I want to validate the JWT token passed to my proxy using the jwt_signed/validate-hs256 endpoint. Should I just be making a ServiceCallout from my proxy using a LocalTargetConnection?
Typically you would include a Java callout policy that supplies the required information, like the secret_key, JWT token, claims, etc., and the Java callout code parses and validates the token, setting certain flow variables to indicate the outcome of the verification.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout name="JWT-Parse-HS256">
  <Properties>
    <Property name="algorithm">HS256</Property>
    <Property name="jwt">{request.formparam.jwt}</Property>
    <Property name="secret-key">{request.formparam.key}</Property>
    <!-- verify these claims -->
    <Property name="claim_sub">http://dinochiesa.net</Property>
    <!-- <Property name="claim_iss">http://dinochiesa.net</Property> -->
    <Property name="claim_aud">{apiproxy.name}</Property>
    <Property name="claim_shoesize">9</Property>
  </Properties>
  <ClassName>com.apigee.callout.jwtsigned.JwtParserCallout</ClassName>
  <ResourceURL>java://jwt-signed-edge-callout.jar</ResourceURL>
</JavaCallout>
Could you share the jwt-signed-edge-callout.jar file?
Hi @honey P,
You don't necessarily have to use a JavaCallout to verify a JWT; you can use
https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy
Also, I have added an answer to your question (similar); you can refer to it here -
https://community.apigee.com/questions/68558/how-to-verify-the-jwt-token-using-hsa256-algoritha.html
Ha ha, I guess I should look before I jump.
I understand how it's working now. I added the JavaCallout to my proxy and adjusted Properties etc., then followed up with RaiseFault with condition.
<Condition>(jwt_isValid = false)</Condition>