{ Community }
  • Academy
  • Docs
  • Developers
  • Resources
    • Community Articles
    • Apigee on GitHub
    • Code Samples
    • Videos & eBooks
    • Accelerator Methodology
  • Support
  • Ask a Question
  • Spaces
    • Product Announcements
    • General
    • Edge/API Management
    • Developer Portal (Drupal-based)
    • Developer Portal (Integrated)
    • API Design
    • APIM on Istio
    • Extensions
    • Business of APIs
    • Academy/Certification
    • Analytics
    • Events
    • Hybrid
    • Integration (AWS, PCF, Etc.)
    • Microgateway
    • Monetization
    • Private Cloud Deployment
    • Insights
    • IoT Apigee Link
    • BaaS/Usergrid
    • BaaS Transition/Migration
    • Apigee-127
    • New Customers
    • Topics
    • Questions
    • Articles
    • Ideas
    • Leaderboard
    • Badges
  • Log in
  • Sign up

Get answers, ideas, and support from the Apigee Community

  • Home /
  • Edge/API Management /
avatar image
8

JWT Policies in Apigee Edge  

  • Export to PDF
Dino   created · Nov 08, 2017 at 01:33 AM · 6.1k Views · Dino-at-Google edited · Jun 05, 2018 at 11:07 PM

Hey there, Apigee Community friends!

Time for another video. This one is a bit longer, and covers the new JWT policies that are available in Apigee Edge. YES! Apigee Edge now has builtin policies that can generate or verify JWT, according to your configuration. Here's a sample configuration for VerifyJWT:

<VerifyJWT name="Verify-JWT-1">
    <Algorithm>RS256</Algorithm>
    <Source>inbound.jwt</Source>
    <PublicKey>
        <Value ref='publickey'/>
    </PublicKey>
    <Audience>urn://Apigee</Audience>
</VerifyJWT>

And here is a sample policy configuration for Generating a JWT:

<GenerateJWT name="Generate-JWT-1">
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.privatekey"/>
    </PrivateKey>
    <Subject ref="request.formparam.subject"/>
    <Issuer>urn://apigee-edge-JWT-policy-demonstration</Issuer>
    <Audience ref="request.formparam.audience"/>
    <ExpiresIn>60m</ExpiresIn>
    <OutputVariable>output-jwt</OutputVariable>
</GenerateJWT>

I've just reprised this Screencast to provide some additional information. I hope you'll click and enjoy.

Click to view the screencast . BTW, the source-code accompanying the screencast is available on Github.

FAQ

Q. How does this new set of policies differ from the Java callout that has been available for some time?

A. The new policies are a supported part of the Apigee Edge product. They'll be built, tested, and maintained by Apigee engineers according to the product standards. There is official documentation and support for these policies.

The Java callout is an open-source project, and is not part of the supported Apigee Edge product. There's no official documentation and support was done through a volunteer, best-effort basis. Since there is no way to add a custom policy into the user interface, the Java callout could never appear in the policy-selector UI.

JWT of course is an open standard, and there's nothing technically wrong with using your own custom code to parse or generate JWT. But we think there are advantages in the developer experience with delivering a supported policy.

Q. I've been using that Java callout for some time, it works great. Should I convert to using this builtin policy?

Probably. The Java callout works just fine, but we think the new builtin policies will be more efficient, especially at scale. They'll also be easier to maintain, with better documentation and support.

Converting from the Java callout configuration to the config for one of the builtin policies will be basically mechanical. Renaming elements and so on. It will be a low-effort affair. You should be able to convert a policy in about 60-90 seconds.

Q. I've been doing JWT in a nodejs target for some time, it works great. Should I convert to using this builtin policy?

Probably. You may be depending on one of the various nodejs libraries for JWT, like jsonwebtoken, or node-jwt. The nodejs target in Apigee Edge is based on Trireme, which is a JavaScript interpreter that itself runs inside the JVM. The cpu efficiency of JS code running on top of that stack is poor, compared to directly compiled Java code. This matters especially with RSA algorithms, but it also has an effect on HMAC algorithms. If you have high load, you will want to use the more efficient option, and that's the built-in policy types.

