stop ticker

adjust other struct names

JWTToken -> JWTConfig
jwtAuthState -> jwtCache

and rename jwtState global var to jwtAuthCache

app/vmauth/auth_config.go

@@ -65,10 +65,11 @@ type AuthConfig struct {
 type UserInfo struct {
 	Name string `yaml:"name,omitempty"`
 
-	BearerToken string `yaml:"bearer_token,omitempty"`
-	AuthToken   string `yaml:"auth_token,omitempty"`
-	Username    string `yaml:"username,omitempty"`
-	Password    string `yaml:"password,omitempty"`
+	BearerToken string     `yaml:"bearer_token,omitempty"`
+	JWT         *JWTConfig `yaml:"jwt,omitempty"`
+	AuthToken   string     `yaml:"auth_token,omitempty"`
+	Username    string     `yaml:"username,omitempty"`
+	Password    string     `yaml:"password,omitempty"`
 
 	URLPrefix              *URLPrefix  `yaml:"url_prefix,omitempty"`
 	DiscoverBackendIPs     *bool       `yaml:"discover_backend_ips,omitempty"`
@@ -799,6 +800,9 @@ var (
 	// authUsers contains the currently loaded auth users
 	authUsers atomic.Pointer[map[string]*UserInfo]
 
+	// jwt authentication cache
+	jwtAuthCache atomic.Pointer[jwtCache]
+
 	authConfigWG sync.WaitGroup
 	stopCh       chan struct{}
 )
@@ -838,6 +842,20 @@ func reloadAuthConfigData(data []byte) (bool, error) {
 		return false, fmt.Errorf("failed to parse auth config: %w", err)
 	}
 
+	jui, err := parseJWTUsers(ac)
+	if err != nil {
+		return false, fmt.Errorf("failed to parse JWT users from auth config: %w", err)
+	}
+	jwtc := &jwtCache{
+		users:          jui,
+		verified:       make(map[string]jwtVerified),
+		removeExpiredT: time.NewTicker(time.Minute),
+	}
+	jcPrev := jwtAuthCache.Load()
+	if jcPrev != nil {
+		jcPrev.removeExpiredT.Stop()
+	}
+
 	m, err := parseAuthConfigUsers(ac)
 	if err != nil {
 		return false, fmt.Errorf("failed to parse users from auth config: %w", err)
@@ -857,6 +875,7 @@ func reloadAuthConfigData(data []byte) (bool, error) {
 	authConfig.Store(ac)
 	authConfigData.Store(&data)
 	authUsers.Store(&m)
+	jwtAuthCache.Store(jwtc)
 
 	return true, nil
 }
@@ -881,6 +900,9 @@ func parseAuthConfig(data []byte) (*AuthConfig, error) {
 		if ui.BearerToken != "" {
 			return nil, fmt.Errorf("field bearer_token can't be specified for unauthorized_user section")
 		}
+		if ui.JWT != nil {
+			return nil, fmt.Errorf("field jwt can't be specified for unauthorized_user section")
+		}
 		if ui.AuthToken != "" {
 			return nil, fmt.Errorf("field auth_token can't be specified for unauthorized_user section")
 		}
@@ -927,10 +949,17 @@ func parseAuthConfigUsers(ac *AuthConfig) (map[string]*UserInfo, error) {
 	}
 	for i := range uis {
 		ui := &uis[i]
+		// users with jwt tokens are parsed by parseJWTUsers function.
+		// the function also checks that users with jwt tokens do not have auth tokens, bearer tokens, usernames and passwords.
+		if ui.JWT != nil {
+			continue
+		}
+
 		ats, err := getAuthTokens(ui.AuthToken, ui.BearerToken, ui.Username, ui.Password)
 		if err != nil {
 			return nil, err
 		}
+
 		for _, at := range ats {
 			if uiOld := byAuthToken[at]; uiOld != nil {
 				return nil, fmt.Errorf("duplicate auth token=%q found for username=%q, name=%q; the previous one is set for username=%q, name=%q",

app/vmauth/auth_config_test.go

@@ -621,6 +621,22 @@ unauthorized_user:
 			},
 		},
 	})
+
+	// skip user info with jwt, it is parsed by parseJWTUsers
+	f(`
+users:
+- username: foo
+  password: bar
+  url_prefix: http://aaa:343/bbb
+- jwt: {skip_verify: true}
+  url_prefix: http://aaa:343/bbb
+`, map[string]*UserInfo{
+		getHTTPAuthBasicToken("foo", "bar"): {
+			Username:  "foo",
+			Password:  "bar",
+			URLPrefix: mustParseURL("http://aaa:343/bbb"),
+		},
+	}, nil)
 }
 
