Nexus validates JWTs using JWKS (JSON Web Key Sets), allowing integration with any standard SSO provider such as Auth0, Keycloak, Okta, or Azure AD.
Configure an App with SSO
Provider JWKS URLs
| Provider | JWKS URL |
|---|---|
| Auth0 | https://<tenant>.auth0.com/.well-known/jwks.json |
| Keycloak | https://<host>/realms/<realm>/protocol/openid-connect/certs |
| Okta | https://<tenant>.okta.com/oauth2/default/v1/keys |
| Azure AD | https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys |
| Google | https://www.googleapis.com/oauth2/v3/certs |
Auth Policy Fields
| Field | Description |
|---|---|
| jwks_url | URL of the JWKS endpoint — keys are fetched and cached automatically |
| issuer | Expected iss claim value — requests with a different issuer are rejected |
| audience | Expected aud claim value — your app's client ID |
| required_claims | List of claim names that must be present in the token |
| forward_claims_as_headers | Map of claim name → header name forwarded to the backend |
| jwt_secret_env | Env var containing the HS256 secret (alternative to JWKS) |
| jwt_public_key_env | Env var containing the RS256 PEM public key (alternative to JWKS) |
How it Works
- Client sends a request with Authorization: Bearer <token>
- Nexus fetches signing keys from jwks_url (cached per GATEWAY_JWKS__CACHE_TTL_SECS)
- Token signature, expiry, issuer, and audience are validated
- Required claims are checked
- Matched claims are injected as headers on the backend request
- Request is proxied to the backend
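The pipeline above, written out as an added Python example (not Nexus's own code): it uses the HS256 jwt_secret_env alternative from the policy table so it runs offline with no JWKS fetch or RSA library, and the policy values, env var name, secret and claims are all constructed for the demo.

```python
import base64, hmac, hashlib, json, os, time

# Constructed auth policy mirroring the Nexus fields above (hypothetical values).
POLICY = {
    "issuer": "https://example-tenant.auth0.com/",
    "audience": "my-client-id",
    "required_claims": ["sub", "email"],
    "forward_claims_as_headers": {"sub": "X-User-Id", "email": "X-User-Email"},
    "jwt_secret_env": "NEXUS_JWT_SECRET",
}
os.environ.setdefault("NEXUS_JWT_SECRET", "constructed-demo-secret")  # demo only

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims, secret):
    """Build a test token the way an IdP would (demo helper, not gateway code)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate(auth_header, policy, now=None):
    """Return the headers to inject on the backend request, or raise ValueError (-> 401)."""
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    h_b64, c_b64, s_b64 = token.split(".")
    # Pin the algorithm from the policy; never trust the token's own alg field.
    if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    secret = os.environ[policy["jwt_secret_env"]].encode()
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))  # only trusted after the signature check
    if now >= claims.get("exp", 0):  # a missing exp counts as expired
        raise ValueError("expired")
    if claims.get("iss") != policy["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    missing = [c for c in policy["required_claims"] if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    fwd = policy["forward_claims_as_headers"]
    return {hdr: str(claims[name]) for name, hdr in fwd.items() if name in claims}
```

Every rejection path raises before any claim is forwarded, which is the property the gateway relies on: the backend only ever sees headers derived from a token that passed signature, expiry, issuer, audience and required-claim checks.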