How can I set the Authorization header?

Not applicable

I'm trying to use @Dino's https://github.com/apigee/iloveapis2015-jwt-jwe-jws/blob/master/jwt_signed to set a JWT token when calling out to a service. I tried the two approaches below, but I don't see the Authorization header at all in the raw request logs of the receiving service. How can I set the jwt_jwt variable value into the Authorization header?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Jwt-Token">
    <DisplayName>Assign Jwt Token</DisplayName>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Authorization">{jwt_jwt}</Header>
        </Headers>
        <QueryParams/>
        <FormParams/>
    </Add>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" name="Set-JWT-Token-Header">
    <DisplayName>Set JWT Token Header</DisplayName>
    <Properties/>
    <ResourceURL>jsc://SetJwtTokenHeader.js</ResourceURL>
</Javascript>

SetJwtTokenHeader.js:

var jwtToken = context.getVariable("jwt_jwt");
context.setVariable("request.header.Authorization", jwtToken);
3 REPLIES

Where in the flow have you tried attaching these policies? This should work if attached to the request flow.

Please try the Assign Message policy with a <Set> instead of the <Add>. It's also good practice to remove elements you don't need (e.g. <QueryParams/> and <FormParams/>). If you're still not observing the expected result, please try temporarily hardcoding a value for the header.

I suggest using the trace tool instead of your backend logs to better understand what is going on. Are you seeing the jwt_jwt variable being set and accessed?

Yes - the jwt_jwt variable should be set when you use the callout policy like this:

<JavaCallout name='JWT-Create-RS256' >
  <Properties>
     ...
  </Properties>
  <ClassName>com.apigee.callout.jwtsigned.JwtCreatorCallout</ClassName>
  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.5.jar</ResourceURL>
</JavaCallout>

That step will SET the jwt_jwt variable, which will then be available in subsequent steps.

It could be a problem with policy ordering. If you show us a screenshot of the trace for a request, we might be able to tell if you have your policies ordered in a way that will allow things to work as you expect.

Not applicable

Turns out it was due to the actual request, to the downstream receiving service, being in the <Request> part of the PostFlow. Once the actual request was moved to the <Response> part of the PostFlow, it could see the headers that were set and they were sent with the rest of the payload. Something about the way Apigee holds these values in context.
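An added example, not part of the original thread or of the callout project: a fail-closed variant of SetJwtTokenHeader.js that raises a fault when jwt_jwt is unset or malformed, so an ordering problem shows up in the trace instead of as a silently missing header. The names setJwtAuthorizationHeader and makeStubContext, the optional scheme prefix, and the sample token are assumptions made for illustration.

```javascript
// Added example (ES5, so it also runs under Apigee's Rhino engine).
// Shape check only: three non-empty base64url segments. It does NOT verify the signature.
var COMPACT_JWS = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Constructed sample token (not a real credential), used only for offline runs.
var SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl";

// ctx is the Apigee `context` object. scheme is an optional prefix such as "Bearer"
// (an assumption: the thread sends the bare token, which is the default here).
function setJwtAuthorizationHeader(ctx, scheme) {
    var token = ctx.getVariable("jwt_jwt");
    if (token === null || token === undefined || String(token) === "") {
        // Typical cause discussed in the thread: this step ran before the JWT callout.
        throw new Error("jwt_jwt is not set; check policy ordering in the trace");
    }
    token = String(token); // may be a Java string under Rhino
    if (!COMPACT_JWS.test(token)) {
        throw new Error("jwt_jwt is not a compact JWS (header.payload.signature)");
    }
    var value = scheme ? scheme + " " + token : token;
    ctx.setVariable("request.header.Authorization", value);
    return value;
}

// Constructed stand-in for the Apigee context so the function can be exercised offline.
function makeStubContext(initial) {
    var vars = {};
    for (var k in initial) {
        if (Object.prototype.hasOwnProperty.call(initial, k)) { vars[k] = initial[k]; }
    }
    return {
        getVariable: function (name) {
            return Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : null;
        },
        setVariable: function (name, value) { vars[name] = value; }
    };
}

// Inside the policy the global `context` exists; outside Apigee this branch is skipped.
if (typeof context !== "undefined") {
    setJwtAuthorizationHeader(context);
}
```

A thrown error puts the JavaScript policy into a fault, so keep continueOnError="false" on the policy for the check to stop the request.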