> - **Secret type**: The secret must be of type `Opaque` with a key named `auth` containing the JWKS data in JSON format.
> - **realm**: (Optional) The realm parameter sets the authentication realm displayed in the WWW-Authenticate header when authentication fails.
> - **keyCache**: (Optional) Specifies how long NGINX Plus caches the JWKS keys in memory. Valid values include time units like `10s`, `1m`, `1h`. This reduces the need to re-read the secret file for each request. If not specified, keys are cached indefinitely until NGINX is reloaded.
I think we should also mention (either now or once we support remote) that this example uses File and what that means.
> JWT authentication in NGINX Gateway Fabric validates JSON Web Tokens using JSON Web Key Sets (JWKS). The JWKS contains the public keys used to verify the JWT signatures. When a request arrives with a JWT in the `Authorization` header, NGINX Plus validates the token against the configured JWKS before forwarding the request to your application.
>
> This guide demonstrates JWT authentication using a local JWKS file stored in a Kubernetes Secret.
Should we mention explicitly that remote JWT is excluded currently, to avoid any confusion?
> - **realm**: (Optional) The realm parameter sets the authentication realm displayed in the WWW-Authenticate header when authentication fails.
> - **keyCache**: (Optional) Specifies how long NGINX Plus caches the JWKS keys in memory. Valid values include time units like `10s`, `1m`, `1h`. This reduces the need to re-read the secret file for each request. If not specified, keys are cached indefinitely until NGINX is reloaded.
Suggested change to the `keyCache` line:

```markdown
- **keyCache**: (Optional) Controls how long NGINX Plus caches the JWKS keys in memory. Supported values use standard time units such as `10s`, `1m`, or `1h`. Caching avoids reloading the JWKS from the Secret for every request, improving performance. If not specified, the keys remain cached indefinitely and are only refreshed when NGINX is reloaded.
```
Sounds clearer, I think.
> ## Setup
>
> In this part of the document, you will set up several resources in your cluster to demonstrate usage of the AuthenticationFilter CRD with JWT authentication.
>
> ## Deploy sample applications
Something is weird here.
There is an H2 header "Setup" with a single sentence, followed by another H2 header, "Deploy sample applications".
Is the "Deploy ..." section part of Setup?
If it is not a subsection, the text under Setup does not make sense by itself.
If it is a subsection, all the heading levels after Setup need to be reviewed.
```yaml
apiVersion: gateway.nginx.org/v1alpha1
kind: AuthenticationFilter
metadata:
  name: jwt-auth
spec:
  type: JWT
  jwt:
    file:
      secretRef:
        name: jwt-auth
    realm: "Restricted jwt-auth"
    keyCache: "1h"
```
Suggested change:

```yaml
apiVersion: gateway.nginx.org/v1alpha1
kind: AuthenticationFilter
metadata:
  name: jwt-auth
spec:
  type: JWT
  jwt:
    source: File
    file:
      secretRef:
        name: jwt-auth
    realm: "Restricted jwt-auth"
    keyCache: "1h"
```
We need to add `source: File` here, otherwise we get this error:

```
The AuthenticationFilter "jwt-auth" is invalid:
* spec.jwt.source: Required value
```
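The threads above fix three separate things: the shape of the Secret (`Opaque`, key `auth`, JWKS JSON), what NGINX Plus actually checks against that JWKS before forwarding a request, and the `source: File` field the CRD validation requires. The following is an added example, written for this review and not code from NGINX Gateway Fabric or from the PR, that ties them together: it builds a JWKS, wraps it in the Secret manifest the doc describes, emits the corrected AuthenticationFilter, and replays the verification steps a JWKS-backed validator must perform (parse, check `alg`, select the key by `kid`, verify the signature, reject expired tokens). It uses only the standard library, so the JWKS carries a symmetric `kty: oct` HS256 key rather than the RSA/EC public keys the doc talks about; the key bytes, `kid` values and claims are constructed for the demo, and the verifier is an approximation of NGINX's behaviour, not its code.

```python
"""Added example: JWKS-in-a-Secret plus the checks a JWKS verifier performs.
Not part of the NGINX Gateway Fabric docs; demo key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE (RFC 7515/7517) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding Python's decoder insists on."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwks(kid: str, key: bytes) -> dict:
    """One-key JWKS holding a symmetric HS256 key (kty 'oct'), kept stdlib-only."""
    return {"keys": [{"kty": "oct", "kid": kid, "alg": "HS256",
                      "use": "sig", "k": b64url(key)}]}


def secret_manifest(name: str, jwks: dict) -> dict:
    """Opaque Secret; the JWKS JSON sits under the `auth` key (base64 in `data`)."""
    raw = json.dumps(jwks, separators=(",", ":")).encode()
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name}, "type": "Opaque",
            "data": {"auth": base64.b64encode(raw).decode("ascii")}}


def jwks_from_secret(manifest: dict) -> dict:
    """What the data plane reads back: decode data.auth into a JWKS."""
    if manifest.get("type") != "Opaque" or "auth" not in manifest.get("data", {}):
        raise ValueError("Secret must be Opaque with an `auth` key")
    return json.loads(base64.b64decode(manifest["data"]["auth"]))


def auth_filter_manifest(name: str, secret: str, realm: str, key_cache: str) -> dict:
    """AuthenticationFilter as in the thread, including the required spec.jwt.source."""
    return {"apiVersion": "gateway.nginx.org/v1alpha1", "kind": "AuthenticationFilter",
            "metadata": {"name": name},
            "spec": {"type": "JWT",
                     "jwt": {"source": "File",
                             "file": {"secretRef": {"name": secret}},
                             "realm": realm, "keyCache": key_cache}}}


def mint_jwt(key: bytes, kid: str, claims: dict) -> str:
    """HS256 token whose header carries the kid that selects the JWKS entry."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, jwks: dict, now: Optional[float] = None) -> dict:
    """Approximation of a JWKS verifier: structure, alg, kid lookup, signature, exp.
    Raises ValueError on any failure; returns the claims otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # also rejects alg "none"
        raise ValueError("unsupported alg")
    entry = next((k for k in jwks.get("keys", [])
                  if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if entry is None:
        raise ValueError("no JWKS key matches kid")
    expected = hmac.new(b64url_decode(entry["k"]), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    key = b"\x11" * 32                        # constructed demo key, not a real secret
    jwks = make_jwks("demo-key", key)
    print(json.dumps(secret_manifest("jwt-auth", jwks), indent=2))
    print(json.dumps(auth_filter_manifest("jwt-auth", "jwt-auth",
                                          "Restricted jwt-auth", "1h"), indent=2))
    token = mint_jwt(key, "demo-key", {"sub": "alice", "exp": int(time.time()) + 300})
    print(verify_jwt(token, jwks_from_secret(secret_manifest("jwt-auth", jwks))))
```

Two points worth keeping in mind when adapting this: the `kid` lookup is what makes `keyCache` matter in practice, because a rotated key only becomes visible once the cached JWKS is refreshed or NGINX is reloaded, and a verifier that skips the `alg` check is the classic `alg: none` bypass, so the check stays even though the example only ever issues HS256 tokens.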