How to exclude jti claim from JWT token generation

Hello,

We have a use case of generating JWT tokens in Apigee with a private key, with digest and digestAlgorithm as Additional Claims and an x5c certificate as an Additional Header, and passing them to the backend target for validation and further processing of the request.

Please see below for the policy configuration.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT async="false" continueOnError="false" enabled="true" name="Generate-JWT">
    <DisplayName>Generate JWT</DisplayName>
    
    <Algorithm>RS256</Algorithm>
    
    <PrivateKey>
        <Value ref="private.privatekey"/>
    </PrivateKey>

    <AdditionalClaims>
        <Claim name="digest" ref="signData"/>
        <Claim name="digestAlgorithm" type="string">SHA-256</Claim>
    </AdditionalClaims>

    <AdditionalHeaders>
        <Claim name="x5c" ref="private.cert"/>
    </AdditionalHeaders>

    <OutputVariable>jwt-token</OutputVariable>

</GenerateJWT>

The resulting JWT contains a "jti" claim, which unfortunately is being rejected by the backend target. Is there a way or workaround by which I can exclude the "jti" claim from token generation? Though I believe the backend target should not be checking for it, unfortunately it is checking this and rejecting the tokens.

Thanks,

SivaRam Appali

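As an added example (not Apigee code and not the poster's), the following Python builds a token with the same claim and header shape as the policy above, reports which claims and header parameters a backend will see, and shows why a "jti" claim cannot simply be removed after signing. It uses HS256 with a constructed secret instead of the policy's RS256 private key, and the x5c value is a placeholder.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. The policy on the page signs with an RSA private key (RS256);
# HMAC-SHA256 is used here only so the example runs with the standard library alone.
DEMO_KEY = b"constructed-demo-secret-not-for-real-use"

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding a JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS: header.payload.signature."""
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> bool:
    """True only if the signature still matches header and payload exactly."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def inspect_jwt(token: str) -> dict:
    """Report what a backend sees, without verifying: header extras and claim names."""
    head, body, _ = token.split(".")
    header, payload = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    return {"alg": header.get("alg"), "has_x5c": "x5c" in header,
            "has_jti": "jti" in payload, "claims": sorted(payload)}

def strip_claim(token: str, claim: str) -> str:
    """Re-encode the payload without `claim` but keep the old signature. This is what
    'removing jti after the fact' amounts to, and verify_hs256 rejects the result."""
    head, body, sig = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.pop(claim, None)
    return f"{head}.{_segment(payload)}.{sig}"
```

Omitting the claim therefore has to happen at generation time; editing the payload of an already signed token leaves a signature that no longer verifies.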