Q. Do the JWT policies enforce any particular format on the JWT they generate or verify?

No. Apigee Edge can verify JWT generated by Azure, Google Signin, Salesforce, Ping, Paypal, or other systems. When generating a JWT, you can embed payload claims of any type into the token. Also, Apigee Edge can generate JWT that can be verified by any other system.

Q. Will the VerifyJWT policy directly implement RFC7523?

No, but you can implement RFC7523 grants in your API Proxy. Consult the prior article describing the technique; all you need to do is replace the Java callout in that example with the builtin Apigee Edge policy.

Q. Will Apigee Edge provide more support for OpenID Connect?

OpenID Connect wraps user authentication around the OAuth 2.0 three-legged protocol. There is a prior community article discussing OpenID Connect and Apigee Edge. The basics of that article still apply, now that there is a builtin GenerateJWT policy.

Apigee is investigating deeper support for OpenID Connect, but we have nothing to announce at this time.

Q. I see the policy supports RSA and HMAC signing. When will other algorithms be supported, like ECDSA?

ECDSA is on the roadmap, but we don't have a firm schedule for this. Soon! Expected Summer 2018.

Q. What about encrypted tokens, JWE? Will Apigee support that with a builtin policy?

We have no immediate plans to ship a policy that does JWE, but we are always interested in customer requirements. For now you may have to rely on custom Java code for this technical use case.

Q. I'd like to verify JWT using certificates stored in the Apigee truststore. But there is no way for the API Proxy to directly read from the truststore. Will Apigee allow this in the future?

We are investigating that possibility. Right now we don't view this limitation as severe, as there is a pretty simple workaround: load the certs and keys into the KVM.

Q. Why does Apigee force me to use a private. variable for configuring Private keys or secret keys in the JWT policy configuration?

We are encouraging good security practices by enforcing the use of a private variable. You cannot key in secrets like passwords or PEMs for private keys into the policy configuration files. We feel the right place for this information is in a secure store, such as the Encrypted KVM which is part of Apigee Edge. Of course you can embed public keys directly into the policy configuration, if you wish. Public keys aren't secrets!

Q. OK, I see the merit in that. How do I load my privatekey.pem file into the KVM?

You should do it via the administrative API. Today the Admin UI does not handle newlines very well. (bug ref b/64808634 ) There's a bash script available here that can help. Or if you prefer nodejs, check here. I haven't created an example for Powershell, let me know if you want one. The key point: You need to be careful escaping newlines.

screenshot-20180315-180622.png (456.9 kB)
thub.nodes.view.add-new-comment
jwt
Add comment Show 32
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Sujith Mathew · Nov 08, 2017 at 05:52 AM 0
Link

Just what the doctor ordered, wonderful and thank you

avatar image Meghdeep Basu · Nov 08, 2017 at 09:12 AM 0
Link

Great news. Any idea when is it expected ? We are eagerly waiting for this.

avatar image Dino ♦♦ Meghdeep Basu   · Nov 08, 2017 at 05:02 PM 0
Link

These policies are available as Alpha in Edge SaaS. You can request enablement from Apigee Support. Current plan is to make them generally available to everyone in January.

avatar image Meghdeep Basu Dino ♦♦ · Nov 19, 2017 at 07:58 PM 0
Link

Thanks @Dino,

We got it in our orgs. One query: when I am trying to assign an array to our custom claims, the decoded jwt has "/", like

"software_redirect_uris": "[\"https://prime.amazon.com/cb\"]"<br>

Although the in the previous java script policy and in the JWT generate policy, we are able to see proper value:

redirectUrisArray ["https//prime.amazon.com/cb"]

Any pointer on this ?