 func TestParseAuthConfigPassesTLSVerificationConfig(t *testing.T) {

app/vmauth/jwt.go

@@ -0,0 +1,230 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/jwt"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
+)
+
+type JWTConfig struct {
+	PublicKeys     []string `yaml:"public_keys,omitempty"`
+	PublicKeyFiles []string `yaml:"public_key_files,omitempty"`
+	SkipVerify     bool     `yaml:"skip_verify,omitempty"`
+
+	verifierPool *jwt.VerifierPool
+}
+
+func parseJWTUsers(ac *AuthConfig) ([]*UserInfo, error) {
+	jui := make([]*UserInfo, 0, len(ac.Users))
+	for _, ui := range ac.Users {
+		jwtToken := ui.JWT
+		if jwtToken == nil {
+			continue
+		}
+
+		if ui.AuthToken != "" || ui.BearerToken != "" || ui.Username != "" || ui.Password != "" {
+			return nil, fmt.Errorf("auth_token, bearer_token, username and password cannot be specified if jwt is set")
+		}
+		if len(jwtToken.PublicKeys) == 0 && len(jwtToken.PublicKeyFiles) == 0 && !jwtToken.SkipVerify {
+			return nil, fmt.Errorf("jwt must contain at least a single public key, public_key_files or have skip_verify=true")
+		}
+
+		if len(jwtToken.PublicKeys) > 0 || len(jwtToken.PublicKeyFiles) > 0 {
+			keys := make([]any, 0, len(jwtToken.PublicKeys)+len(jwtToken.PublicKeyFiles))
+
+			for i := range jwtToken.PublicKeys {
+				k, err := jwt.ParseKey([]byte(jwtToken.PublicKeys[i]))
+				if err != nil {
+					return nil, err
+				}
+				keys = append(keys, k)
+			}
+
+			for _, filePath := range jwtToken.PublicKeyFiles {
+				keyData, err := os.ReadFile(filePath)
+				if err != nil {
+					return nil, fmt.Errorf("cannot read public key from file %q: %w", filePath, err)
+				}
+				k, err := jwt.ParseKey(keyData)
+				if err != nil {
+					return nil, fmt.Errorf("cannot parse public key from file %q: %w", filePath, err)
+				}
+				keys = append(keys, k)
+			}
+
+			vp, err := jwt.NewVerifierPool(keys)
+			if err != nil {
+				return nil, err
+			}
+
+			jwtToken.verifierPool = vp
+		}
+
+		if err := ui.initURLs(); err != nil {
+			return nil, err
+		}
+
+		metricLabels, err := ui.getMetricLabels()
+		if err != nil {
+			return nil, fmt.Errorf("cannot parse metric_labels: %w", err)
+		}
+		ui.requests = ac.ms.GetOrCreateCounter(`vmauth_user_requests_total` + metricLabels)
+		ui.requestErrors = ac.ms.GetOrCreateCounter(`vmauth_user_request_errors_total` + metricLabels)
+		ui.backendRequests = ac.ms.GetOrCreateCounter(`vmauth_user_request_backend_requests_total` + metricLabels)
+		ui.backendErrors = ac.ms.GetOrCreateCounter(`vmauth_user_request_backend_errors_total` + metricLabels)
+		ui.requestsDuration = ac.ms.GetOrCreateSummary(`vmauth_user_request_duration_seconds` + metricLabels)
+		mcr := ui.getMaxConcurrentRequests()
+		ui.concurrencyLimitCh = make(chan struct{}, mcr)
+		ui.concurrencyLimitReached = ac.ms.GetOrCreateCounter(`vmauth_user_concurrent_requests_limit_reached_total` + metricLabels)
+		_ = ac.ms.GetOrCreateGauge(`vmauth_user_concurrent_requests_capacity`+metricLabels, func() float64 {
+			return float64(cap(ui.concurrencyLimitCh))
+		})
