POC on JWT for generating and verifying JWT tokens

We are trying to implement the JWT access token using OAuth V2. Currently we are stuck on verifying the JWT access token.

Could you please assist us with the questions below:

  1. On Generate JWT access token, how can we implement the client credentials grant_type?
  2. How can we validate/verify the JWT if it is coming from the right JWT?

Thanks in advance


Hi!

Please refer to the prior thread you and I had on this 2 months ago.

https://www.googlecloudcommunity.com/gc/Apigee/To-fix-Generate-amp-VerifyJWTAccessToken-Policy-with-...

I provided a working example. It generates JWT-formatted access tokens, and also verifies them. The example still works. You can start from that and add in the elements you need for your purposes.

Also some further notes:

  • It is only in Apigee X and hybrid that the OAuthV2 policy supports operations GenerateJWTAccessToken and VerifyJWTAccessToken. These do not work on Apigee Edge.
  • (This note might save you a bunch of work.) The JWT-format access token is generally NOT something you want to use, or need to use, if you are using an Apigee gateway for both generation and verification of the token. There is no need for you to do this, normally. You should be using GenerateAccessToken and VerifyAccessToken - they work better, perform better, and are simpler to implement. Just saying "we have a standard to use JWT" is not a good enough reason to use GenerateJWTAccessToken and VerifyJWTAccessToken. Please consult with your security standards people if this is the case and persuade them that they do not need federated tokens like JWT if the issuer and validator are the same party.

Good luck!
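
For reference, a sketch of the simpler pairing the reply recommends (GenerateAccessToken and VerifyAccessToken) configured for the client credentials grant. This is an added example, not the working example from the linked thread and not the reply author's code; the policy names and the expiry value are assumptions.

```xml
<!-- File 1 (hypothetical name): attach to the token endpoint flow, e.g. POST /token.
     The client sends grant_type=client_credentials as a form parameter and its
     client_id:client_secret in an HTTP Basic Authorization header. -->
<OAuthV2 name="OAuthV2-GenerateAccessToken-CC">
  <Operation>GenerateAccessToken</Operation>
  <!-- Token lifetime in milliseconds; 1800000 = 30 minutes (assumed value). -->
  <ExpiresIn>1800000</ExpiresIn>
  <!-- Only this grant type is accepted; any other grant_type is rejected. -->
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- Where the policy reads the grant type from in the request. -->
  <GrantType>request.formparam.grant_type</GrantType>
  <!-- Let the policy build the JSON token response itself. -->
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- File 2 (hypothetical name): attach to the request flow of every protected proxy.
     It reads the bearer token from the Authorization header, looks it up in the
     gateway's own token store, and rejects tokens that are unknown, expired or revoked. -->
<OAuthV2 name="OAuthV2-VerifyAccessToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

Because the same gateway issues and checks the token, verification is a lookup against its own store, so no signing key has to be distributed or rotated.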