Question on HMAC Policy, and generating a JWT from a given specific payload

Hi, I have been looking at HMAC policies and JWT Generate in particular. I am seeking to create a token out of an inbound payload that is in plain JSON format. How can I accomplish that? The docs and the four-minute video demos yield a default JWT token, but none of them creates it from a given payload, and that is what I would like to accomplish. Thank you!

Solved
1 ACCEPTED SOLUTION

I have been looking at HMAC policies and JWT Generate in particular.

Just for the record, the HMAC Policy is distinct from the GenerateJWT policy. Also, you cannot use the HMAC policy to generate a JWT, not easily anyway!

I am seeking to create a token out of an inbound payload that is in plain json format. How can I accomplish that?

There are two ways.

Option 1

If (a) you have an existing JSON payload, and (b) you want to use that exact thing as the payload of the JWT, with no additions or modifications or deletions, and (c) you want the JWT to be a signed JWT, then I suggest you just use the GenerateJWS policy. GenerateJWS accepts a Payload configuration element. You can pass in the variable that holds the json you want as payload. You may also want to set the typ header to "JWT". You can do that with this configuration:


<GenerateJWS name="JWS-Generate-HS256">
    <Algorithm>HS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <SecretKey>
        <Value ref="private.secretkey"/>
    </SecretKey>
    <Payload ref="request.content" />
    <AdditionalHeaders>
      <Claim name='typ'>JWT</Claim>
    </AdditionalHeaders>
    <OutputVariable>jws-variable</OutputVariable>
</GenerateJWS>


The result is a signed JWS, which happens to have a payload that is JSON, and typ header of JWT, which means it is also a signed JWT. (A signed JWT is a particular kind of signed JWS).

Option 2

If (a) you have an existing JSON payload, and (b) you want to use that thing as part of the payload of the JWT, with some additions or modifications or deletions, then you can use GenerateJWT with the AdditionalClaims element. For example, suppose you want to use the request.content as the payload, and also explicitly specify a subject and audience. For that you would use this configuration:


<GenerateJWT name='JWT-Generate-HS256'>
  <Algorithm>HS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <SecretKey>
    <Value ref='private.secretkey'/>
  </SecretKey>
  <Subject>foo</Subject>
  <Audience>anything-here</Audience>
  <!-- etc, for other "explicitly declared" claims. -->
  <!-- the JSON in request.content populates additional claims in the payload -->
  <AdditionalClaims ref='request.content'/>
  <OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>


If you want to include only some of the JSON properties in the request.content as claims in the JWT, then it's a little more complicated. You will need to use an additional AssignMessage step prior to GenerateJWT to selectively extract the values from the payload (using jsonpath), which you then would add as additional claims into the JWT.


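To make concrete what the two policy configurations above produce, here is an added Python model (not code from the post, and not Apigee's implementation) of an HS256 JWS built from the raw payload bytes (Option 1) and an HS256 JWT that merges explicitly declared claims with claims taken from the inbound JSON (Option 2), together with a verifier that pins the algorithm and compares signatures in constant time. The request content, secret and claim values are constructed sample data; the rule that an explicitly declared claim wins on a name collision is an assumption of this example, not documented policy behaviour.

```python
# Added example: a stdlib-only model of GenerateJWS (Option 1) and
# GenerateJWT (Option 2) output for HS256. Sample data is constructed.
import base64
import hashlib
import hmac
import json

# Constructed sample inbound JSON and signing secret (stand-ins for
# request.content and private.secretkey in the policy XML).
REQUEST_CONTENT = b'{"user_id": 42, "role": "reader"}'
SECRET = b"example-secret-do-not-use"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; restores the stripped padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(signing_input: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over header.payload, base64url-encoded."""
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def generate_jws(payload: bytes, secret: bytes, typ: str = "JWT") -> str:
    """Option 1: sign the inbound payload bytes exactly as received.

    Mirrors <Payload ref="request.content"/> plus a 'typ' additional header:
    the payload segment is the raw content; nothing is parsed or re-serialised.
    """
    header = {"alg": "HS256", "typ": typ}
    header_seg = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_seg = b64url(payload)
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    return f"{header_seg}.{payload_seg}.{sign_hs256(signing_input, secret)}"


def generate_jwt(additional_claims_json: bytes, secret: bytes, **explicit_claims) -> str:
    """Option 2: merge explicitly declared claims with claims from inbound JSON.

    Mirrors <Subject>, <Audience>, ... plus <AdditionalClaims ref="request.content"/>.
    The inbound JSON must be an object; an array or scalar cannot supply claims.
    On a name collision the explicitly declared claim wins here (an assumption
    of this example, not a statement about the policy's behaviour).
    """
    extra = json.loads(additional_claims_json)
    if not isinstance(extra, dict):
        raise ValueError("AdditionalClaims must be a JSON object")
    claims = {**extra, **explicit_claims}
    return generate_jws(json.dumps(claims, separators=(",", ":")).encode(), secret)


def verify_hs256(token: str, secret: bytes):
    """Return (header, payload_bytes) if the signature is valid, else None.

    The 'alg' header is checked before the signature is trusted, so a caller
    cannot switch the verifier to 'none' or another algorithm, and the digest
    comparison is constant-time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = sign_hs256(f"{header_seg}.{payload_seg}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, sig_seg):
        return None
    return header, b64url_decode(payload_seg)


def verify_jwt_claims(token: str, secret: bytes):
    """Verify an HS256 JWT and return its claims as a dict, or None on failure."""
    result = verify_hs256(token, secret)
    if result is None:
        return None
    _, payload = result
    claims = json.loads(payload)
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    # Option 1: the payload segment is the inbound bytes, untouched.
    jws = generate_jws(REQUEST_CONTENT, SECRET)
    print("Option 1 JWS:", jws)
    # Option 2: explicit sub/aud merged with the inbound JSON properties.
    jwt = generate_jwt(REQUEST_CONTENT, SECRET, sub="foo", aud="anything-here")
    print("Option 2 JWT claims:", verify_jwt_claims(jwt, SECRET))
```

Run it directly to see both tokens; `verify_hs256` is the part a downstream VerifyJWS/VerifyJWT step would perform, and the `alg` pin plus `hmac.compare_digest` are the two details most often missing from hand-rolled verifiers.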
3 REPLIES


Thanks a bunch Dino. I have been struggling with this for a couple of days now.

Sorry about that. Please ask sooner!