OAuth Policy to Generate and Validate the OAuth JWT Token

Hi Team 

We are using the operation below to generate the token using the OAuth2.0 policy:

<OAuthV2 name="generate-policy">
  <Operation>GenerateJWTAccessToken</Operation>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
  <Algorithm>RS256</Algorithm>
  <PrivateKey>
    <Value ref="private.rsa-privatekey-1"/>
  </PrivateKey>
  <ExpiresIn ref="kvm.oauth.expires_in">3600000</ExpiresIn>
</OAuthV2>

and for verification we are using:

<OAuthV2 name="OAuthV2-verify-jwt">
  <Operation>VerifyJWTAccessToken</Operation>
  <Algorithm>RS512</Algorithm>
  <PublicKey>
    <Value ref="propertyset.non-secrets.rsa-publickey-1"/>
  </PublicKey>
</OAuthV2>

So my question is: can we generate the "GenerateJWTAccessToken" with custom claims, as we can in the GenerateJWT policy? Also, can we validate custom claims in VerifyJWTAccessToken in the OAuthV2.0 policy?

Please provide some guidance here 🙂

@dchiesa1 


No; you cannot add custom, arbitrary claims to a token generated in that way. 

If you want to include custom arbitrary claims, then I suggest that you do not use the OAuthV2 policy. Instead:

  • GenerateJWT for generation, and add in the client_id of the calling app, as well as any custom claims
  • VerifyJWT for verification + VerifyAPIKey on the client_id.
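One way to wire up the alternative the reply suggests, as an added example that is not code from this thread or from the Apigee documentation. It keeps the same algorithm (RS256) on both the generate and verify side, and the issuer, audience, claim names, policy names and the flow variable "client_id" (assumed to be set by an earlier VerifyAPIKey on the token endpoint) are all assumptions.

```xml
<!-- Token endpoint flow. An earlier VerifyAPIKey step (not shown) is assumed
     to have validated the caller and left its id in the flow variable "client_id". -->
<GenerateJWT name="GenerateJWT-custom-claims">
  <Algorithm>RS256</Algorithm>
  <!-- fail the policy, rather than emit a token with empty claims, if a ref is unset -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.rsa-privatekey-1"/>
  </PrivateKey>
  <Issuer>https://example.com/token</Issuer>   <!-- assumed value -->
  <Audience>orders-api</Audience>              <!-- assumed value -->
  <ExpiresIn>1h</ExpiresIn>
  <AdditionalClaims>
    <!-- client_id of the calling app, as the reply suggests -->
    <Claim name="client_id" ref="client_id"/>
    <!-- custom claim; a literal value is used here purely as an illustration -->
    <Claim name="scope_tier">standard</Claim>
  </AdditionalClaims>
  <OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>

<!-- Protected API flow, step 1: verify signature, issuer, audience, expiry and
     the custom claim. Source is left at its default (request.header.authorization). -->
<VerifyJWT name="VerifyJWT-custom-claims">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <Value ref="propertyset.non-secrets.rsa-publickey-1"/>
  </PublicKey>
  <Issuer>https://example.com/token</Issuer>
  <Audience>orders-api</Audience>
  <AdditionalClaims>
    <!-- the policy fails unless the token's scope_tier claim equals this value -->
    <Claim name="scope_tier">standard</Claim>
  </AdditionalClaims>
</VerifyJWT>

<!-- Step 2: confirm the client_id carried in the token still belongs to an approved app,
     so a revoked app's unexpired tokens stop working. The decoded-claim variable name
     follows the jwt.{policy_name}.decoded.claim.{claim} pattern (assumption). -->
<VerifyAPIKey name="VerifyAPIKey-from-jwt">
  <APIKey ref="jwt.VerifyJWT-custom-claims.decoded.claim.client_id"/>
</VerifyAPIKey>
```

Attach the three policies in that order (GenerateJWT on the token-issuing flow, VerifyJWT then VerifyAPIKey on every protected flow); a failure in either verify step raises a fault before the request reaches the target.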