+		_ = ac.ms.GetOrCreateGauge(`vmauth_user_concurrent_requests_current`+metricLabels, func() float64 {
+			return float64(len(ui.concurrencyLimitCh))
+		})
+
+		rt, err := newRoundTripper(ui.TLSCAFile, ui.TLSCertFile, ui.TLSKeyFile, ui.TLSServerName, ui.TLSInsecureSkipVerify)
+		if err != nil {
+			return nil, fmt.Errorf("cannot initialize HTTP RoundTripper: %w", err)
+		}
+		ui.rt = rt
+
+		jui = append(jui, &ui)
+	}
+
+	// the limitation will be lifted once claim based matching will be implemented
+	if len(jui) > 1 {
+		return nil, fmt.Errorf("multiple users with JWT tokens are not supported; found %d users", len(jui))
+	}
+
+	return jui, nil
+}
+
+func getUserInfoByJWTToken(ats []string) *UserInfo {
+	jc := jwtAuthCache.Load()
+	if len(jc.users) == 0 {
+		return nil
+	}
+
+	jc.removeExpired()
+
+	if jce, found := jc.getFirstVerified(ats); found {
+		return jce.ui
+	}
+
+	for _, at := range ats {
+		if strings.Count(at, ".") != 2 {
+			continue
+		}
+
+		at, _ = strings.CutPrefix(at, `http_auth:`)
+
+		tkn, err := jwt.NewToken(at, true)
+		if err != nil {
+			if *logInvalidAuthTokens {
+				logger.Infof("cannot parse jwt token: %s", err)
+			}
+			continue
+		}
+		if tkn.IsExpired(time.Now()) {
+			if *logInvalidAuthTokens {
+				logger.Infof("jwt token is expired")
+			}
+			continue
+		}
+
+		for _, ui := range jc.users {
+			if ui.JWT.SkipVerify {
+				return jc.addVerifiedIfNotExist(at, jwtVerified{ui: ui, tkn: tkn}).ui
+			}
+
+			if err := ui.JWT.verifierPool.Verify(tkn); err != nil {
+				if *logInvalidAuthTokens {
+					logger.Infof("cannot verify jwt token: %s", err)
+				}
+				continue
+			}
+
+			return jc.addVerifiedIfNotExist(at, jwtVerified{ui: ui, tkn: tkn}).ui
+		}
+	}
+
+	return nil
+}
+
+type jwtVerified struct {
+	ui  *UserInfo
+	tkn *jwt.Token
+}
+
+type jwtCache struct {
+	// users contain UserInfo`s from AuthConfig with JWTConfig set
+	users []*UserInfo
+
+	verifiedMux    sync.Mutex
+	verified       map[string]jwtVerified
+	removeExpiredT *time.Ticker
+}
+
+func (jc *jwtCache) getFirstVerified(ats []string) (jwtVerified, bool) {
+	jc.verifiedMux.Lock()
+	defer jc.verifiedMux.Unlock()
+
+	for _, at := range ats {
+		if strings.Count(at, ".") != 2 {
+			continue
+		}
+
+		at, _ = strings.CutPrefix(at, `http_auth:`)
+		jce, ok := jc.verified[at]
+		if !ok {
+			continue
+		}
+
+		if jce.tkn.IsExpired(time.Now()) {
+			if *logInvalidAuthTokens {
+				logger.Infof("jwt token is expired")
+			}
+			continue
+		}
+
+		return jce, true
+	}
+
+	return jwtVerified{}, false
+}
+
+func (jc *jwtCache) addVerifiedIfNotExist(at string, new jwtVerified) jwtVerified {
+	jc.verifiedMux.Lock()
+	defer jc.verifiedMux.Unlock()
+
+	jv, ok := jc.verified[at]
+	if !ok {
+		jc.verified[at] = new
+		jv = new
+	}
+
+	return jv
+}
+
+func (jc *jwtCache) removeExpired() {
+	select {
+	case <-jc.removeExpiredT.C:
+	default:
+		return
+	}
+
+	now := time.Now()
+	jc.verifiedMux.Lock()
+	for at, jui := range jc.verified {
+		if jui.tkn.IsExpired(now) {
+			delete(jc.verified, at)
+		}
+	}
+	jc.verifiedMux.Unlock()
+}