Show more comments
avatar image Mahammad Feroz · Nov 08, 2017 at 04:59 PM 1
Link

Good news. How do we get those new policies on to the existing on-prem Apigee instance?

avatar image Dino ♦♦ Mahammad Feroz   · Nov 08, 2017 at 05:01 PM 0
Link

These policies will roll to OPDK in a future release. We haven't announced specifically. 18.01 would be the next logical candidate. You will need to upgrade your installation in order to get them.

UPDATE: Yes, the JWT policies are available in 18.01

avatar image Dizon DIzon · Dec 13, 2017 at 03:48 PM 0
Link

Thank you. Does it support kid?

avatar image Dino ♦♦ Dizon DIzon   · Dec 13, 2017 at 04:33 PM 0
Link

Yes.

  • On Generation, of course you can configure the policy to embed a kid claim in the JWT header. And that claim can hold any value.
  • On Verification (probably what you were asking about), you can specify a JWKS. If the JWT to be verified contains a kid in the header, the JWT policy will extract the appropriate key from the JWKS based on the kid, and will verify the JWT as appropriate.

Does this answer your question?

avatar image Dizon DIzon Dino ♦♦ · Dec 13, 2017 at 08:59 PM 0
Link

I just cannot find where I can configure jwt headers in GenerateJWT policy.

Show more comments
avatar image Payal Ajwani · Dec 22, 2017 at 04:34 PM 0
Link

How do I specify modulus and exponent in the VerifyJWT Policy instead of Public Key? There was a way to do that in the callout. Just looking for the format to specify.

avatar image Dino ♦♦ Payal Ajwani   · Dec 22, 2017 at 05:12 PM 0
Link

Do it with the JWKS. You need the modulus and exponent wrapped in a JWKS, and then the JWT-to-be-verified must refer to the kid.

There is no way to directly specify the modulus and exponent.

avatar image Payal Ajwani Dino ♦♦ · Dec 22, 2017 at 05:27 PM 0
Link

Thanks Dino. I should have watched your video until the end :).

avatar image adoshi · Jan 28, 2018 at 01:17 AM 0
Link

Hey Dino, I was trying to validate the jwt generated from apigee edge in Azure Functions and I found out that when you assign the value of private key in the PEM format, you need to remove the BEGIN PRIVATE KEY and END PRIVATE KEY related lines from the file. If you don't do that, GenerateJWT policy seems to work without any problems but the signature cannot be validated. I am hoping that this will save time for somebody else.

avatar image Dino-at-Google ♦♦ adoshi   · Jun 05, 2018 at 10:56 PM 0
Link

Thanks for that tip. Not sure why that would be. But I'm glad it's working for you.

avatar image Joe Burgett · Feb 03, 2018 at 12:11 AM 0
Link

Has anyone else seen this behavior :

From time to time the 'Decode JWT' policy sets the variable name suffix to unexpected values. For example, I have seen jwt.xxx.custom_claims.scp and jwt.xxx.claims.scp used. I'm looking for the values of these variables, so when the name changes my 'Raise Value' conditions get all messed up.

I know that this policy is in 'Beta', so I understand that this may just be a development bug. Does anyone have thoughts and/or comments?

avatar image Brent Stains · Mar 02, 2018 at 07:02 PM 0
Link

Thank you for the examples! The have been quite helpful. I noticed that when running the examples that I wasn't getting some of the values from the inbound JWT token into the outbound token.

For some reason, I had to add ".claim" in SOME of the variables. I assume there's a reason for it and it's beta, but may want to update the examples? Not sure, but sharing all the same.

