HAProxy Enterprise Documentation 1.8r2

JSON Web Token Overview

HAProxy Enterprise supports the OAuth 2.0 authorization protocol, which uses JSON Web Tokens (JWTs) to convey a client's level of access for a service without requiring their password.

JWTs, which contain a client's permissions but not their identity, serve as a client's proof of membership and encapsulate the fine-grained permissions they have. A JWT is a payload of base64-encoded JSON data, cryptographically signed by the party that authenticated the client. You can require that each HTTP request come with a JWT to verify whether the requested action should be allowed.

To process OAuth JWTs, you need the haproxy-lua-oauth module. Clone the LUA OAuth repository and follow the instructions for installing the module:


HAProxy Enterprise provides configuration directives that cover all of the functionality needed to support OAuth 2.0, including checking that a token:

  • has not expired

  • was issued and signed by a trusted authentication service

  • is meant for your service and not someone else's

  • contains any necessary claims to grant a client a specific type of access (for example, read or write access)

HAProxy Enterprise, which sits in front of your service, verifies that the token is genuine and checks it to see which permissions the client should have. You can either have the proxy forward those permissions on to your service via HTTP headers or make a decision within the proxy itself to deny the request then and there. For example, if the client is requesting to update data with a PUT request, but they do not have the write permission, you can have the proxy deny the request.

Next up

Getting a Token