How to use OpenID Connect with Apigee API gateway

Hi guys, can we use OpenID Connect with the Apigee API gateway? If yes, how?

Any other info on this is appreciated.

@Anil Sagar

Thanks.


Oh, yes! Using Apigee Edge, you can validate JWTs (id_tokens) that are generated by an OpenID Connect IdP, or, using Edge, you can *implement* an OpenID Connect provider. The former requires a custom Java callout policy in Apigee Edge. Implementing an OpenID Connect provider requires a set of proxies that provide the necessary logic for all the interactions involved in OpenID Connect.

[Edit: As of January 2018, there are JWT policies built in to all current versions of Apigee Edge. You no longer need a custom Java callout.]

For more details on the generation and validation of JWT, see the source code and test scripts on this repo:

https://github.com/apigee/iloveapis2015-jwt-jwe-jws

(pull requests welcomed and gladly accepted)

@Vinit Mehta and I will be doing a Webinar on JWT in the coming weeks - look for an announcement on that, here on the community.

Here is a screencast describing how to use Edge to expose an OpenID Connect provider.

Any other questions?


Thanks for the upvote, @JennyB.

@Dino - Has there been any more discussion or updates on this topic? I am very interested to hear of any other use cases.

Hi David - I've been discussing and using JWT, inside Apigee Edge, in a number of different scenarios with different customers. One retailer is using an outside system to dispense signed JWT and wants Apigee Edge to validate them. Multiple healthcare firms are using Apigee Edge to dispense JWT based on their own internal authentication server. Other companies are looking at mediating between externally-generated JWT and native opaque tokens in Apigee Edge.

So, yes, lots of interest and activity in JWT.

Do you have a specific question? How can I help you?

Also, have you been working with @sarthak ? He and I communicate regularly on JWT use cases.

@Dino I want to verify a JWT token at the Apigee proxy end.

I tried to create a Java callout policy (please find the attachment) using the test scripts provided in this repo: https://github.com/apigee/iloveapis2015-jwt-jwe-jws. Rather than building, I used the jar provided in the repo itself.

I am getting "Failed to instantiate the JavaCallout Class com.apigee.callout.jwtsigned.JwtParserCallout" error.

javacalloutpolicyscreenshot.png

decompiler-results-of-jar-file.png

Hi - I looked quickly, and just from the screenshot of the Java callout policy... it seems you may be missing some JAR dependencies. You need to have all the JARs in the apiproxy/resources/java directory, from that GitHub repo, uploaded with the apiproxy.

The "failed to instantiate" can occur if you don't include those dependent jars.

This is really a new question, though. In the future, please ask this kind of thing as a new question, instead of burying it in the comments of an old question.

Thanks @Dino

It worked for me. Only thing is that the JAR in apiproxy/resources/java directory is returning success even for a wrong JWT token.

I will try to make necessary changes in the code, upload a new jar and verify.

Yep.

The policy doesn't throw an exception or set the flow into Fault status. You need to use a Condition in your flow to test for jwt_error.
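The point in the last reply is that the callout from that repo fails open: it records the verification result in the `jwt_error` flow variable and carries on, so a proxy that only runs the callout will forward requests carrying an invalid token. The following is an added example, not code from the thread or from the apigee/iloveapis2015-jwt-jwe-jws repo, showing the shape of a proxy PreFlow that rejects the request whenever `jwt_error` is set. The policy names (`JavaCallout-ParseJWT`, `RaiseFault-InvalidJWT`) are hypothetical; the `jwt_error` variable name is the one given in the reply above; the built-in VerifyJWT policy from the January 2018 edit raises a fault by itself and does not need this guard.

```xml
<!-- apiproxy/proxies/default.xml (added example; policy names are hypothetical) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: the Java callout from the repo parses/verifies the JWT.
           It never faults; on failure it only sets the jwt_error variable. -->
      <Step>
        <Name>JavaCallout-ParseJWT</Name>
      </Step>
      <!-- Step 2: the guard the reply above describes. Without this Condition
           step an invalid or tampered token would be forwarded to the target. -->
      <Step>
        <Name>RaiseFault-InvalidJWT</Name>
        <Condition>jwt_error != null</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/jwt-protected</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- apiproxy/policies/RaiseFault-InvalidJWT.xml (added example) -->
<!-- Returns a generic 401. The jwt_error text is deliberately NOT echoed to
     the client; it can be written to a log for troubleshooting instead. -->
<RaiseFault name="RaiseFault-InvalidJWT">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Headers>
        <Header name="WWW-Authenticate">Bearer error="invalid_token"</Header>
      </Headers>
      <Payload contentType="application/json">{"error":"invalid_token"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

The two `<!-- file -->` comments mark two separate files in the proxy bundle; the policy must also be listed in the bundle so that the Step name resolves. Check the callout's behaviour when no Authorization header is present at all, since a token that is absent rather than invalid may not set `jwt_error`, and add a second Condition for that case if needed.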