<Payload contentType="application/json">

{ "status" : "ok", "algorithm" : "{jwt.Verify-JWT-2.claim.algorithm}",

"claim_names" : "{jwt.Verify-JWT-2.payload-claim-names}",

"subject" : "{jwt.Verify-JWT-2.claim.subject}",

"issuer" : "{jwt.Verify-JWT-2.claim.issuer}",

"audience" : "{jwt.Verify-JWT-2.claim.audience}",

"expiry" : "{jwt.Verify-JWT-2.expiry_formatted}",

"seconds_remaining" : {jwt.Verify-JWT-2.seconds_remaining},

"out.now" : "{outbound.now}" }

</Payload>

avatar image Dino-at-Google ♦♦ Brent Stains   · Jun 05, 2018 at 10:54 PM 0
Link

Yes, thank you, the examples have been updated.

avatar image Rafael Obara · Apr 24, 2018 at 09:36 PM 0
Link

when there will be a tutorial step by step for dummies in the Apigee Docs?

avatar image Siddharth Barahalikar Rafael Obara   · Apr 25, 2018 at 04:01 AM 0
Link

Hi @Rafael Obara, for step by step tutorial, follow below Github project by Dino,

https://github.com/DinoChiesa/ApigeeEdge-JWT-Demonstration

avatar image Rafael Obara Siddharth Barahalikar · Apr 25, 2018 at 02:31 PM 0
Link

@Siddharth Barahalikar thanks for the link,

I dit that demo tutorial yesterd, but i think it's very basic.

If i have a client app registered in my organization.

How do i generate a jwt token for a existing client app registered in a product?

Where do i inform the consumer id and consumer secret, grant_type, scopes?

I need to insert a specific claim in my token based in the consumer id, how do i do this dynamically?

Sorry for asking this kind of thing, i'm new at Apigee and i'm having hard time with Oauth2, Apigee and JWTtokens

Show more comments
avatar image Frank Proue · Jun 05, 2018 at 10:27 PM 0
Link

Trying to follow Dino's JWT Policies in Apigee Edge sample solution. Great video, useful same code. Worked for me. We are running private cloud 4.18.01. I need to run loadPemIntoKvm.js to upload private key to encrypted KVM in an org in private cloud. This script uses apigee.com as default in a few input parameters. I can override the mgmtServer input parameter, but don't know how to override the "loginBaseUrl" and "urlBase" since they do not seem to be provided in the options list. Also, the option "-M" showed twice, once for mgmtserver, and once for napname arguement.

Usage:
node loadPemIntoKvm.js [OPTION]

Options:
-M, --mgmtserver=ARG the base path, including optional port, of the Edge mgmt server. Defaults to https://api.enterprise.apigee.com .
-u, --username=ARG org user with permissions to read Edge configuration.
-p, --password=ARG password for the org user.
-n, --netrc retrieve the username + password from the .netrc file. In lieu of -u/-p
-o, --org=ARG the Edge organization.
-v, --verbose
-h, --help
-e, --env=ARG required. the Edge environment for which to store the KVM data
-M, --mapname=ARG optional. name of the KVM in Edge for keys. Will be created if nec. Default: PrivateKeys
-E, --encrypted optional. if creating a KVM, set it as encrypted. Default: not.
-F, --pemfile=ARG required. name of the file containing the pem-encoded key.
-N, --entryname=ARG required. name of the entry in KVM to store the PEM.
-T, --notoken optional. do not try to get a authentication token.

avatar image Dino-at-Google ♦♦ Frank Proue   · Jun 05, 2018 at 10:50 PM 0
Link

whoops!

The repeat of the -M option was an oversight. You can use the long form option --mapname and --mgmtserver to disambiguate. I'll fix it in a future version.

The loginBaseUrl and urlBase .. I think those are present in the apigee-edge-js module, which is a dependency of that tool. The loginBaseUrl is intended to be used with SSO on the Edge SaaS. You should never need that. The urlbase should just work. That's an internal implementation detail, from what I can tell.

I haven't tried the loadPemIntoKvm.js tool against an OPDK. It is intended to "just work". If it does not, then we need to log a bug against the apigee-edge-js module. (And I'll fix THAT).

You said you need to run the script... and then offered some observations about the internals of the script But did you try it? What results did you see?

