JWT & Cookies#
Auth middleware issues and validates JWT session tokens stored in HTTP cookies.
These tokens provide stateless authentication on every proxied request.
Token lifecycle#
Issued — when a user authenticates via /auth (OIDC) or /bearer-auth (bearer token exchange).
Validated — on every request via /verify.
Refreshed — transparently when nearing expiration (if refresh is enabled and access review passes).
Expired — after
jwtExpirationelapses, requiring re-authentication.
Token claims#
Claim |
Description |
|---|---|
|
Kubernetes username |
|
Group memberships |
|
Kubernetes user UID |
|
Additional user info from the K8s auth layer (e.g. OIDC claims, impersonation metadata) |
|
Workspace path prefix this token authorizes |
|
Host this token is valid for |
|
|
|
Issuer — |
|
Audience — |
|
Expiration time |
|
Issued-at time |
Cookie configuration#
Setting |
Default |
Description |
|---|---|---|
|
|
Cookie name |
|
|
HTTPS only |
|
|
Not accessible to JavaScript |
|
|
CSRF protection |
|
24 hours |
Browser-side expiry |
Auth middleware scopes the cookies to the workspace path — each workspace gets its own cookie. This prevents cookies from one workspace being sent with requests to another.
Token refresh#
Setting |
Default |
Description |
|---|---|---|
|
|
Enable transparent token refresh |
|
15 minutes |
Refresh if token expires within this window |
|
12 hours |
Maximum total session duration before forced re-authentication |
During a refresh, Auth middleware re-checks authorization via ConnectionAccessReview. If the user’s access has been revoked (workspace deleted, access type changed to OwnerOnly, RBAC removed), the refresh fails and the cookie is cleared.
Signing#
Auth middleware uses HMAC symmetric signing with keys stored in a Kubernetes Secret (JWT_SECRET_NAME, default: authmiddleware-secrets). The middleware watches this Secret for changes — when the rotator adds a new key, each auth middleware pod picks it up without restart.
Each token carries a kid (key ID) in its JWT header. On validation, the middleware looks up the corresponding key by kid — so multiple keys can coexist during rotation without trial-and-error.
Separation from Extension API#
Auth middleware and Extension API each have their own:
JWT signing Secret
Rotator CronJob
Issuer/audience values
They may run in different namespaces. Auth middleware’s tokens (type: session, issuer: workspaces-auth) are distinct from the Extension API’s tokens (type: bootstrap, issuer: workspaces-controller).