app/vmauth/jwt_test.go

@@ -0,0 +1,304 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestJWTParseAuthConfigFailure(t *testing.T) {
+	validRSAPublicKey := `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiX7oPWKOWRQsGFEWvwZO
+mL2PYsdYUsu9nr0qtPCjxQHUJgLfT3rdKlvKpPFYv7ZmKnqTncg36Wz9uiYmWJ7e
+IB5Z+fko8kVIMzarCqVvpAJDzYF/pUii68xvuYoK3L9TIOAeyCXv+prwnr2IH+Mw
+9AONzWbRrYoO74XyTE9vMU5qmI/L1VPk+PR8lqPOSptLvzsfoaIk2ED4yK2nRB+6
+st+k4nccPqbErqHc8aiXnXfugfnr6b+NPFYUzKsDqkymGOokVijrI8B3jNw6c6Do
+zphk+D3wgLsXYHfMcZbXIMqffqm/aB8Qg88OpFOkQ3rd2p6R9+hacnZkfkn3Phiw
+yQIDAQAB
+-----END PUBLIC KEY-----
+`
+	// ECDSA with the P-521 curve
+	validECDSAPublicKey := `-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAU9RmtkCRuYTKCyvLlDn5DtBZOHSe
+QTa5j9q/oQVpCKqcXVFrH5dgh0GL+P/ZhkeuowPzCZqntGf0+7wPt9OxSJcADVJm
+dv92m540MXss8zdHf5qtE0gsu2Ved0R7Z8a8QwGZ/1mYZ+kFGGbdQTlSvRqDySTq
+XOtclIk1uhc03oL9nOQ=
+-----END PUBLIC KEY-----
+`
+
+	f := func(s string, expErr string) {
+		t.Helper()
+		ac, err := parseAuthConfig([]byte(s))
+		if err != nil {
+			if expErr != err.Error() {
+				t.Fatalf("unexpected error; got %q; want %q", err.Error(), expErr)
+			}
+			return
+		}
+		users, err := parseJWTUsers(ac)
+		if err != nil {
+			if expErr != err.Error() {
+				t.Fatalf("unexpected error; got %q; want %q", err.Error(), expErr)
+			}
+			return
+		}
+		t.Fatalf("expecting non-nil error; got %v", users)
+	}
+
+	// unauthorized_user cannot be used with jwt
+	f(`
+unauthorized_user:
+  jwt: {skip_verify: true}
+  url_prefix: http://foo.bar
+`, `field jwt can't be specified for unauthorized_user section`)
+
+	// username and jwt in a single config
+	f(`
+users:
+- username: foo
+  jwt: {skip_verify: true}
+  url_prefix: http://foo.bar
+`, `auth_token, bearer_token, username and password cannot be specified if jwt is set`)
+	// bearer_token and jwt in a single config
+	f(`
+users:
+- bearer_token: foo
+  jwt: {skip_verify: true}
+  url_prefix: http://foo.bar
+`, `auth_token, bearer_token, username and password cannot be specified if jwt is set`)
+	// bearer_token and jwt in a single config
+	f(`
+users:
+- auth_token: "Foo token"
+  jwt: {skip_verify: true}
+  url_prefix: http://foo.bar
+`, `auth_token, bearer_token, username and password cannot be specified if jwt is set`)
+
+	// jwt public_keys or skip_verify must be set, part 1
+	f(`
+users:
+- jwt: {}
+  url_prefix: http://foo.bar
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
+
+	// jwt public_keys or skip_verify must be set, part 2
+	f(`
+users:
+- jwt: {public_keys: null}
+  url_prefix: http://foo.bar
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
+
+	// jwt public_keys or skip_verify must be set, part 3
+	f(`
+users:
+- jwt: {public_keys: []}
+  url_prefix: http://foo.bar
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
+
+	// jwt public_keys, public_key_files or skip_verify must be set
+	f(`
+users:
+- jwt: {public_key_files: []}
+  url_prefix: http://foo.bar
+`, `jwt must contain at least a single public key, public_key_files or have skip_verify=true`)
+
+	// invalid public key, part 1
+	f(`
+users:
+- jwt: {public_keys: [""]}
+  url_prefix: http://foo.bar
+`, `failed to parse key "": failed to decode PEM block containing public key`)
+
+	// invalid public key, part 2
+	f(`
+users:
+- jwt: {public_keys: ["invalid"]}
+  url_prefix: http://foo.bar
+`, `failed to parse key "invalid": failed to decode PEM block containing public key`)
+
+	// invalid public key, part 2
+	f(fmt.Sprintf(`
+users:
+- jwt: 
+    public_keys:
+    - %q
+    - %q
+    - "invalid"
+  url_prefix: http://foo.bar
+`, validRSAPublicKey, validECDSAPublicKey), `failed to parse key "invalid": failed to decode PEM block containing public key`)
+
+	// several jwt users
+	// invalid public key, part 2
+	f(fmt.Sprintf(`
+users:
+- jwt: 
+    public_keys:
+    - %q
+  url_prefix: http://foo.bar
+- jwt:
+    public_keys:
+    - %q
+  url_prefix: http://foo.bar
+`, validRSAPublicKey, validECDSAPublicKey), `multiple users with JWT tokens are not supported; found 2 users`)
