JWT Verification

The Cloud Protect function can authenticate JWTs using either an OpenID endpoint or a stored certificate/secret.

When OpenID settings are enabled, the protector must be able to reach the specified OpenID endpoint to obtain the public key, which is then used to verify the token signature. Several additional claims are also verified against the configuration provided to the protect function: issuer, audience and appid (optional).

Reaching an OpenID endpoint from the protector may not be feasible, or a non-OpenID issuer may be in use. In those cases, a stored certificate/secret can be used to validate the JWT signature by enabling jwt_verify and providing a base64-encoded certificate/secret in the jwt_secret_base64 configuration. In this mode no additional claims are verified.

Secret

Stored secret verification example using the jwt_verify and jwt_secret_base64 configuration parameters:

  1. Navigate to the cloud function main.tf configuration file, and find the section "Parameters applicable when authorization = jwt"
  2. Edit/replace the entries as indicated below, then save and apply the configuration:

Parameter: authorization
Value: JWT

Parameter: jwt_verify
Value: 1

Parameter: jwt_secret_base64
Value: Secret in base64 encoding. For example, the value of the public key is as follows.

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4fkg/JYyN3Skr6RYLiAd/Yhl0
2TE3/HzHSNPnCaRdUakGp9og7oXBMcoadFDjnoSq1sz+gUHnpoO7s2fwkD5Q4OnC
BGD3oKP2A4PlOOWD2B2cVmMqX/vf1nAA/343496jsbfgkh1Q7LTzR0IXfdii0o1U
CbvrVCuaBoyiv4TxWQIDAQAB
-----END PUBLIC KEY-----

This public key will be stored as follows.

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tL
S0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUV
VBQTRHTkFEQ0JpUUtCZ1FDNGZrZy9KWXl
OM1NrcjZSWUxpQWQvWWhsMAoyVEUzL0h6
SFNOUG5DYVJkVWFrR3A5b2c3b1hCTWNvY
WRGRGpub1NxMXN6K2dVSG5wb083czJmd2
tENVE0T25DCkJHRDNvS1AyQTRQbE9PV0Q
yQjJjVm1NcVgvdmYxbkFBLzM0MzQ5Nmpz
YmZna2gxUTdMVHpSMElYZmRpaTBvMVUKQ
2J2clZDdWFCb3lpdjRUeFdRSURBUUFCCi
0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==

The secret must be base64-encoded. We recommend using RSA public certificates; keeping hash-based (symmetric) secrets in the clear is not recommended, since base64 encoding is not encryption and anyone who can read the configuration can mint valid tokens.

OpenID

Verification example using openid_* configuration parameters:

  1. Navigate to the cloud function main.tf configuration file, and find the section "Parameters applicable when openid_enabled = true"
  2. Edit/replace the entries as indicated below, then save and apply the configuration:

Parameter: openid_enabled
Value: true

Parameter: openid_audiences
Value: Audience as it would appear in the aud claim, for example "https://management.azure.com/"
Notes: Can be either one value or a comma-separated list.

Parameter: openid_issuers
Value: Issuer as it would appear in the iss claim, for example "https://sts.windows.net/bca3157d-b8d9-4ca8-a724-1c7e2b96e1ef"
Notes: Can be either one value or a comma-separated list.

Parameter: openid_appid
Value: Appid as it would appear in the appid claim, for example "9ada3e7d-4ec4-48da-9d69-5379b7984fe1"
Notes: Optional. If the value is "", the appid claim is ignored. When openid_appid is provided, it must match the appid claim of the token.
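Both verification modes on this page, worked through in an added Python example that is not the product's own code: building and decoding the jwt_secret_base64 value from the PEM shown in the Secret section (PAGE_PEM is that key, stored without a trailing newline, which is how the page's base64 value decodes), a signature-only check for jwt_verify mode, and the iss/aud/appid checks listed for openid_enabled mode, including the one-value-or-comma-separated-list handling of openid_issuers and openid_audiences. The stored-secret path uses HS256 with the standard library because it has no RSA support (an assumption made to keep the example self-contained; the page itself recommends RSA public certificates), the sign_hs256 helper and all secrets and URLs in the demo are constructed, and the config keys simply mirror the main.tf parameters above.

```python
import base64
import hashlib
import hmac
import json

# Public key exactly as shown in the Secret section of the page. The page's
# jwt_secret_base64 value decodes to this text: "\n" separators, no trailing newline.
PAGE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4fkg/JYyN3Skr6RYLiAd/Yhl0\n"
    "2TE3/HzHSNPnCaRdUakGp9og7oXBMcoadFDjnoSq1sz+gUHnpoO7s2fwkD5Q4OnC\n"
    "BGD3oKP2A4PlOOWD2B2cVmMqX/vf1nAA/343496jsbfgkh1Q7LTzR0IXfdii0o1U\n"
    "CbvrVCuaBoyiv4TxWQIDAQAB\n"
    "-----END PUBLIC KEY-----"
)


def encode_config_secret(secret: str) -> str:
    """Build the jwt_secret_base64 value from a PEM certificate or a shared secret."""
    return base64.b64encode(secret.encode()).decode()


def decode_config_secret(value: str) -> bytes:
    """Recover the key material from jwt_secret_base64. Line breaks such as those in
    the page's wrapped example are tolerated; any other non-base64 input is rejected."""
    return base64.b64decode("".join(value.split()), validate=True)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Hypothetical helper that mints a test token. The alg parameter exists only so a
    test can produce a mislabelled header; the signature is always HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_stored_secret(token: str, jwt_secret_base64: str) -> dict:
    """jwt_verify = 1 mode: check only the signature against the stored secret and
    return the claims. HS256 stands in for the RSA case the page recommends."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to what the stored key is for; the token must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    secret = decode_config_secret(jwt_secret_base64)
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def _as_list(value: str) -> list:
    """openid_issuers / openid_audiences accept one value or a comma separated list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def verify_openid_claims(claims: dict, config: dict) -> bool:
    """The claim checks the page lists for openid_enabled = true: iss, aud and the
    optional appid (ignored when openid_appid is ""). Raises ValueError on failure."""
    if claims.get("iss") not in _as_list(config["openid_issuers"]):
        raise ValueError("issuer not accepted")
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if not set(token_auds) & set(_as_list(config["openid_audiences"])):
        raise ValueError("audience not accepted")
    appid = config.get("openid_appid", "")
    if appid and claims.get("appid") != appid:
        raise ValueError("appid mismatch")
    return True


if __name__ == "__main__":
    # Constructed demo values; the keys mirror the page's main.tf parameters.
    config = {"openid_issuers": "https://issuer-a.example, https://issuer-b.example",
              "openid_audiences": "api://demo", "openid_appid": ""}
    secret_b64 = encode_config_secret("constructed-demo-shared-secret")
    token = sign_hs256({"iss": "https://issuer-b.example", "aud": "api://demo"},
                       b"constructed-demo-shared-secret")
    claims = verify_stored_secret(token, secret_b64)
    print("signature ok, claims ok:", verify_openid_claims(claims, config))
```

The two functions are deliberately separate because that is how the page describes the product: jwt_verify mode stops after the signature check, while OpenID mode adds the claim checks. Running verify_openid_claims after verify_stored_secret gives the stricter combination if a deployment wants both.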


Last modified: March 31, 2026