Currently I have a bundle which should be deployed to 5 different environments. All the API calls are authenticated by JWTs from Auth0. A few things about JWT tokens from Auth0 are:
1. Auth0 doesn't support multiple audiences. It's also not possible to change the aud parameter via a rule, and it likely wouldn't be secure to do so.
2. Auth0 uses API identifiers as the audience, i.e. the URLs will be the audience.
Coming back to Apigee, when I try to verify the JWT, I am not able to hardcode any URL for the audience as it will be different for each environment.
The audience in the code below will be different for every environment:
<VerifyJWT name="JWT-Verify-RS256">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <JWKS uri="https://hulk.auth0.com/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer>https://hulk.auth0.com/</Issuer>
  <Audience>https://dev.marvel.com</Audience>
</VerifyJWT>
Kindly help me with this.
This is a common thing - people want policies to behave differently in different Apigee environments. There are two ways to deal with this:
Use environment-specific variables, perhaps stored in an environment-scoped KVM. Your idea for using a variable is an example of this approach.
The VerifyJWT policy that uses this approach looks like this:
<VerifyJWT name="JWT-Verify-RS256">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <JWKS uri="https://hulk.auth0.com/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer ref='variable_containing_issuer'/>
  <Audience ref='variable_containing_audience'/>
</VerifyJWT>
One limitation of VerifyJWT: currently the JWKS uri attribute must be hard-coded. It's not a variable. So ... if you need that uri to vary across environments, then you may need to use the first approach (templates that get filled at deployment time). We are lifting that limitation, but that change is not yet available.
Let me know if questions.
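A complete version of the variable-based approach described in the answer above, as an added example that is not code from the original poster or the answerer: a KeyValueMapOperations policy reads the expected issuer and audience from an environment-scoped KVM into flow variables, and VerifyJWT references those variables instead of hard-coded values. The KVM name jwt-config, the entry keys issuer and audience, the variable names jwt.expected.issuer and jwt.expected.audience, and the proxy flow step names are assumptions; the JWKS uri stays hard-coded because, as the answer notes, it cannot be a variable.

```xml
<!-- Policy 1: read per-environment JWT settings from an environment-scoped KVM.
     The map "jwt-config" and its keys "issuer"/"audience" are assumed names;
     each Apigee environment holds its own copy of the map, so the same bundle
     picks up a different audience in dev, test, prod, etc. -->
<KeyValueMapOperations name="KVM-Get-JWT-Config" mapIdentifier="jwt-config">
  <Scope>environment</Scope>
  <Get assignTo="jwt.expected.issuer">
    <Key>
      <Parameter>issuer</Parameter>
    </Key>
  </Get>
  <Get assignTo="jwt.expected.audience">
    <Key>
      <Parameter>audience</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>

<!-- Policy 2: verify the bearer token against the values loaded above.
     Issuer and Audience come from flow variables via ref=; the JWKS uri must
     remain a literal. A token whose aud claim does not equal the current
     environment's API identifier fails verification here. -->
<VerifyJWT name="JWT-Verify-RS256">
  <Algorithm>RS256</Algorithm>
  <Source>request.header.authorization</Source>
  <PublicKey>
    <JWKS uri="https://hulk.auth0.com/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer ref="jwt.expected.issuer"/>
  <Audience ref="jwt.expected.audience"/>
</VerifyJWT>

<!-- Proxy endpoint excerpt: the KVM lookup must run before VerifyJWT so the
     variables are populated when the token is checked. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>KVM-Get-JWT-Config</Name>
    </Step>
    <Step>
      <Name>JWT-Verify-RS256</Name>
    </Step>
  </Request>
</PreFlow>
```

Before deploying, create the jwt-config KVM in each environment with an issuer entry (https://hulk.auth0.com/ in every environment, since one Auth0 tenant is used) and an audience entry holding that environment's Auth0 API identifier (for example https://dev.marvel.com in dev). Because the map is environment-scoped, the bundle itself never changes between environments, and a token minted for one environment's API identifier is rejected by the others.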
@dino
Expecting the solution to be something like using a variable for the audience which will hold different values for different environments. Thanks in advance
@dean Thanks a lot. I used the second method. It's working like a charm.