+
+	// public key file doesn't exist
+	f(`
+users:
+- jwt: 
+    public_key_files: 
+    - /path/to/nonexistent/file.pem
+  url_prefix: http://foo.bar
+`, "cannot read public key from file \"/path/to/nonexistent/file.pem\": open /path/to/nonexistent/file.pem: no such file or directory")
+
+	// public key file invalid
+	// auth with key from file
+	publicKeyFile := filepath.Join(t.TempDir(), "a_public_key.pem")
+	if err := os.WriteFile(publicKeyFile, []byte(`invalidPEM`), 0o644); err != nil {
+		t.Fatalf("failed to write public key file: %s", err)
+	}
+	f(`
+users:
+- jwt: 
+    public_key_files: 
+    - `+publicKeyFile+`
+  url_prefix: http://foo.bar
+`, "cannot parse public key from file \""+publicKeyFile+"\": failed to parse key \"invalidPEM\": failed to decode PEM block containing public key")
+}
+
+func TestJWTParseAuthConfigSuccess(t *testing.T) {
+	validRSAPublicKey := `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiX7oPWKOWRQsGFEWvwZO
+mL2PYsdYUsu9nr0qtPCjxQHUJgLfT3rdKlvKpPFYv7ZmKnqTncg36Wz9uiYmWJ7e
+IB5Z+fko8kVIMzarCqVvpAJDzYF/pUii68xvuYoK3L9TIOAeyCXv+prwnr2IH+Mw
+9AONzWbRrYoO74XyTE9vMU5qmI/L1VPk+PR8lqPOSptLvzsfoaIk2ED4yK2nRB+6
+st+k4nccPqbErqHc8aiXnXfugfnr6b+NPFYUzKsDqkymGOokVijrI8B3jNw6c6Do
+zphk+D3wgLsXYHfMcZbXIMqffqm/aB8Qg88OpFOkQ3rd2p6R9+hacnZkfkn3Phiw
+yQIDAQAB
+-----END PUBLIC KEY-----
+`
+	// ECDSA with the P-521 curve
+	validECDSAPublicKey := `-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAU9RmtkCRuYTKCyvLlDn5DtBZOHSe
+QTa5j9q/oQVpCKqcXVFrH5dgh0GL+P/ZhkeuowPzCZqntGf0+7wPt9OxSJcADVJm
+dv92m540MXss8zdHf5qtE0gsu2Ved0R7Z8a8QwGZ/1mYZ+kFGGbdQTlSvRqDySTq
+XOtclIk1uhc03oL9nOQ=
+-----END PUBLIC KEY-----
+`
+
+	f := func(s string) {
+		t.Helper()
+		ac, err := parseAuthConfig([]byte(s))
+		if err != nil {
+			t.Fatalf("unexpected error: %s", err)
+		}
+
+		jui, err := parseJWTUsers(ac)
+		if err != nil {
+			t.Fatalf("unexpected error: %s", err)
+		}
+
+		for _, ui := range jui {
+			if ui.JWT == nil {
+				t.Fatalf("unexpected nil JWTConfig")
+			}
+
+			if ui.JWT.SkipVerify {
+				if ui.JWT.verifierPool != nil {
+					t.Fatalf("unexpected non-nil verifier pool for skip_verify=true")
+				}
+				continue
+			}
+
+			if ui.JWT.verifierPool == nil {
+				t.Fatalf("unexpected nil verifier pool for non-empty public keys")
+			}
+		}
+	}
+
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_keys:
+    - %q
+  url_prefix: http://foo.bar
+`, validRSAPublicKey))
+
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_keys:
+    - %q
+  url_prefix: http://foo.bar
+`, validECDSAPublicKey))
+
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_keys:
+    - %q
+    - %q
+  url_prefix: http://foo.bar
+`, validRSAPublicKey, validECDSAPublicKey))
+
+	f(`
+users:
+- jwt:
+    skip_verify: true
+  url_prefix: http://foo.bar
+`)
+
+	// combined with other auth methods
+	f(`
+users:
+- username: foo
+  password: bar
+  url_prefix: http://foo.bar
+
+- jwt:
+    skip_verify: true
+  url_prefix: http://foo.bar
+
+- bearer_token: foo
+  url_prefix: http://foo.bar
+`)
+
+	rsaKeyFile := filepath.Join(t.TempDir(), "rsa_public_key.pem")
+	if err := os.WriteFile(rsaKeyFile, []byte(validRSAPublicKey), 0o644); err != nil {
+		t.Fatalf("failed to write RSA key file: %s", err)
+	}
+	ecdsaKeyFile := filepath.Join(t.TempDir(), "ecdsa_public_key.pem")
+	if err := os.WriteFile(ecdsaKeyFile, []byte(validECDSAPublicKey), 0o644); err != nil {
+		t.Fatalf("failed to write ECDSA key file: %s", err)
+	}
+
+	// Test single public key file
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_key_files:
+    - %q
+  url_prefix: http://foo.bar
+`, rsaKeyFile))
+
+	// Test multiple public key files
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_key_files:
+    - %q
+    - %q
+  url_prefix: http://foo.bar
+`, rsaKeyFile, ecdsaKeyFile))
+
+	// Test combined inline keys and files
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_keys:
+    - %q
+    public_key_files:
+    - %q
+  url_prefix: http://foo.bar
+`, validECDSAPublicKey, rsaKeyFile))
+}

