
Function Compute:Configure JWT authentication for custom domain names

Last Updated:Feb 02, 2024

JSON Web Token (JWT) is an easy-to-use token-based method to authenticate requests. JWT authentication uses tokens that are provided by clients to store user status information. Functions do not need to store user status information. This makes JWT authentication an ideal method for serverless applications. Function Compute uses the public JSON Web Key Set (JWKS) that is bound to a custom domain name to implement JWT authentication for requests that are sent to the custom domain name. Function Compute also forwards claims to functions based on the configurations of the custom domain name. This way, request authentication is not required in functions and you can focus only on business logic.

Background information

Overview

JWT is an easy-to-use token-based method to authenticate requests; the format is standardized in RFC 7519. For information about the authentication process and the basics of JWT tokens, see JWT-based authentication and Introduction to JSON Web Tokens.

JWT authentication process

The JWT authentication process for custom domain names is the same as the JWT authentication process for HTTP triggers.

[Figure: JWT authentication process for HTTP triggers in Function Compute]

The preceding figure shows the JWT authentication process for HTTP triggers in Function Compute. The process uses an asymmetric (public-key) algorithm: the authorizer signs tokens with a private key, and the trigger verifies them with the matching public key. The following items describe the details of the process:

  1. The client sends an authentication request to a custom authorizer. In most cases, the username and password of the user are specified in the request.

  2. The custom authorizer reads and verifies authentication information, such as the username and password of the user, in the request. After the request passes verification, the authorizer uses a private key to generate a standard token.

  3. The custom authorizer returns the response that contains the token to the client. The client caches the token locally.

  4. The client sends a business request that contains the token to the HTTP trigger.

  5. The HTTP trigger uses the configured public key to verify the token in the request.

  6. If verification succeeds, the request is passed to the protected function.

  7. The protected function processes and responds to the request.

  8. The HTTP trigger forwards the business response to the client.

Limits

  • You can generate and distribute JWTs based on your business requirements. Function Compute authenticates the JWTs by using the public JWKS that is configured for a trigger.

  • JSON Web Keys (JWKs) that do not contain the key IDs (kid) are supported.

  • You can configure multiple JWKs for a trigger.

  • You can read tokens from the header, query, form, and cookie parameters.

  • You can forward claims as header, query, form, and cookie parameters to functions.

  • Function Compute allows you to configure a JWKS for a custom domain name. After you do so, Function Compute looks up the JWK whose key ID (kid) matches the kid in the token header and uses that public key to verify the signature of the token. In the JWKS of a custom domain name, at most one JWK may have its key ID unspecified or set to an empty string.

    The following table describes the signature algorithms that are supported by the JWT of Function Compute.

    Signature algorithm        alg value
    RSASSA-PKCS1-V1_5          RS256, RS384, or RS512
    RSASSA-PSS                 PS256, PS384, or PS512
    Elliptic Curve (ECDSA)     ES256, ES384, or ES512
    HMAC                       HS256, HS384, or HS512
    EdDSA                      EdDSA

Important
  • The hash-based message authentication code (HMAC) signature algorithm is symmetric: the same secret is used to sign and to verify tokens, so the verifier must hold the signing secret. This makes HMAC less secure than an asymmetric algorithm, where the verifier holds only the public key. We recommend that you use an asymmetric algorithm to improve security.

  • When you use an asymmetric algorithm, include only the public key components in the JWKS that you configure. Never include private key material.

  • We recommend that you use HTTPS to protect sensitive information such as tokens in requests. This helps prevent token leaks.

Configure JWT authentication

Prerequisites

A custom domain name is created. For more information, see Step 3: Add the custom domain name.

Procedure

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.

  2. In the top navigation bar, select the region where the custom domain name that you want to manage resides. On the Custom Domains page, click the custom domain name that you want to manage.

  3. In the upper-right corner of the page that appears, click Modify. On the Modify Custom Domain Name page, configure the following items and click Save.

    1. Set Authentication Method to JWT Authentication.

      [Figure: Authentication Method set to JWT Authentication]

    2. Configure the JWKS.

      To configure JWT authentication for a custom domain name, a valid JWKS is required. You can generate a JWKS yourself, or use an online generator such as mkjwk.org (search for JSON Web Key Generator). If you already have a private key in PEM format, you can use a tool such as jwx to convert it to JWK format.

      In the following example, mkjwk.org is used to generate a JWKS. Configure the Key Use, Algorithm, and Show X.509 parameters and then click Generate. Issue JWT tokens in your own code by signing them with the private key (① in the following figure). Keep the private key confidential. Copy only the public key (② in the following figure) into the keys array of the JWKS in the Function Compute console.

