Creating JWT with comma separated value in APIGEE

While creating a JWT in APIGEE with an Audience value, if the audience value is a comma separated value we get the audience value as an array.

If I pass the audience value as: a=b,c=d,e=f

the value generated in the JWT is as below:

aud : [
  a=b,
  c=d,
  e=f
]

rather than being on one line: aud : "a=b,c=d,e=f"

ACCEPTED SOLUTION

Yes, this was a limitation in the GenerateJWT policy - the audience was always parsed as a comma-separated list of values. The idea was that Audience could accept an array of values; the logic in the policy just inferred that any comma present in the string implied that the value was a list. This meant that an LDAP DN couldn't be represented in the audience claim of a JWT generated by the GenerateJWT policy.

The good news: Some time ago, we introduced a new attribute to eliminate that limitation. In fact your Apigee Edge install probably has the enhancement. The bad news: Unfortunately, and to my embarrassment, we did not document the fix. 😞

So here's the straight dope:

To handle the case in which the intended audience field has embedded commas (as with an LDAP DN), we added a new attribute to the audience element, "parse". It takes a string, either "string" or "list". If the element is not present it defaults to "list". If the element is "string" then the value is just treated "as-is".

To use it, try syntax like this:

<GenerateJWT name='JWT-1'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.key"/>
    <Id ref='privatekey_id'/>
  </PrivateKey>
  <Subject ref="jwt_subject" />
  <Audience ref='jwt_audience' parse='string'/>
  <ExpiresIn>8h</ExpiresIn>
  <OutputVariable>variable_name_here</OutputVariable>
</GenerateJWT>

With parse='string', your case of "a=b,c=d,e=f" will result in an audience claim containing the string "a=b,c=d,e=f".

"aud" : [ "a=b,c=d,e=f" ],
 ...

It's still an array, because that's how audience works. But ... the value is as you want.

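To see what the two parse modes actually put into the token, and what that means for the service that consumes it, here is an added example in Python. It is not part of the original post and not Apigee's own code: it models the policy's audience handling as a comma split for parse='list' and a pass-through for parse='string', mints a token with HS256 under a constructed demo key (the policy above uses RS256; the algorithm is an assumption made so the script runs stand-alone), and then verifies the aud claim with exact matching the way a resource server should. The names audience_claim, generate_jwt, verify_jwt and accepts are this example's own.

```python
"""Added example: Apigee-style audience parsing and a strict aud check.

Assumptions (not from the post): the policy behaviour is reduced to a
split-on-comma for parse='list' and a pass-through for parse='string';
tokens are signed with HS256 under a constructed demo key rather than the
RS256 private key referenced in the policy XML.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example only; never hard-code a real key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
LIFETIME = 8 * 3600  # mirrors <ExpiresIn>8h</ExpiresIn>


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def audience_claim(value: str, parse: str = "list") -> list:
    """Model of <Audience ref='...' parse='...'/>.

    parse='list' (the default): any comma splits the value into several
    audiences.  parse='string': the value is kept whole.  The claim is a
    JSON array in both cases, as the answer above notes.
    """
    if parse == "string":
        return [value]
    if parse == "list":
        return [part.strip() for part in value.split(",") if part.strip()]
    raise ValueError("parse must be 'string' or 'list'")


def generate_jwt(subject: str, audience: str, parse: str = "list",
                 key: bytes = DEMO_KEY, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose aud claim is built with the chosen parse mode."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience_claim(audience, parse),
               "iat": now, "exp": now + LIFETIME}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str) -> dict:
    """Return the payload without verifying anything (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, expected_aud: str, key: bytes = DEMO_KEY,
               now: Optional[int] = None) -> dict:
    """Verify alg, signature, expiry and audience; raise ValueError on any failure.

    The aud check is exact string equality against each array entry (RFC 7519
    allows aud to be a string or an array), so a value that was split on
    commas never matches the unsplit string, and vice versa.
    """
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError(f"malformed token: {exc}")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion outright
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError(f"audience mismatch: {aud!r} does not include {expected_aud!r}")
    return claims


def accepts(token: str, expected_aud: str, key: bytes = DEMO_KEY,
            now: Optional[int] = None) -> bool:
    """True if the token passes verify_jwt for this audience, else False."""
    try:
        verify_jwt(token, expected_aud, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    dn = "a=b,c=d,e=f"  # the value from the question
    for mode in ("list", "string"):
        token = generate_jwt("alice", dn, mode)
        print(f"parse='{mode}': aud = {decode_claims(token)['aud']!r}; "
              f"accepted by audience {dn!r}: {accepts(token, dn)}; "
              f"accepted by audience 'a=b': {accepts(token, 'a=b')}")
```

The consequence worth noticing: with the default list mode, the token minted for the single audience a=b,c=d,e=f is rejected by a consumer that checks for that exact value, but is accepted by any consumer whose audience happens to be just a=b. parse='string' makes the issuer's intent and the consumer's exact-match check agree, and the consumer still has to handle aud as an array because that is how the policy emits it.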

4 REPLIES


@jonesfloyd - somehow we missed documenting this change.

ref: b/74601316

Thanks, Dino! Filed doc ticket b/123711233.

Thanks, @Dino-at-Google, for your response.