Does Apigee have out of the box support for JWT token generation and validation?

I have read elsewhere, "Apigee doesn’t have out of the box support for JWT token generation or validation."

Is this true?

If I want to handle JWT within Apigee Edge, how would I do it?

1 ACCEPTED SOLUTION

As of January 2018, Apigee Edge has built-in support for JWT. There are three built-in policies:

  • GenerateJWT - generate an HMAC or RSA-signed JWT, with arbitrary claims, using a secret key or private key that you specify.
  • VerifyJWT - verify an HMAC or RSA-signed JWT, issued by anyone, with arbitrary claims, using a secret key or public key that you specify (including a JWKS).
  • DecodeJWT - just base64-decode and JSON-parse the token. Don't verify the signature. Useful when extracting information that will be required to verify the token, e.g., extracting the key ID from the header.

You can read the docs here.

The JWT policies are currently in Beta, but will be "Generally Available" in a matter of weeks.
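
The difference between the three operations listed above, and why the output of a decode step cannot be trusted until verification succeeds, as an added Python example that is not part of the original post and is not Apigee's implementation. The key table, the function names and the `tamper` helper are hypothetical; only HS256 is covered and claims such as expiry are not checked.

```python
import base64, hashlib, hmac, json

# Constructed sample secrets indexed by key ID (kid); not real keys.
KEYS = {"k1": b"constructed-demo-secret-1", "k2": b"constructed-demo-secret-2"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def generate_jwt(claims: dict, kid: str) -> str:
    """Generate step: HMAC-SHA256 over 'header.payload' with the chosen key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(_sign(KEYS[kid], signing_input))

def decode_jwt(token: str):
    """Decode step: parse only. Nothing returned here has been authenticated."""
    h, p, _ = token.split(".")
    return json.loads(unb64url(h)), json.loads(unb64url(p))

def verify_jwt(token: str) -> dict:
    """Verify step: use the decoded kid to select the key, then check the signature."""
    header, claims = decode_jwt(token)
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown kid")
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(_sign(key, signing_input), unb64url(sig)):
        raise ValueError("bad signature")
    return claims

def tamper(token: str, **changes) -> str:
    """Test helper: rewrite the payload but keep the original signature."""
    h, p, s = token.split(".")
    claims = {**json.loads(unb64url(p)), **changes}
    return ".".join((h, b64url(json.dumps(claims).encode()), s))
```

A token altered with `tamper` still decodes cleanly, which is why authorization decisions belong after the verify step, never after decode alone.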

Hi Dino,

We have Apigee 4.18.01 version and have "beta" against the JWT policies (generate/verify/decode).

From which version of Apigee do we have GA of JWT policies?

Thanks,

Purna.

18.05 OPDK

JWT with key is good and we have seen it working.

My requirement is to connect with Azure AAD with an appid and tenant id, where Azure generates the token and we need to verify the JWT before allowing access to any of the APIs. Does Apigee support this or not?

When asking a question, click "Ask a question", instead of adding a question as an answer to an old question.