
Configure the Worker for JWT Validation

Use a Worker to automatically keep your identity provider’s latest public key in the JWT Validation configuration.

Prerequisites

Process

  1. Manually query the JWKs endpoint to ensure the JWKs exist in the expected location and format.
  2. Create a Worker to automate updating of the JWKs.
  3. Create a Worker Secret to house the API key used for updating API Shield settings.
  4. Schedule the Worker to automatically update the JWKs.

Manually query the JWKs endpoint

Find your Identity Provider’s URL and fetch the keys using curl and jq. Your URL may return more than just the issuer’s keys, so Cloudflare recommends using jq to filter the response to only return the keys. You must update the provided Worker sample code if your JWKs do not have a keys object.

Configure the Worker

  1. Create a new Worker.
  2. Copy and paste the example code below into your new Worker, completely replacing any code that already exists.
  3. Replace the current zone ID with your zone ID.
  4. Replace the current Token Validation Configuration ID with your Token Validation Configuration.
  5. Replace the current identity provider’s URL with your identity provider’s key URL.
  6. If your JWKs URL returns the keys in any JSON object other than keys, update the fetchCredentials() function to return only the key data.
  7. Select Create > Deploy.
  8. In the Worker settings, go to Variables and add an environment variable named CF_API_TOKEN with the value of the API token that you have created.
  9. In the Worker Triggers, assign a cron trigger to the Worker. Cloudflare recommends a frequent update interval to ensure you always have the latest keys and that an immediate key rotation by your identity provider causes minimal downtime.
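
The manual curl and jq check and the fetchCredentials() adjustment described above both come down to returning only the key data. As an added example (not Cloudflare's sample Worker code), the helper below does that inside the Worker and refuses a response that is empty, malformed, or carrying private key material, so a bad identity provider response is never pushed into the configuration. The function names, the dotted `path` parameter, the `kid` requirement and the sample response are assumptions of this example.

```javascript
// Added example: not Cloudflare's sample Worker code.
// Private JWK members (RFC 7518): RSA/EC/OKP private parts and the "oct" secret.
const PRIVATE_MEMBERS = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];

// Follow a dotted path ("keys", "data.jwks") into the parsed response body.
function extractKeys(body, path = "keys") {
  const found = path.split(".").reduce(
    (node, part) => (node && typeof node === "object" ? node[part] : undefined),
    body
  );
  if (!Array.isArray(found) || found.length === 0) {
    throw new Error(`no key array at "${path}" in JWKs response`);
  }
  return found;
}

// Return only the key data, refusing anything that is not a clean public key.
function publicKeysFrom(body, path = "keys") {
  const keys = extractKeys(body, path);
  keys.forEach((jwk, i) => {
    // Assumption of this example: every key must carry kty and kid.
    if (!jwk || typeof jwk.kty !== "string" || typeof jwk.kid !== "string") {
      throw new Error(`key ${i} is missing kty or kid`);
    }
    const leaked = PRIVATE_MEMBERS.filter((m) => m in jwk);
    if (leaked.length > 0) {
      throw new Error(`key ${jwk.kid} carries private members: ${leaked.join(",")}`);
    }
  });
  if (new Set(keys.map((k) => k.kid)).size !== keys.length) {
    throw new Error("duplicate kid in JWKs response");
  }
  return keys;
}

// Hypothetical wrapper showing where the check sits in a fetchCredentials() body.
async function fetchPublicKeys(url, path = "keys") {
  const res = await fetch(url, { headers: { accept: "application/json" } });
  if (!res.ok) throw new Error(`JWKs fetch failed: HTTP ${res.status}`);
  return publicKeysFrom(await res.json(), path);
}

// Constructed sample response: extra fields around the keys array.
const SAMPLE = {
  issuer: "https://idp.example.com",
  keys: [{ kty: "RSA", kid: "2024-05", use: "sig", alg: "RS256", n: "constructed-modulus", e: "AQAB" }],
};
```

Throwing on a bad response makes the scheduled run fail and leaves the previously configured keys in place until the next run.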