OIDC / OAuth2 Gateway Auth

Validate JWT Bearer tokens from any OIDC provider (Auth0, Keycloak, Google, Okta, etc.) at the gateway level — before requests reach your backend. No SDK changes required.

How It Works

Nolxy fetches the OIDC discovery document from your provider, downloads the JWKS (JSON Web Key Set), and verifies the JWT signature cryptographically. No shared secrets — only asymmetric key verification (RS256, RS384, RS512, ES256, ES384, ES512).

  1. Client sends Authorization: Bearer <token>
  2. Nolxy fetches /.well-known/openid-configuration (cached 1h)
  3. JWKS keys are fetched and cached (1h, auto-rotated on kid miss)
  4. Signature, issuer, audience, expiry, and scopes are validated
  5. Configured claims are injected as headers to the upstream

Configuration

{
  "oidcAuth": {
    "issuer": "https://accounts.google.com",
    "audience": "https://api.yourapp.com",
    "requiredScopes": ["read:data"],
    "clockSkewSeconds": 30,
    "claimHeaders": {
      "sub": "X-User-Id",
      "email": "X-User-Email",
      "roles": "X-User-Roles"
    }
  }
}

Supported Algorithms

RS256
RS384
RS512
ES256
ES384
ES512

HS256 (shared secret) is intentionally not supported: with a symmetric key the gateway would hold the same secret that signs the tokens, so anyone able to read the gateway configuration could also forge tokens, which makes it insecure for gateway-level auth.

Claim Injection

Validated JWT claims can be forwarded to your upstream as HTTP headers. This lets your backend trust the gateway's authentication without re-validating the token, provided the upstream is reachable only through the gateway (a client that could reach the backend directly could otherwise set these headers itself).

Dot notation is supported for nested claims: "user.id" extracts payload.user.id.

Key Rotation

If a JWT references a kid (key ID) not in the cached JWKS, Nolxy automatically invalidates the JWKS cache and fetches fresh keys. This handles provider key rotation transparently with no downtime.

Plan Requirements

OIDC / OAuth2 Gateway Auth is available on Business plans only.