Hi, just wondering how Apigee protects the backend if a JWT token ever gets compromised (assuming the token is still not expired). How should we generally handle those situations?
If you use a JWT as a Bearer token, then it is a ticket-to-ride. According to convention, systems should grant access to any party that presents that token. In that way, the token is like cash money; if you hold the cash, then you can spend it. You don't have to prove it's "your money". You just hand it over and a store or seller will grant you rights based on your possession of the cash. (A token is unlike cash money in that a token can be re-used, presumably for many different requests, while cash can be spent once. But I hope the partial analogy works for you.)
The practice of using OAuth 2.0 Bearer tokens, and the exposure and risk associated with token leakage, is independent of whether you use Apigee. A leaked or compromised Bearer token... means the holder can now impersonate the original holder. So... take care not to allow your tokens to leak! That means doing the usual things:
All of this applies whether the token is a JWT or an opaque token. These risks happen if the token is used as a Bearer token.
What if you want to protect yourself, or your system, further? There are some approaches.
More resources
What happens if your house key is stolen? It's bad 🙂
It depends on your flow, who your clients are, and whether you have other security barriers for your API access. For example, if the JWT gets stolen but you require mTLS, the token is worthless, etc. I don't think Apigee needs to provide some extra layer for a specific case like this; you need to make sure tokens will not get stolen on the way.
Before token issuance, we presume you generally onboard the client using dynamic client registration or some kind of auto-onboarding process.
During that process, if you can capture some metadata (cert domain name, client IP, etc.) and add it to the custom variables as part of onboarding, it can help you identify the client.
1. For public clients, use mTLS and validate the certificate domain name, certificate revocation, etc. on the web authentication layer.
2. On the payload, have the client sign the payload as a Detached JWS (https://datatracker.ietf.org/doc/html/rfc7515#appendix-F) if possible (Apigee supports this: https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview), and you can validate it against the client's JWKS URI, where they can publish the public certs for you to validate.
   Or some kind of alternative via HMAC (https://docs.apigee.com/api-platform/reference/policies/hmac-policy); this requires a shared key.
3. Once the above two are done, issue a short-lived token (15 min JWT/JWE, depending on preference).
4. While responding, you can even sign the response to the client, who can validate it against your JWKS URI.
Take precautions before publishing the API.
Good luck.
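The detached JWS check from step 2, as an added example that is not part of this thread and not Apigee's own policy code. To stay self-contained it uses the HMAC alternative mentioned in the reply (a constructed shared secret; the `kid` lookup stands in for fetching a key from the client's JWKS URI), builds the `header..signature` form of RFC 7515 Appendix F, and shows the gateway re-attaching the received body before verifying, so a body that differs from the one signed is rejected.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def detached_jws_sign(payload: bytes, key: bytes, kid: str) -> str:
    """Client side: build a detached JWS (RFC 7515 Appendix F).
    The result is 'header..signature'; the payload travels as the HTTP body."""
    header = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
    protected = b64url(header.encode())
    signing_input = f"{protected}.{b64url(payload)}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{protected}..{b64url(sig)}"

def detached_jws_verify(token: str, body: bytes, keys: dict) -> bool:
    """Gateway side: re-attach the body actually received and check the signature.
    `keys` maps kid -> shared secret; it stands in for a per-client key set."""
    parts = token.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not the detached compact form
    protected, _, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(protected))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False  # malformed base64url or JSON
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # pin the algorithm instead of trusting the header
    key = keys.get(header.get("kid"))
    if key is None:
        return False  # unknown client key id
    signing_input = f"{protected}.{b64url(body)}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

# Constructed demo values; the secret is not a real key.
DEMO_KEYS = {"client-123": b"constructed-shared-secret-for-demo-only"}
DEMO_BODY = b'{"amount":"10.00","to":"acct-42"}'
DEMO_TOKEN = detached_jws_sign(DEMO_BODY, DEMO_KEYS["client-123"], "client-123")

if __name__ == "__main__":
    print(detached_jws_verify(DEMO_TOKEN, DEMO_BODY, DEMO_KEYS))             # True
    print(detached_jws_verify(DEMO_TOKEN, b'{"amount":"9999"}', DEMO_KEYS))  # False
```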