Control Plane extends standard JWT claims with custom claims for role-based access control and multi-tenancy.
roles
Array of role strings assigned to the user.
Example:
{"roles": ["admin", "editor", "viewer"]}
Used for role-based access control across services.
groups
Array of group identifiers the user belongs to.
Example:
{"groups": ["finance", "marketing"]}
Used for organizational access boundaries.
permissions
Fine-grained permission descriptors.
Example:
{
"permissions": {
"files": ["read", "write"],
"users": ["read"]
}
}
tenant
Multi-tenancy identifier for resource isolation.
Example:
{"tenant": "org-123456"}
Ensures users can only access resources within their tenant.
RBAC with JWT
Role-based access
Role-based access control is implemented through JWT claims, allowing for consistent access control across all Control Plane services.
Role Hierarchy
Role hierarchy
The Control Plane implements a role hierarchy where higher-level roles inherit permissions from lower-level roles.
Token Validation
Comprehensive validation
Always validate JWT tokens thoroughly for security. The Control Plane performs multiple validation steps to ensure token integrity and authenticity.
The Control Plane validates JWTs for:
✅ Signature Integrity
Verifies the token has not been tampered with using cryptographic signatures.
⏱️ Expiration Time
Checks that the token has not expired based on the 'exp' claim.
🔍 Issuer Validation
Confirms the token was issued by a trusted source using the 'iss' claim.
👥 Audience Verification
Ensures the token is intended for the current service using the 'aud' claim.
🔄 Not Before Time
Verifies the token is not used before its valid time using the 'nbf' claim.
⚙️ Algorithm Validation
Confirms the token uses the expected signing algorithm.
Token Generation
Token issuance
Services in the Control Plane generate JWTs for clients after successful authentication, using secure methods to create signed tokens.
Services in the Control Plane generate JWTs for clients:
Security Best Practices
JWT security
The Control Plane follows these security best practices for JWT implementation to minimize vulnerability risks.
Short-lived Tokens
The Control Plane uses short-lived access tokens to reduce the risk of token misuse:
- Access tokens expire in 1 hour or less
- Refresh tokens have a maximum lifetime of 7 days
- Session tokens include device fingerprinting
- Critical operations require re-authentication
Secret Management
JWT signing secrets are carefully managed:
- Secrets stored in Kubernetes secrets or Vault
- Different keys for development and production
- Regular key rotation (every 90 days)
- Key compromise procedures in place
- Minimum 256-bit key strength
Algorithm Selection
The Control Plane uses robust algorithms:
- RS256 (RSA Signature with SHA-256) for production
- HS256 (HMAC with SHA-256) for development/testing
- Explicitly verifies the algorithm in tokens
- Rejects tokens with "none" algorithm
Transport Security
JWTs are always transmitted securely:
- TLS/HTTPS for all API communications
- Token transmitted in Authorization header
- No storage in local storage or cookies (XSS protection)
- Secure, HttpOnly cookies when browser storage is needed
Related Resources
Gofiber
Learn about the web framework used in conjunction with JWT authentication.
Architecture
Understand how JWT fits into the overall Control Plane architecture.