app/vmauth/main.go

@@ -181,29 +181,32 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		return true
 	}
 
-	ui := getUserInfoByAuthTokens(ats)
-	if ui == nil {
-		uu := authConfig.Load().UnauthorizedUser
-		if uu != nil {
-			processUserRequest(w, r, uu)
-			return true
-		}
-
-		invalidAuthTokenRequests.Inc()
-		if *logInvalidAuthTokens {
-			err := fmt.Errorf("cannot authorize request with auth tokens %q", ats)
-			err = &httpserver.ErrorWithStatusCode{
-				Err:        err,
-				StatusCode: http.StatusUnauthorized,
-			}
-			httpserver.Errorf(w, r, "%s", err)
-		} else {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
-		}
+	if ui := getUserInfoByAuthTokens(ats); ui != nil {
+		processUserRequest(w, r, ui)
+		return true
+	}
+	if ui := getUserInfoByJWTToken(ats); ui != nil {
+		processUserRequest(w, r, ui)
 		return true
 	}
 
-	processUserRequest(w, r, ui)
+	uu := authConfig.Load().UnauthorizedUser
+	if uu != nil {
+		processUserRequest(w, r, uu)
+		return true
+	}
+
+	invalidAuthTokenRequests.Inc()
+	if *logInvalidAuthTokens {
+		err := fmt.Errorf("cannot authorize request with auth tokens %q", ats)
+		err = &httpserver.ErrorWithStatusCode{
+			Err:        err,
+			StatusCode: http.StatusUnauthorized,
+		}
+		httpserver.Errorf(w, r, "%s", err)
+	} else {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+	}
 	return true
 }
 

app/vmauth/main_test.go

@@ -3,11 +3,20 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"strings"
 	"sync/atomic"
 	"testing"
@@ -506,6 +515,218 @@ requested_url={BACKEND}/path2/foo/?de=fg`
 	}
 }
 
