Add policy action doc (#582)

Also removes the old (non-gen'd) module doc.

---------

Co-authored-by: Russ Savage <russorat@users.noreply.github.com>

docs/http/traffic-policy/actions/jwt-validation.mdx

@@ -0,0 +1,111 @@
+import { ExampleHTTP } from "/examples/actions/jwt-validation.mdx";
+
+# JWT Validation
+
+## Overview
+
+The JWT Validation action allows or denies traffic based on validation of the JSON Web
+Token (JWT) provided within the request that was initiated to your ngrok endpoints. You
+will define the claims used to validate the token in conjunction with verifying it has
+been properly signed by the issuer.
+
+A connection is allowed only if it has been signed by the issuer and the defined claims
+match.
+
+## Example
+
+<ExampleHTTP />
+
+## Behavior
+
+### Multiple Issuers
+
+You may specify multiple issuers to be used for JWT validation. A request is considered
+validated if it presents a JWT signed by any of the specified issuers.
+
+### Multiple Audience Claims
+
+You may specify multiple audience claims to be used for JWT validation. JWT validation
+will require at least one of the audience claims to be present within the JWT.
+
+### Multiple Signing Keys
+
+You have the ability to provide multiple JWKS urls and signing algorithms. During JWT
+validation the list of JWKS and algorithms provided will be used in an attempt to validate
+the JWT. This list will be tried in order.
+
+### Multiple Tokens
+
+If multiple tokens are defined within the HTTP configuration parameter, all tokens must be
+present in the request. If all tokens are not present a 401 status code will be returned.
+
+### Configuration
+
+| Type             |
+| ---------------- |
+| `jwt-validation` |
+
+| Parameter  | Type                                               | Description                                            |
+| ---------- | -------------------------------------------------- | ------------------------------------------------------ |
+| `issuer`   | [JWTIssuerConfig](#jwtissuerconfig-parameters)     | configuration about the Issuer(s) of the JWTs.         |
+| `audience` | [JWTAudienceConfig](#jwtaudienceconfig-parameters) | configuration about the Audience(s) of the JWTs.       |
+| `http`     | [JWTHTTPConfig](#jwthttpconfig-parameters)         | configuration about the HTTP requests containing JWTs. |
+| `jws`      | [JWTSigningConfig](#jwtsigningconfig-parameters)   | configuration about signed JWTs (JWS).                 |
+
+#### JWTIssuerConfig Parameters
+
+| Parameter    | Type                               | Description                  |
+| ------------ | ---------------------------------- | ---------------------------- |
+| `allow_list` | [JWTIssuer](#jwtissuer-parameters) | the list of allowed issuers. |
+
+#### JWTIssuer Parameters
+
+| Parameter | Type     | Description            |
+| --------- | -------- | ---------------------- |
+| `value`   | `string` | the URL of the issuer. |
+
+#### JWTAudienceConfig Parameters
+
+| Parameter    | Type                                   | Description                    |
+| ------------ | -------------------------------------- | ------------------------------ |
+| `allow_list` | [JWTAudience](#jwtaudience-parameters) | the list of allowed audiences. |
+
+#### JWTAudience Parameters
+
+| Parameter | Type     | Description                      |
+| --------- | -------- | -------------------------------- |
+| `value`   | `string` | the value of the audience claim. |
+
+#### JWTHTTPConfig Parameters
+
+| Parameter | Type                                     | Description                     |
+| --------- | ---------------------------------------- | ------------------------------- |
+| `tokens`  | [JWTHTTPToken](#jwthttptoken-parameters) | the list of tokens to validate. |
+
+#### JWTHTTPToken Parameters
+
+| Parameter | Type     | Description                                                                                                                             |
+| --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------- |
+| `type`    | `string` | the type of the JWT, which acts as a hint to ngrok about how ngrok should parse the token. Must be one of "jwt", "at+jwt", or "it+jwt". |
+| `method`  | `string` | the location in which to expect the JWT. Must be one of "header" or "body".                                                             |
+| `name`    | `string` | the name of the header or body field where the JWT is expected.                                                                         |
+| `prefix`  | `string` | any prefix to strip from the header or body field before parsing the JWT.                                                               |
+
+#### JWTSigningConfig Parameters
+
+| Parameter            | Type                                         | Description                                 |
+| -------------------- | -------------------------------------------- | ------------------------------------------- |
+| `allowed_algorithms` | `List<string>`                               | the list of allowed signing algorithms.     |
+| `keys`               | [JWTSigningKeys](#jwtsigningkeys-parameters) | the configuration for the JWT signing keys. |
+
+#### JWTSigningKeys Parameters
+
+| Parameter | Type                                                     | Description                                                            |
+| --------- | -------------------------------------------------------- | ---------------------------------------------------------------------- |
+| `sources` | [JWTSigningKeySources](#jwtsigningkeysources-parameters) | the configuration for the key material used to verify the signed JWTs. |
+
+#### JWTSigningKeySources Parameters
+
+| Parameter         | Type           | Description                                                          |
+| ----------------- | -------------- | -------------------------------------------------------------------- |
+| `additional_jkus` | `List<string>` | a list of URLs which serve teh possible signing keys in JWKS format. |

examples/actions/jwt-validation.mdx

@@ -0,0 +1,47 @@
+import ConfigExample from "../../src/components/ConfigExample.tsx";
+
+export const type = "jwt-validation";
+export const config = {
+	issuer: {
+		allow_list: [
+			{
+				value: "https://example.com/issuer",
+			},
+		],
+	},
+	audience: {
+		allow_list: [
+			{
+				value: "urn:example:api",
+			},
+		],
+	},
+	http: {
+		tokens: [
+			{
+				type: "access_token",
+				method: "header",
+				name: "Authorization",
+				prefix: "Bearer ",
+			},
+			{
+				type: "it+jwt",
+				method: "body",
+				name: "_id_token",
+			},
+		],
+	},
+	jws: {
+		allowed_algorithms: ["RS256", "ES256"],
+		keys: {
+			sources: {
+				additional_jkus: ["https://example.com/issuer/jku"],
+			},
+		},
+	},
+};
+
+export const ExampleHTTP = () => (
+  <ConfigExample config={{ actions: [{ type, config }] }} />
+
+)

sidebars.js

@@ -46,7 +46,6 @@ const sidebars = {
 				"http/circuit-breaker",
 				"http/compression",
 				"http/ip-restrictions",
-				"http/jwt-validation",
 				"http/mutual-tls",
 				"http/oauth",
 				"http/openid-connect",