
Authentication & Authorization

Set up authentication and authorization for incoming requests
Cosmo router supports authenticating incoming requests using JWKS authentication. The JSON Web Key Set (JWKS) is a set of keys that contains the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.
To enable an authentication provider, add it to your configuration:
```yaml
# config.yaml
authentication:
  providers:
    - name: My Auth Provider # Optional, used for error messages and diagnostics
      jwks: # JWKS provider configuration
        url: https://example.com/.well-known/jwks.json # URL to load the JWKS from (Authorization server)
        header_names: [Authorization] # Optional, Authorization is the default value
        header_value_prefixes: [Bearer] # Optional, Bearer is the default value
        refresh_interval: 1m # Optional, How often the JWK is refreshed
```
Using multiple authentication providers is also supported. If authentication with any of the providers succeeds, the claims from the token are decoded and made available through the request pipeline. Notice that providers are tried in the same order as they are defined in the configuration and once a provider authenticates a request, no other providers are tried.

Enforce authentication

By default, requests without authentication information are allowed. Only requests with invalid authentication information (e.g. an incorrectly signed token) produce a 403 Forbidden response. To disable anonymous requests, use the authorization configuration:
```yaml
# config.yaml
authorization:
  require_authentication: true
```
This causes requests without authorization information to produce a 401 Unauthorized response.
Authentication information is also available to custom modules. See Access Authenticated Information.
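The following Go program is an added illustration of what the two sections above describe, not code from the Cosmo router itself. It verifies a compact JWT against a set of RSA JWKS entries using RS256 only, tries providers in configuration order until one succeeds, and maps the outcome to the responses documented here: 200 with decoded claims on success, 403 for a presented but invalid token, and 401 for a missing token only when `require_authentication` is on. The `jwk` and `provider` types, the `issue` helper that stands in for the authorization server, and the key ids and claims are all constructed for this example; the router's real types differ, it fetches and refreshes the key set from `jwks.url` instead of holding it in memory, and it honours configurable `header_names` and `header_value_prefixes`, whereas this example uses only the documented defaults (`Authorization` / `Bearer`).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// Hypothetical types for this example: jwk carries the RSA members of one JWKS entry;
// provider mirrors an authentication.providers entry, Keys standing in for the set fetched from jwks.url.
type jwk struct{ Kty, Kid, N, E string }
type provider struct{ Name string; Keys []jwk }

var enc = base64.RawURLEncoding

// verifyRS256 checks a compact JWT against a key set and returns its claims.
// Only RS256 is accepted, so a token-chosen "alg" of none or HS256 is refused.
func verifyRS256(token string, keys []jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, errH := enc.DecodeString(parts[0])
	body, errB := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("undecodable token or unsupported alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload
	for _, k := range keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil || (hdr.Kid != "" && k.Kid != hdr.Kid) {
			continue // unusable key or kid mismatch: try the next key in the set
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			var claims map[string]any // claims are trusted only once the signature checks out
			err := json.Unmarshal(body, &claims)
			return claims, err
		}
	}
	return nil, errors.New("signature does not verify against any key")
}

// authenticate reads "Authorization: Bearer <token>" (the documented defaults) and tries
// providers in configuration order; the first one that verifies the token wins. It returns
// 403 for invalid credentials, 401 for a missing token only when require_authentication is set, else 200.
func authenticate(headers map[string]string, providers []provider, requireAuthentication bool) (int, string, map[string]any) {
	val := headers["Authorization"]
	if !strings.HasPrefix(val, "Bearer ") {
		if requireAuthentication {
			return 401, "", nil
		}
		return 200, "", nil // anonymous request allowed
	}
	for _, p := range providers {
		if claims, err := verifyRS256(strings.TrimPrefix(val, "Bearer "), p.Keys); err == nil {
			return 200, p.Name, claims
		}
	}
	return 403, "", nil
}

// issue plays the authorization server for the demo: it generates a key,
// publishes it as a JWKS entry and mints an RS256 token with the given claims.
func issue(kid string, claims map[string]any) ([]jwk, string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	key := jwk{Kty: "RSA", Kid: kid, N: enc.EncodeToString(priv.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return []jwk{key}, input + "." + enc.EncodeToString(sig)
}

// demo configures two providers with separate constructed keys and sends three requests:
// a token issued by the second provider, no token at all (require_authentication on),
// and that token with its payload swapped for "mallory" while the original signature is kept.
func demo() (int, int, int, string, any) {
	primary, _ := issue("primary-1", nil)
	partner, tok := issue("partner-1", map[string]any{"sub": "alice"})
	providers := []provider{{Name: "Primary", Keys: primary}, {Name: "Partner", Keys: partner}}
	p := strings.Split(tok, ".")
	forged := p[0] + "." + enc.EncodeToString([]byte(`{"sub":"mallory"}`)) + "." + p[2]
	valid, by, claims := authenticate(map[string]string{"Authorization": "Bearer " + tok}, providers, true)
	none, _, _ := authenticate(map[string]string{}, providers, true)
	tampered, _, _ := authenticate(map[string]string{"Authorization": "Bearer " + forged}, providers, false)
	return valid, none, tampered, by, claims["sub"]
}
```

Two details carry the security weight: the claims body is decoded only after the signature has verified against a key from the configured set, and the `alg` header is never allowed to steer verification, so a token that declares `none` or an HMAC algorithm is rejected before any key is consulted. The tampered request in `demo` shows why signature checking must cover the payload: the token still carries a genuine signature, but over a different body, so every provider refuses it and the request gets the 403 described above.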

Forwarding authentication headers

By default, the router does not forward authentication headers to subgraphs. If that is desired, it can be configured using the Proxy capabilities.