+func TestJWTRequestHandler(t *testing.T) {
+	// Generate RSA key pair for testing
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("cannot generate RSA key: %s", err)
+	}
+
+	// Generate public key PEM
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
+	if err != nil {
+		t.Fatalf("cannot marshal public key: %s", err)
+	}
+	publicKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKeyBytes,
+	})
+
+	genToken := func(t *testing.T, body map[string]any, valid bool) string {
+		t.Helper()
+
+		headerJSON, err := json.Marshal(map[string]any{
+			"alg": "RS256",
+			"typ": "JWT",
+		})
+		if err != nil {
+			t.Fatalf("cannot marshal header: %s", err)
+		}
+		headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
+
+		bodyJSON, err := json.Marshal(body)
+		if err != nil {
+			t.Fatalf("cannot marshal body: %s", err)
+		}
+		bodyB64 := base64.RawURLEncoding.EncodeToString(bodyJSON)
+
+		payload := headerB64 + "." + bodyB64
+
+		var signatureB64 string
+		if valid {
+			// Create real RSA signature
+			hash := crypto.SHA256
+			h := hash.New()
+			h.Write([]byte(payload))
+			digest := h.Sum(nil)
+
+			signature, err := rsa.SignPKCS1v15(rand.Reader, privateKey, hash, digest)
+			if err != nil {
+				t.Fatalf("cannot sign token: %s", err)
+			}
+			signatureB64 = base64.RawURLEncoding.EncodeToString(signature)
+		} else {
+			signatureB64 = base64.RawURLEncoding.EncodeToString([]byte("invalid_signature"))
+		}
+
+		return payload + "." + signatureB64
+	}
+	genToken(t, nil, false)
+
+	f := func(cfgStr string, r *http.Request, responseExpected string) {
+		t.Helper()
+
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, err := w.Write([]byte(r.RequestURI + "\n")); err != nil {
+				panic(fmt.Errorf("cannot write response: %w", err))
+			}
+			if v := r.Header.Get(`extra_label`); v != "" {
+				if _, err := w.Write([]byte(`extra_label=` + v + "\n")); err != nil {
+					panic(fmt.Errorf("cannot write response: %w", err))
+				}
+			}
+			if v := r.Header.Get(`extra_filters`); v != "" {
+				if _, err := w.Write([]byte(`extra_filters=` + v + "\n")); err != nil {
+					panic(fmt.Errorf("cannot write response: %w", err))
+				}
+			}
+		}))
+		defer ts.Close()
+
+		cfgStr = strings.ReplaceAll(cfgStr, "{BACKEND}", ts.URL)
+		responseExpected = strings.ReplaceAll(responseExpected, "{BACKEND}", ts.URL)
+
+		cfgOrigP := authConfigData.Load()
+		if _, err := reloadAuthConfigData([]byte(cfgStr)); err != nil {
+			t.Fatalf("cannot load config data: %s", err)
+		}
+		defer func() {
+			cfgOrig := []byte("unauthorized_user:\n  url_prefix: http://foo/bar")
+			if cfgOrigP != nil {
+				cfgOrig = *cfgOrigP
+			}
+			_, err := reloadAuthConfigData(cfgOrig)
+			if err != nil {
+				t.Fatalf("cannot load the original config: %s", err)
+			}
+		}()
+
+		w := &fakeResponseWriter{}
+		if !requestHandlerWithInternalRoutes(w, r) {
+			t.Fatalf("unexpected false is returned from requestHandler")
+		}
+
+		response := w.getResponse()
+		response = strings.ReplaceAll(response, "\r\n", "\n")
+		response = strings.TrimSpace(response)
+		responseExpected = strings.TrimSpace(responseExpected)
+		if response != responseExpected {
+			t.Fatalf("unexpected response\ngot\n%s\nwant\n%s", response, responseExpected)
+		}
+	}
+
+	simpleCfgStr := fmt.Sprintf(`
+users:
+- jwt:
+    public_keys:
+    - %q
+  url_prefix: {BACKEND}/foo`, string(publicKeyPEM))
+	noVMAccessClaimToken := genToken(t, nil, true)
+	defaultVMAccessClaimToken := genToken(t, map[string]any{
+		"exp":       time.Now().Add(10 * time.Minute).Unix(),
+		"vm_access": map[string]any{},
+	}, true)
+	expiredToken := genToken(t, map[string]any{
+		"exp":       10,
+		"vm_access": map[string]any{},
+	}, true)
+	invalidSignatureToken := genToken(t, map[string]any{
+		"exp":       time.Now().Add(10 * time.Minute).Unix(),
+		"vm_access": map[string]any{},
+	}, false)
+
+	// missing authorization
+	request := httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	responseExpected := `
+statusCode=401
+Www-Authenticate: Basic realm="Restricted"
+missing 'Authorization' request header`
+	f(simpleCfgStr, request, responseExpected)
+
+	// token without vm_access claim
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+noVMAccessClaimToken)
+	responseExpected = `
+statusCode=401
+Unauthorized`
+	f(simpleCfgStr, request, responseExpected)
+
+	// expired token
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+expiredToken)
+	responseExpected = `
+statusCode=401
+Unauthorized`
+	f(simpleCfgStr, request, responseExpected)
+
+	// invalid signature token
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+invalidSignatureToken)
+	responseExpected = `
+statusCode=401
+Unauthorized`
+	f(simpleCfgStr, request, responseExpected)
+
+	// invalid signature token and skip verify
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+invalidSignatureToken)
+	responseExpected = `
+statusCode=200
+/foo/abc`
+	f(`
+users:
+- jwt:
+    skip_verify: true
+  url_prefix: {BACKEND}/foo`, request, responseExpected)
+
+	// token with default valid vm_access claim
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+defaultVMAccessClaimToken)
+	responseExpected = `
+statusCode=200
+/foo/abc`
+	f(simpleCfgStr, request, responseExpected)
+
+	// jwt token used but no matching user with JWT token in config
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+defaultVMAccessClaimToken)
+	responseExpected = `
+statusCode=401
+Unauthorized`
+	f(`
+users:
+- password: a-password
+  username: a-user
+  url_prefix: {BACKEND}/foo`, request, responseExpected)
+
+	// auth with key from file
+	publicKeyFile := filepath.Join(t.TempDir(), "a_public_key.pem")
+	if err := os.WriteFile(publicKeyFile, []byte(publicKeyPEM), 0o644); err != nil {
+		t.Fatalf("failed to write public key file: %s", err)
+	}
+	request = httptest.NewRequest(`GET`, "http://some-host.com/abc", nil)
+	request.Header.Set(`Authorization`, `Bearer `+defaultVMAccessClaimToken)
+	responseExpected = `
+statusCode=200
+/foo/abc`
+	f(fmt.Sprintf(`
+users:
+- jwt:
+    public_key_files:
+    - %q
+  url_prefix: {BACKEND}/foo`, string(publicKeyFile)), request, responseExpected)
+}
+
 type fakeResponseWriter struct {
 	h http.Header
 