If it does not work specifying --mgmtserver , then maybe you can try the -T option (notoken), which tells the tool to not try to obtain a token from the token endpoint. (This should work also in OPDK, but not sure if you've got that set up properly)

avatar image Frank Proue Dino-at-Google ♦♦ · Jun 06, 2018 at 03:46 PM 0
Link

Yes, the use of -mgmtserver worked. Run the command as suggested and here is the error received.

node ./tools/loadPemIntoKvm.js --mgmtserver $MGMT_URL -u $USER_NAME -p $PASSWD -v -o $ORG -e $ENV -E --mapname secrets -N key1 -F ./tools/keys/private-pkcs8.pem
Apigee Edge PEM KVM-loader tool, version: 20171213-1645
Node.js v8.9.1

[2018-Jun-06 09:47:47] start
[2018-Jun-06 09:47:47] connect: {"orgname":"xxxmyorgname","user":"xxxmyuserid","loginBaseUrl":"https://login.apigee.com","mgmtServer":"https://xxxmy-server-domain","urlBase":"https://xxxmy-server-domain/v1/o/xxxmy-org","requestHeaders":{"accept":"application/json"},"verbosity":true}

[2018-Jun-06 09:47:47] found no stashed token.
[2018-Jun-06 09:47:47] POST https://login.apigee.com/oauth/token

C:\MyWorkspace\Download\ApigeeEdge-JWT-Demo\node_modules\apigee-edge-js\lib\common.js:29
utility.logWrite('status: ' + response.statusCode );
^

TypeError: Cannot read property 'statusCode' of undefined
at Request._callback (C:\MyWorkspace\Download\ApigeeEdge-JWT-Demo\node_modules\apigee-edge-js\lib\common.js:29:48)
at self.callback (C:\MyWorkspace\Download\ApigeeEdge-JWT-Demo\node_modules\request\request.js:185:22)
at emitOne (events.js:116:13)
at Request.emit (events.js:211:7)
at Request.onRequestError (C:\MyWorkspace\Download\ApigeeEdge-JWT-Demo\node_modules\request\request.js:877:8)
at emitOne (events.js:116:13)
at ClientRequest.emit (events.js:211:7)
at ClientRequest.onConnect (C:\MyWorkspace\Download\ApigeeEdge-JWT-Demo\node_modules\tunnel-agent\index.js:168:23)
at Object.onceWrapper (events.js:319:30)
at emitThree (events.js:136:13)

Show more comments

Article

Contributors

avatar image avatar image
Follow

Follow this article

57 People are following this .

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Navigation

JWT Policies in Apigee Edge

Related Articles

Java Callout to generate or validate JWTs with signing and/or encryption

Using Apigee Edge with OpenID Connect

A quick screencast tour of the VerifyJWT policy in Apigee

RFC7523 in Apigee Edge - Exchanging JWT for Opaque OAuth tokens

  • Products
    • Edge - APIs
    • Insights - Big Data
    • Plans
  • Developers
    • Overview
    • Documentation
  • Resources
    • Overview
    • Blog
    • Apigee Institute
    • Academy
    • Documentation
  • Company
    • Overview
    • Press
    • Customers
    • Partners
    • Team
    • Events
    • Careers
    • Contact Us
  • Support
    • Support Overview
    • Documentation
    • Status
    • Edge Support Portal
    • Privacy Policy
    • Terms & Conditions
© 2019 Apigee Corp. All rights reserved. - Apigee Community Terms of Use - Powered by AnswerHub
  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Create an article
  • Post an idea
  • Spaces
  • Product Announcements
  • General
  • Edge/API Management
  • Developer Portal (Drupal-based)
  • Developer Portal (Integrated)
  • API Design
  • APIM on Istio
  • Extensions
  • Business of APIs
  • Academy/Certification
  • Analytics
  • Events
  • Hybrid
  • Integration (AWS, PCF, Etc.)
  • Microgateway
  • Monetization
  • Private Cloud Deployment
  • Insights
  • IoT Apigee Link
  • BaaS/Usergrid
  • BaaS Transition/Migration
  • Apigee-127
  • New Customers
  • Explore
  • Topics
  • Questions
  • Articles
  • Ideas
  • Members
  • Badges