Apigee X supporting self-contained JWT token

Hi,

Does Apigee X support self-contained JWT tokens with an X5C header containing the token signing certificate details? For both generation and validation of the JWT token.

Can it perform PKI validation? To ensure that the received token signing public key is provided by a trusted issuer, as detailed in RFC 5280.

Please advise.


1. Yes, you can generate and verify JWTs that contain the x5c field in the header. But it is not as easy as it might be.

  • During generation, you must "manually" specify the x5c header with the right encoded contents.
  • During verification, you need to first decode the token via DecodeJWT, extract the x5c field containing the cert, and then call VerifyJWT using that value.

2. No, today Apigee does not perform PKI trust validation on the cert specified this way, using the Truststore.

There is an enhancement request in the backlog, to make it simpler to do these things (generate, verify, and verify trust). 

Connect with your sales team if you want to discuss prioritization of this capability.
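The decode-then-verify flow from the reply above, written out as a stand-alone Go program. This is an added example, not Apigee policy code and not from the original thread: it mints an RS256 token with the signing certificate in the x5c header, verifies it the way the reply describes (decode the header, take the certificate out of x5c, check the signature with that certificate's key), and then adds the RFC 5280 chain check against a truststore, which is the step the reply says Apigee does not perform today. The root CA, issuer and attacker keys, the subject names and the claims are constructed fixtures; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must panics on error; used only to build the constructed demo fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a constructed demo certificate for pub signed by parent/parentKey; parent == nil means self-signed.
func newCert(cn string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// SignJWT mints an RS256 token; per RFC 7515 section 4.1.6 the x5c entry is the DER cert in standard (not URL-safe) base64.
func SignJWT(payload []byte, key *rsa.PrivateKey, cert *x509.Certificate) (string, error) {
	hb, _ := json.Marshal(map[string]any{"alg": "RS256", "x5c": []string{base64.StdEncoding.EncodeToString(cert.Raw)}})
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyJWT is the reply's flow: decode the header, take the x5c cert, check the signature with its public key.
// A non-nil roots pool adds the RFC 5280 chain check that Apigee skips; with nil roots any self-signed x5c cert passes.
func VerifyJWT(token string, roots *x509.CertPool) (json.RawMessage, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	var err error
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var h struct{ Alg string `json:"alg"`; X5c []string `json:"x5c"` }
	if err := json.Unmarshal(raw[0], &h); err != nil || h.Alg != "RS256" || len(h.X5c) == 0 {
		return nil, fmt.Errorf("need an RS256 header with x5c, got alg=%q (%v)", h.Alg, err) // rejects alg confusion too
	}
	der, derr := base64.StdEncoding.DecodeString(h.X5c[0]) // first entry is the signing certificate
	leaf, perr := x509.ParseCertificate(der)
	if derr != nil || perr != nil {
		return nil, fmt.Errorf("x5c: decode=%v parse=%v", derr, perr)
	}
	if err := leaf.CheckSignature(x509.SHA256WithRSA, []byte(parts[0]+"."+parts[1]), raw[2]); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if roots != nil {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
			return nil, fmt.Errorf("untrusted signing certificate: %w", err)
		}
	}
	return raw[1], nil
}

// Result holds one flag per token (trusted issuer vs attacker) and verification mode (signature only vs with trust check).
type Result struct{ IssuerSigOnly, IssuerTrusted, AttackerSigOnly, AttackerTrusted bool }

// Demo builds a constructed root CA, an issuer cert it signed and an attacker's self-signed cert with the same subject.
func Demo() Result {
	caKey, issKey, atkKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := newCert("Demo Root CA", true, &caKey.PublicKey, nil, caKey)
	issCert := newCert("token-issuer", false, &issKey.PublicKey, caCert, caKey)
	atkCert := newCert("token-issuer", false, &atkKey.PublicKey, nil, atkKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	payload := []byte(`{"sub":"alice","scope":"admin"}`) // constructed sample claims
	good := must(SignJWT(payload, issKey, issCert))
	evil := must(SignJWT(payload, atkKey, atkCert))
	ok := func(tok string, pool *x509.CertPool) bool { _, err := VerifyJWT(tok, pool); return err == nil }
	return Result{ok(good, nil), ok(good, roots), ok(evil, nil), ok(evil, roots)}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Run it and the attacker's self-signed token passes the signature-only check (AttackerSigOnly is true), because that mode trusts whatever certificate the token itself carried, and it fails only once the chain check against the root pool is on (AttackerTrusted is false). That is exactly the gap behind the "No" in point 2: until the certificate taken out of x5c is checked against a truststore, a valid signature only proves the sender holds the key matching the certificate they embedded, not that a trusted issuer signed the token.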