While creating a JWT in Apigee with an Audience value, if the audience value is comma-separated, we get the audience value as an array.
If I pass the audience value as: a=b,c=d,e=f
the value in the generated JWT is as below:
aud : [
    a=b,
    c=d,
    e=f
]
rather than being on one line: aud : "a=b,c=d,e=f"
Yes, this was a limitation in the GenerateJWT policy - the audience was always parsed as a comma-separated list of values. The idea was that Audience could accept an array of values; the logic in the policy just inferred that any comma present in the string implied that the value was a list. This meant that an LDAP DN couldn't be represented in the audience claim of a JWT generated by the GenerateJWT policy.
The good news: Some time ago, we introduced a new attribute to eliminate that limitation. In fact your Apigee Edge install probably has the enhancement. The bad news: Unfortunately, and to my embarrassment, we did not document the fix. 😞
So here's the straight dope:
To handle the case in which the intended audience field has embedded commas (as with an LDAP DN), we added a new attribute to the Audience element, "parse". It takes a string, either "string" or "list". If the attribute is not present it defaults to "list". If the attribute is "string" then the value is just treated "as-is".
To use it, try syntax like this:
<GenerateJWT name='JWT-1'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.key"/>
    <Id ref='privatekey_id'/>
  </PrivateKey>
  <Subject ref="jwt_subject" />
  <Audience ref='jwt_audience' parse='string'/>
  <ExpiresIn>8h</ExpiresIn>
  <OutputVariable>variable_name_here</OutputVariable>
</GenerateJWT>
With parse='string', your case of "a=b,c=d,e=f" will result in an audience claim containing the string "a=b,c=d,e=f".
"aud" : [ "a=b,c=d,e=f" ], ...
It's still an array, because that's how audience works. But ... the value is as you want.
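The difference between parse='list' and parse='string' matters most at the other end, where a resource server checks the aud claim. The following is an added example (not Apigee's code and not the GenerateJWT policy's implementation) that models the two parse modes described in the answer, mints a token with the resulting claim, and verifies it the way RFC 7519 prescribes: the expected audience must equal one element of the aud array exactly, with no comma splitting on the verifying side. It uses HS256 with the Python standard library instead of the RS256 key shown in the policy so that it runs offline; build_aud_claim is an assumed model of the policy's splitting behaviour, and the secret and claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_aud_claim(audience: str, parse: str = "list") -> list:
    """Assumed model of <Audience ref='...' parse='...'/> from the answer above.

    parse='list' (the default): any comma in the string makes it a list of values.
    parse='string': the value is kept as-is, as a single-element array.
    """
    if parse == "list":
        return [part.strip() for part in audience.split(",") if part.strip()]
    if parse == "string":
        return [audience]
    raise ValueError("parse must be 'list' or 'string'")


def generate_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (HS256) carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt_hs256(token: str, secret: bytes, expected_aud: str) -> dict:
    """Check alg pinning, signature, then audience.

    RFC 7519 allows aud to be a string or an array of strings; the token is
    accepted only if expected_aud matches one element exactly. The verifier
    never splits on commas, so an LDAP DN is compared as one opaque value.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust alg from the token blindly
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or expected_aud not in aud:
        raise ValueError("audience mismatch")
    return claims


def audience_accepted(token: str, secret: bytes, expected_aud: str) -> bool:
    """True if the token verifies for expected_aud, False on any rejection."""
    try:
        verify_jwt_hs256(token, secret, expected_aud)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed sample: an LDAP-DN-style audience minted in both parse modes."""
    secret = b"constructed-demo-secret"  # sample key, not a real deployment secret
    dn = "a=b,c=d,e=f"
    results = {}
    for mode in ("list", "string"):
        claims = {"sub": "jwt_subject", "aud": build_aud_claim(dn, mode)}
        token = generate_jwt_hs256(claims, secret)
        results[mode] = {
            "aud": claims["aud"],
            "accepted_for_dn": audience_accepted(token, secret, dn),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the practical consequence: with the default parse='list' the claim becomes ["a=b","c=d","e=f"] and a verifier expecting the whole DN rejects the token, while parse='string' yields ["a=b,c=d,e=f"] and the same verifier accepts it.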
@jonesfloyd - somehow we missed documenting this change.
ref: b/74601316
Thanks, Dino! Filed doc ticket b/123711233.
Thanks, @Dino-at-Google, for your response.