Token (JWT) Auth
Overview
Auth using a Token (JWT)
Parameters
Parameter | Description | Valid Blocks | Required |
---|---|---|---|
Manually Configure instead of using JWKS URL | Manually configure instead of automatically using a JWKS URL. | Boolean Block Group | No |
Auto Configure - Public key JWKS URL | The JWKS URL used to auto configure the public key. | Text Block Group | No |
PEM-encoded RSA Public Key | The PEM-encoded RSA *public* key used for signature verification. | Text Block Group | No |
Allowed Signing Algorithm | The allowed signing algorithm (e.g. "RS256"). This prevents algorithm substitution attacks by ensuring only the specified algorithm is accepted. | Text Block Group | No |
Show Advanced Options | If on, exposes advanced options. | Boolean Block Group | No |
Token Location | Where the JWT can be found in the request (i.e. one of Header or Cookie). | Text Block Group | No |
Auth Container Name | The name of the header or cookie containing the JWT. | Text Block Group | No |
Expected Issuer (iss) | The expected issuer (e.g. "https://example.com"). This ensures the token was issued by a trusted entity. | Text Block Group | No |
Expected Subject (sub) | The expected subject (e.g. "user123", "admin123"). This can be used to ensure the token is for a specific user or entity. | Text Block Group | No |
Expected Audience (aud) | The expected audience (e.g. "my-backend-api"). Represents the intended recipient of the token, often the backend system or API that will validate and process the token. This ensures that the token is being sent to the correct server or service (Comnoco). | Text Block Group | No |
Expected Authorized Party (azp) | The expected authorized party (e.g. "https://my-app.com"). Represents the client or frontend system that is authorized to use the token, often the application or service that initially requested the token from the authorization server. | Text Block Group | No |
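
The order of checks these parameters describe (pin the algorithm, verify the RS256 signature, then compare iss, sub, aud and azp), as an added Python example that is not Comnoco's implementation. The key pair is a constructed, deliberately weak test key standing in for the PEM-encoded public key, and the function names `issue` and `verify` are hypothetical.

```python
import base64, hashlib, json

# Constructed demo key (product of two Mersenne primes): trivially factorable, test use only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # (N, E) is the public key, D the private exponent
K = (N.bit_length() + 7) // 8                 # modulus length in bytes
# DER DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
ALLOWED_ALG = "RS256"                         # the "Allowed Signing Algorithm" setting

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(header, claims):
    """Issuer side, present only so the example can build signed tokens."""
    body = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(pow(emsa(body.encode()), D, N).to_bytes(K, "big"))

def verify(token, iss=None, sub=None, aud=None, azp=None):
    """Return the claims or raise ValueError. Expected values left as None are not checked."""
    head, payload, sig = token.split(".")
    header = json.loads(unb64u(head))
    # 1. Pin the algorithm first: the token's own header never selects how it is verified.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")
    # 2. Verify the RS256 signature over "header.payload" with the public key.
    s = int.from_bytes(unb64u(sig), "big")
    if s >= N or pow(s, E, N) != emsa(f"{head}.{payload}".encode()):
        raise ValueError("bad signature")
    # 3. Only now trust the payload and compare the expected claims.
    claims = json.loads(unb64u(payload))
    if not isinstance(claims, dict):
        raise ValueError("claims are not a JSON object")
    for name, expected in (("iss", iss), ("sub", sub), ("azp", azp)):
        if expected is not None and claims.get(name) != expected:
            raise ValueError(f"unexpected {name}")
    audiences = claims.get("aud")             # "aud" may be one string or a list of strings
    audiences = audiences if isinstance(audiences, list) else [audiences]
    if aud is not None and aud not in audiences:
        raise ValueError("unexpected aud")
    return claims
```
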