      [Figure: mkjwk.org output; ① private key, ② public key]

      The following sample code shows the configured JWKS:

      {
          "keys": [
              {
                  "alg": "RS256",
                  "e": "AQAB",
                  "kty": "RSA",
                  "n": "u1LWgoomekdOMfB1lEe96OHehd4XRNCbZRm96RqwOYTTc28Sc_U5wKV2umDzolfoI682ct2BNnRRahYgZPhbOCzHYM6i8sRXjz9Ghx3QHw9zrYACtArwQxrTFiejbfzDPGdPrMQg7T8wjtLtkSyDmCzeXpbIdwmxuLyt_ahLfHelr94kEksMDa42V4Fi5bMW4cCLjlEKzBEHGmFdT8UbLPCvpgsM84JK63e5ifdeI9NdadbC8ZMiR--dFCujT7AgRRyMzxgdn2l-nZJ2ZaYzbLUtAW5_U2kfRVkDNa8d1g__2V5zjU6nfLJ1S2MoXMgRgDPeHpEehZVu2kNaSFvDUQ",
                  "use": "sig"
              }
          ]
      }

    3. Configure the JWT token.

      Select the read position and the name of the token. You can set the Read Position parameter to Header, Cookie, Query Parameters, or Form Parameters. If you set the Read Position parameter to Header, you must also specify the prefix that precedes the token in the header value. When Function Compute reads the token, the prefix is removed.

      [Figure: JWT Token Configuration section]

    4. Configure JWT claim conversion.

      In the JWT Claim Conversion section, select the position to pass parameters to the function, the original name of the parameter, and the new name of the parameter after it is passed to the function. You can set Mapping Parameter Position to Header, Cookie, Query Parameters, or Form Parameters.

      [Figure: JWT Claim Conversion section]

Verify the result

Enter the custom domain name and token in the test tool based on the JWT configurations of the custom domain name to check whether the domain name can be used to access functions. In this topic, Postman is used.

  1. Use the private key that is generated in Configure JWT authentication to create a JWT token.

  2. Use Postman to check whether the custom domain name can be used to access functions.

    1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains. On the Custom Domains page, find the custom domain name that you want to manage.

    2. Configure the token parameters in the headers of Postman. Example:

      Key: Authentication
          The name of the parameter that you configured in the JWT Token Configuration section.

      Value: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9uIFNub3ciLCJhZG1pbiI6dHJ1ZSwiZXhwIjo0ODI5NTk3NjQxfQ.eRcobbpjAd3OSMxcWbmbicOTLjO2vuLR9F2QZMK4rz1JqfSRHgwQVqNxcfOIO9ckDMNlF_3jtdfCfvXfka-phJZpHmnaQJxmnOA8zA3R4wF4GUQdz5zkt74cK9jLAXpokwrviz2ROehwxTCwa0naRd_N9eFhvTRnP3u7L0xn3ll4iOf8Q4jS0mVLpjyTa5WiBkN5xi9hkFxd__p98Pah_Yf0hVQ2ldGSyTtAMmdM1Bvzad-kdZ_wW0jcctIla9bLnOo-Enr14EsGvziMh_QTZ3HQtJuToSKZ11xkNgaz7an5de6PuF5ISXQzxigpFVIkG765aEDVtEnFkMO0xyPGLg
          The prefix that you specified for the Remove Prefix parameter in the JWT Token Configuration section (Bearer in this example), followed by a space and the JWT token that you generated in the previous step.

    3. Click Send to view the returned information.

      [Figure: Postman response]

      In the response, nametofunction is the name of the parameter after the claim is passed to the function.

FAQ

Why is "invalid or expired jwt" returned when I access a custom domain name after I enable JWT authentication for the domain name?

The message indicates that JWT authentication failed. The following items list the possible causes:

  • The signature or format of your token is invalid.

  • Your token has expired.

  • The key ID of your token does not match any JWK in the JWKS that you configured for your custom domain name, or the matched JWK is incorrect.

Why is "the jwt token is missing" returned when I access a custom domain name after I enable JWT authentication for the custom domain name?

The message indicates that Function Compute cannot find the token based on the JWT token configuration of the custom domain name. Check that the request contains the token and that the read position and name are correctly specified. If you set the Read Position parameter in the JWT Token Configuration section to Header, the header value must start with the value of the Remove Prefix parameter, followed by a space and the JWT token. Otherwise, this error is returned.

Am I charged for JWT authentication?

No, you are not charged for JWT authentication. By default, you are charged for gateway-related features provided by Function Compute based on the number of function invocations. Therefore, you are not charged for JWT authentication, regardless of whether you enable the feature.