API v4.2.2 (#43)

* njs bugfix

* 20240226-01 Commit

* 20240226-02 Commit

* 20240226-03 Commit

* 20240226-04 Commit

* 20240226-05 Commit

* 20240229-01 Commit
Added client JWT-based authorization

* 20240229-02 Commit

* 20240206-01 Commit

* 20240206-02 Commit

* 20240206-03 Commit

* 20240206-03 Commit

FEATURES.md

@@ -53,7 +53,7 @@ Client-side authentication profiles to be defined under `.declaration.http.authe
     "jwt": {
         "realm": "<JWT_AUTHENTICATION_REALM>",
         "key": "<JWT_KEY>|<JWT_KEY_URL>",
-        "cachetime": <JWT_KEY_CACHETIME_IN_SECONDS>,
+        "cachetime": <OPTIONAL_JWT_KEY_CACHETIME_IN_SECONDS>,
         "token_location": "<OPTIONAL_TOKEN_LOCATION_AS_NGINX_VARIABLE>"
     }
 }
@@ -72,6 +72,36 @@ Client-side authentication profiles to be defined under `.declaration.http.authe
 }
 ```
 
+### Client authorization
+
+| Type | Description          | API v4.0 | API v4.1 | API v4.2 | Notes                                                                                                                                                                           |
+|------|----------------------|----------|----------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| jwt  | Java Web Token (JWT) |          |          | X        | Based on JWT claims. Supported under <li>.declaration.http.server[]</li><li>.declaration.http.server[].location[]</li><li>.declaration.http.server[].location[].apigateway</li> |
+
+#### Examples
+
+Client-side authorization profiles to be defined under `.declaration.http.authorization`
+
+- jwt client authorization profile
+
+ ```json
+{
+  "name": "<PROFILE_NAME>",
+  "type": "jwt",
+  "jwt": {
+    "claims": [
+      {
+        "name": "<CLAIM_NAME>",
+        "value": [
+          "<AUTHORIZED_VALUE_OR_REGEXP>"
+        ],
+        "errorcode": <OPTIONAL_ERROR_CODE_401_OR_403>
+      }
+    ]
+  }
+}
+```
+
 ### Upstream and Source of truth authentication
 
 | Type         | Description                                  | API v4.0 | API v4.1 | API v4.2 | Notes                                                                                  |

README.md

@@ -20,6 +20,7 @@ Use cases include:
   - `http` snippets, upstreams, servers, locations
   - `stream` snippets, upstreams, servers
   - Swagger / OpenAPI schemas
+  - NGINX Javascript files
 
 ## Requirements
 

USAGE-v4.2.md

@@ -115,9 +115,14 @@ Declaration path `.declaration.http.servers[].locations[].apigateway` defines th
 - `api_gateway.server_url` - the base URL of the upstream server
 - `developer_portal.enabled` - enable/disable Developer portal provisioning
 - `developer_portal.uri` - the trailing part of the Developer portal URI, this is appended to `.declaration.http.servers[].locations[].uri`. If omitted it defaults to `devportal.html`
-- `authentication` - optional, used to enforce JWT authentication at the API Gateway level
-- `authentication.client` - JWT authentication profile name
-- `authentication.enforceOnPaths` - if set to `true` JWT authentication is enforced on all API endpoints listed under `authentication.paths`. if set to `false` JWT authentication is enforced on all API endpoints but those listed under `authentication.paths`
+- `authentication` - optional, used to enforce authentication at the API Gateway level
+- `authentication.client[]` - authentication profile names
+- `authentication.enforceOnPaths` - if set to `true` authentication is enforced on all API endpoints listed under `authentication.paths`. if set to `false` authentication is enforced on all API endpoints but those listed under `authentication.paths`
+- `authentication.paths` - paths to enforce authentication
+- `authorization[]` - optional, used to enforce authorization
+- `authorization[].profile` - authorization profile name
+- `authorization[].enforceOnPaths` - if set to `true` authorizaion is enforced on all API endpoints listed under `authorization.paths`. if set to `false` authorization is enforced on all API endpoints but those listed under `authorization[].paths`
+- `authorization[].paths` - paths to enforce authorization
 - `rate_limit` - optional, used to enforce rate limiting at the API Gateway level
 - `rate_limit.enforceOnPaths` - if set to `true` rate limiting is enforced on all API endpoints listed under `rate_limit.paths`. if set to `false` rate limiting is enforced on all API endpoints but those listed under `rate_limit.paths`
 
@@ -192,6 +197,16 @@ is:
                                         "/user/logout"
                                     ]
                                 },
+                                "authorization": [
+                                    {
+                                        "profile": "JWT role based authorization",
+                                        "enforceOnPaths": true,
+                                        "paths": [
+                                            "/user/login",
+                                            "/user/logout"
+                                        ]
+                                    }
+                                ],
                                 "rate_limit": [
                                     {
                                         "profile": "petstore_ratelimit",
@@ -245,7 +260,23 @@ is:
                         }
                     }
                 ]
-            }
+            },
+            "authorization": [
+                {
+                    "name": "JWT role based authorization",
+                    "type": "jwt",
+                    "jwt": {
+                        "claims": [
+                            {
+                                "name": "roles",
+                                "value": [
+                                    "~(devops)"
+                                ]
+                            }
+                        ]
+                    }
+                }
+            ]
         }
     }
 }