docs/victoriametrics/changelog/CHANGELOG.md

@@ -32,6 +32,8 @@ See also [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-rel
 * FEATURE: [dashboards/single](https://grafana.com/grafana/dashboards/10229), [dashboards/cluster](https://grafana.com/grafana/dashboards/11176), [dashboards/vmagent](https://grafana.com/grafana/dashboards/12683): add clickable source code links to the `Logging rate` panel in `Drilldown`. Users can use it to navigate directly to the source code location that generated those logs, making debugging and code exploration easier. See [#10406](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10406).
 * FEATURE: [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui): add `Queries with most memory to execute` section in `Top Queries` page of `vmui`. It can help users to find queries that consume most memory and potentially cause OOM. See [#9330](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9330).
 * FEATURE: [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui): make label value autocomplete context-aware by suggesting values only from series matching already selected label filters. See [#9269](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9269).
+* FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): add JWT token authentication support with signature verification and tenant, `extra_label`, and `extra_filters` based access control. Read more about configuration in [JWT Token auth proxy](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-token-auth-proxy) documentation. See [#9439](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9439).
+* FEATURE: [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/): add JWT token authentication support with signature verification based on provided `public_keys`. Read more about configuration in [JWT Token auth proxy](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-token-auth-proxy) documentation. See [#9439](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9439).
 
 * BUGFIX: all VictoriaMetrics components: respect default http client proxy env variables (HTTP_PROXY,HTTPS_PROXY,NO_PROXY). See [#10385](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10385). Thanks to @zane-deg for the contribution.
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent/) and [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/): properly expose `kubernetes_sd` discovery network dialer metrics `vm_promscrape_discovery_kubernetes_conn_*`. See [#10382](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10382).

docs/victoriametrics/vmauth.md

@@ -48,6 +48,7 @@ Feel free to [contact us](mailto:info@victoriametrics.com) if you need customize
 * [TLS termination proxy](#tls-termination-proxy)
 * [Basic Auth proxy](#basic-auth-proxy)
 * [Bearer Token auth proxy](#bearer-token-auth-proxy)
+* [JWT Token auth proxy](#jwt-token-auth-proxy)
 * [Per-tenant authorization](#per-tenant-authorization)
 * [mTLS-based request routing](#mtls-based-request-routing)
 * [Enforcing query args](#enforcing-query-args)
@@ -247,6 +248,56 @@ users:
 
 See also [authorization](#authorization), [routing](#routing) and [load balancing](#load-balancing) docs.
 
+### JWT Token auth proxy
+
+`vmauth` can authorize access to backends depending on the provided [JWT token](https://www.jwt.io/) in `Authorization` request header. 
+JWT tokens are verified using RSA or ECDSA public keys. The following auth config proxies requests to [single-node VictoriaMetrics](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) if they contain a valid JWT token:
+
+```yaml
+users:
+- jwt:
+    public_keys:
+    - |
+      -----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+      -----END PUBLIC KEY-----
+  url_prefix: "http://victoria-metrics:8428/"
+```
+
+JWT tokens must contain a `vm_access` claim with tenant information:
+```json
+{
+  "exp": 2770832322,
+  "vm_access": {
+    "tenant_id": {
+      "account_id": 0,
+      "project_id": 0
+    }
+  }
+}
+```
+
+The empty `vm_access` claim is also allowed and means access to Tenant `0:0` will be provided.
+```json
+{
+  "exp": 2770832322,
+  "vm_access": {}
+}
+```
+
+For testing, skip signature verification with `skip_verify: true` (not recommended for production).
+
+```yaml
+users:
+- jwt:
+    skip_verify: true
+  url_prefix: "http://victoria-metrics:8428"
+```
+
+JWT authentication cannot be combined with other auth methods (`bearer_token`, `username`, `password`) in the same `users` config.
+
+See also [authorization](#authorization), [routing](#routing) and [load balancing](#load-balancing) docs.
+
 ### Per-tenant authorization
 
 The following [`-auth.config`](#auth-config) instructs proxying `insert` and `select` requests from the [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication) user `tenant1` to the [tenant](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#multitenancy) `1`, while requests from the user `tenant2` are sent to tenant `2`:
@@ -356,6 +407,7 @@ unauthorized_user:
 * [No authorization](https://docs.victoriametrics.com/victoriametrics/vmauth/#simple-http-proxy)
 * [Basic Auth](https://docs.victoriametrics.com/victoriametrics/vmauth/#basic-auth-proxy)
 * [Bearer token](https://docs.victoriametrics.com/victoriametrics/vmauth/#bearer-token-auth-proxy)
+* [JWT token](https://docs.victoriametrics.com/victoriametrics/vmauth/#jwt-token-auth-proxy)
 * [Client TLS certificate verification aka mTLS](https://docs.victoriametrics.com/victoriametrics/vmauth/#mtls-based-request-routing)
 * [Auth tokens via Arbitrary HTTP request headers](https://docs.victoriametrics.com/victoriametrics/vmauth/#reading-auth-tokens-from-other-http-headers)