JWT Policy

Is a JWT policy on the roadmap of Apigee? I know we can achieve this by writing custom code policies as mentioned in the thread below. However, what I am looking for is built-in support for the same. https://community.apigee.com/questions/9860/support-for-jwt-token.html

1 ACCEPTED SOLUTION

Hi @sajad deyargaroo

Sorry about the delay in responding. Yes, today there is no "built in" policy that does JWT verification in Apigee Edge. A JWT policy is absolutely on our roadmap. We haven't yet committed to an availability date for this.

Today, the way to do JWT generation or verification within Apigee Edge is via custom callouts. This is the beauty of the code+configure model that Edge supports - for cases covered by the built-in policies, just use them. For other cases, either build a custom policy, or use a custom policy that someone else has built.

Along those lines, we have published several ways to produce or verify JWT in Edge, one in JavaScript (which is linked in the question you referenced above), and one in Java, available on GitHub. (I produced the Java version of the callout for Apigee's iloveapis 2015 conference that was held in San Jose in early October.)

The Java callout is written and implemented in Java, but does not require you to write any Java code in order to use it. There is one callout that supports signed JWT using shared or public/private keys (RSA), and another that does encrypted JWT, specifically for use with RSA encryption. The Java version performs much better than the JavaScript version for signed JWT that use RSA keys. (4ms vs 400ms)

There are good Readme docs, and example API Proxy bundles that show how to use the callouts. They're very configurable and ready to be used in production.

So it's true that there is no standard policy in the policy picker that does JWT verification. On the other hand the open-source version of the policy is quite capable and powerful and well tested. It should fit your needs nicely.

7 REPLIES

Glad to know that there is an existing policy. Thank you, Dino, for your help.

A few observations/changes required, which may be helpful to be generic:

We are trying to implement a JWT solution with Box, and it looks like the version provided on GitHub doesn't support it as is and needed an update of the existing code.

1. Currently it doesn't support the kid (keyid) header.

2. The code uses the custom claim as "claim_" and doesn't work for claim_box_sub_type.

3. Also, we can't use the latest library and have to use the nimbus-jose-jwt-2.21 version.

4. Something to watch out for: the "jti" property getting populated, as we have to pass it as id instead of jti.

Ref:

https://box-content.readme.io/docs/app-auth

Will give more updates if we successfully post it to Box. Still in progress.

Thanks for your help to Apigee community.

-Vinay

If you create a NEW question, I'll respond there. Please use my name (@Dino).

The GitHub link is leading to a 404 as of very recently. Was the project removed?

@Mark Eccles

Yes, recently we have been moving projects between different orgs in GitHub. You can access the repo you are looking for using the link here. Keep us posted.

The original URL should be restored soon.