JWT validation

Public routes, protected routes and the token-scope guard in the Go API Gateway.

JWT validation

Key source

The Gateway validates client JWTs against the Identity JWKS.

In the local compose setup:

CENTEROS_JWT_JWKS_URL
→ http://centeros-identity-service:8081/.well-known/jwks.json

The Gateway's expected issuer and algorithm are taken from environment variables:

  • CENTEROS_JWT_EXPECTED_ISSUER
  • CENTEROS_JWT_EXPECTED_ALGORITHM

No private key or token TTL is configured on the Gateway. Those belong to the Identity Service.

Public routes

The IsPublicRequest source confirms that these requests bypass auth:

Route | Note
OPTIONS | public; used for CORS preflight
GET /healthz | local Gateway health
GET /readyz | local readiness, not yet checkpoint closed
GET /actuator/health | local handler, not yet checkpoint closed
GET /actuator/health/liveness | local handler, not yet checkpoint closed
GET /actuator/health/readiness | local handler, not yet checkpoint closed
GET /actuator/info | local handler, not yet checkpoint closed
POST /api/auth/login | proxied to the Identity Service
POST /api/auth/refresh | proxied to the Identity Service
POST /api/auth/logout | public in code, not yet checkpoint closed
POST /api/payments/webhooks/payos | public webhook, not yet checkpoint closed

The current checkpoint only closes GET /healthz, POST /api/auth/login, POST /api/auth/refresh and POST /api/auth/select-branch.

Protected routes

Protected routes require a Bearer token in the Authorization header.

The Gateway rejects:

  • missing token
  • malformed token
  • invalid signature
  • unsupported alg
  • wrong issuer
  • a refreshToken used as an access token
  • a non-access-like token

Route context guard

Route family | Token/context rule
/api/auth/select-branch | account token required
/api/auth/me | account token or branch token
/api/system/* | system context required
/api/admin/catalog/* | system context required
/api/admin/navigation/* | system context required
/api/workspaces/* | branch/platform context required
/api/setup/* | branch/platform context required
/api/navigation/* | branch/platform context required
/api/entitlements/* | branch/platform context required
/api/payments/* | branch/platform context required

Normal business APIs use a branch-scoped accessToken.

accountAccessToken is used to select/switch branch. Do not use accountAccessToken for normal business APIs.
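The rejection list and the route-family table above, folded into one guard function as an added example; this is not the Gateway's own IsPublicRequest or guard code. Token, its Kind and Context fields, and the string values they hold are assumed names, since the page does not name the underlying JWT claims.

```go
package main

import (
	"fmt"
	"strings"
)

// Token is the gateway's view of a validated JWT; Kind and Context are assumed field names.
type Token struct {
	Kind    string // "accessToken", "accountAccessToken" or "refreshToken"
	Context string // "branch", "platform" or "system" (accessToken only)
}

// routeRules mirrors the route-family table; "/*" means prefix match, value = accepted contexts.
var routeRules = map[string]string{
	"/api/auth/select-branch": "account",
	"/api/auth/me":            "account branch",
	"/api/system/*":           "system",
	"/api/admin/catalog/*":    "system",
	"/api/admin/navigation/*": "system",
	"/api/workspaces/*":       "branch platform",
	"/api/setup/*":            "branch platform",
	"/api/navigation/*":       "branch platform",
	"/api/entitlements/*":     "branch platform",
	"/api/payments/*":         "branch platform",
}

// GuardRoute rejects a refreshToken (or any non-access-like token), then checks the
// token context against the route rule; a nil result means the request may pass.
func GuardRoute(path string, t Token) error {
	if t.Kind != "accessToken" && t.Kind != "accountAccessToken" {
		return fmt.Errorf("reject %s: %q is not an access-like token", path, t.Kind)
	}
	ctx := t.Context
	if t.Kind == "accountAccessToken" {
		ctx = "account" // account tokens carry no branch/platform/system context
	}
	for family, allowed := range routeRules {
		prefix := strings.TrimSuffix(family, "*")
		if path != family && !(prefix != family && strings.HasPrefix(path, prefix)) {
			continue
		}
		if strings.Contains(" "+allowed+" ", " "+ctx+" ") {
			return nil
		}
		return fmt.Errorf("reject %s: needs context [%s], token has %q", path, allowed, ctx)
	}
	if ctx != "branch" { // unlisted business APIs take only a branch-scoped accessToken
		return fmt.Errorf("reject %s: needs a branch-scoped accessToken, got %s/%s", path, t.Kind, ctx)
	}
	return nil
}
```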

After validation

If the token is valid and the route context check passes:

JWT claims
→ Gateway trusted context
→ trusted headers
→ downstream service

The Gateway only performs a coarse route guard. Domain permission, capability and entitlement checks belong to the downstream service.

TODO

  • Not yet closed: validation docs for route families other than auth/current-context.
  • Not yet closed: system route behavior via Bruno/checkpoint.
