External JWT validation - built-in support


Hello,

I've a question regarding validation of externally generated JWT tokens, and what support the apigee platform offers for this with built-in policies.

From the apigee documentation I understand that apigee should be able to validate JWT tokens issued by identity providers external to apigee. And I keep seeing mentions of the OAuth2 policy with the VerifyAccessToken operation. But I don't really understand if this is meant to be used for external tokens. I've searched the documentation and didn't find any mention of other possible validation configurations, besides <Scope> which I will need, but I would also be expecting other standard ones like:

- public key (either the actual value of the key, or a url where the key can be retrieved)

- issuer: a URI that identifies the identity provider that issued the token

- audience: the end recipient of the call

Does the OAuth2 policy, or any other policy offer this sort of configuration and that will validate my JWT token?

While browsing the apigee forums I did come across this thread: where another user does the exact kind of validation I need. Especially the answer that Dino gave.

Considering that the OP user needed to create a custom policy in java with the configurations mentioned in Dino's answer, is it safe to assume that apigee does not offer built-in support for validation of that kind?

Thank you, and I anxiously await your answer.

Kind regards, and have a good one.

Dan


Yes, Dan, since the answer I gave in that other thread, we've released beta support for JWT policies (not OAuthV2 policies).

Find them in the policy palette.

Get help in the usual way, clicking the hyperlink to the doc pages.

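For the configuration Dan asked about (public key, issuer, audience), here is an added example of an Apigee VerifyJWT policy; it is not code from this thread. The element names are those documented for the VerifyJWT policy, while the JWKS URI, issuer and audience values are placeholder assumptions to replace with your identity provider's values.

```xml
<!-- Hypothetical VerifyJWT policy (added example, not from the thread).
     Element names follow the documented VerifyJWT policy; the JWKS URI,
     issuer and audience below are placeholders. -->
<VerifyJWT async="false" continueOnError="false" enabled="true" name="VerifyJWT-ExternalIdP">
    <DisplayName>VerifyJWT-ExternalIdP</DisplayName>
    <!-- Signature algorithm the identity provider signs with; a token
         signed with a different algorithm fails verification. -->
    <Algorithm>RS256</Algorithm>
    <!-- Public key is fetched from the provider's JWKS endpoint; the
         token's "kid" header selects the matching key. -->
    <PublicKey>
        <JWKS uri="https://idp.example.com/.well-known/jwks.json"/>
    </PublicKey>
    <!-- Reject tokens whose "iss" claim is not the trusted provider. -->
    <Issuer>https://idp.example.com/</Issuer>
    <!-- Reject tokens not minted for this API ("aud" claim). -->
    <Audience>https://api.example.com/orders</Audience>
    <!-- No <Source> element: the policy reads the token from the
         request.header.authorization variable ("Bearer <token>"). -->
    <!-- Clock skew tolerated when checking "exp" and "nbf", in seconds. -->
    <TimeAllowance>30</TimeAllowance>
    <!-- Fail the policy if a referenced variable cannot be resolved. -->
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</VerifyJWT>
```

Attach the policy to the proxy request flow ahead of any step that trusts the token's claims; expiry and not-before checks run automatically, so only issuer and audience need to be stated explicitly.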


Hi Dino,

I have been trying to configure my policy to validate an external JWT, but it is failing the validation saying "The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256".

I have tested the JWT token which fails with the secret key on JWT.IO and all looks okay.

I am at a loss! I wish Apigee would have told me more.

Help! Please let me know if you want more information.

Regards,

Rahul

Sorry, should have tagged @Dino.

Hi Rahul. Can you please ask your question in a new question, rather than asking a new question in an answer to an old question.


Also when you ask the question, post the configuration for your policy.