How to use the jwt_signed/validate calls in my proxy?

I want to validate the JWT token passed to my proxy using the jwt_signed/validate-hs256 endpoint. Should I just be making a ServiceCallout from my proxy using a LocalTargetConnection?


Typically you would include a Java callout policy that supplies the required information, like the secret_key, JWT token, claims, etc., and the Java callout code parses and validates the token, setting certain flow variables to indicate the outcome of the verification.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout name="JWT-Parse-HS256">
    <Properties>
        <Property name="algorithm">HS256</Property>
        <Property name="jwt">{request.formparam.jwt}</Property>
        <Property name="secret-key">{request.formparam.key}</Property>
        <!-- verify these claims -->
        <Property name="claim_sub">http://dinochiesa.net</Property>
        <!-- <Property name="claim_iss">http://dinochiesa.net</Property> -->
        <Property name="claim_aud">{apiproxy.name}</Property>
        <Property name="claim_shoesize">9</Property>
    </Properties>
    <ClassName>com.apigee.callout.jwtsigned.JwtParserCallout</ClassName>
    <ResourceURL>java://jwt-signed-edge-callout.jar</ResourceURL>
</JavaCallout>

Could you share the jwt-signed-edge-callout.jar file?

Hi @honey P,

You don't necessarily have to use JavaCallout to verify JWT, you can use

https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy

Also, I have added an answer to your (similar) question; you can refer to it here -

https://community.apigee.com/questions/68558/how-to-verify-the-jwt-token-using-hsa256-algoritha.html
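For comparison with the JavaCallout configuration earlier in the thread, here is a sketch of the built-in VerifyJWT policy checking the same claims. It is an added example, not part of any post above. The policy name and the `private.jwt_secret` variable are hypothetical, and the example assumes that variable is populated earlier in the flow (for instance from an encrypted key value map) rather than taken from the request.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example: policy name and private.jwt_secret are hypothetical. -->
<VerifyJWT name="JWT-Verify-HS256">
    <!-- Accept only HS256; a token signed with any other algorithm is rejected. -->
    <Algorithm>HS256</Algorithm>
    <!-- Variable holding the token (no curly braces here). -->
    <Source>request.formparam.jwt</Source>
    <!-- Fail instead of silently continuing if a referenced variable is missing. -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- The HMAC key comes from a private flow variable set inside the proxy.
         A key supplied by the caller alongside the token proves nothing about
         who signed it. -->
    <SecretKey>
        <Value ref="private.jwt_secret"/>
    </SecretKey>
    <!-- Same claim checks as claim_sub / claim_aud / claim_shoesize above. -->
    <Subject>http://dinochiesa.net</Subject>
    <Audience ref="apiproxy.name"/>
    <AdditionalClaims>
        <!-- Compared as a string by default; use type="number" if the token
             carries shoesize as a JSON number (assumption: string here). -->
        <Claim name="shoesize">9</Claim>
    </AdditionalClaims>
</VerifyJWT>
```

When verification fails, this policy raises a fault itself, so the proxy enters the fault flow without a separate conditional step.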

Ha ha, I guess I should look before I jump.

I understand how it's working now. I added the JavaCallout to my proxy and adjusted Properties etc., then followed up with a RaiseFault with a condition.

<Condition>(jwt_isValid = false)</Condition>