Checking multiple audiences in a JWT using the VerifyJWT policy

Hi @Dino-at-Google,

Can you please help me with a small detail: can we verify an array of audience values, or multiple string values as the audience, coming in a JWT? I don't see any reference to it in the JWT documentation, and I also tried using multiple values, but the policy always fails.

Do you know how I can achieve this without writing custom code to validate the audience value received?

Solved
1 ACCEPTED SOLUTION

There is a capability to specify a comma-separated array in the Audience field.

<VerifyJWT name='verifyjwt-1'>
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <PublicKey>
    <Value ref='public_key'/>
  </PublicKey>
  <Audience>audience1,audience2</Audience>
</VerifyJWT>

If there is a string that includes a comma in the audience field, it will be parsed as multiple audiences, and the verification will check for each audience. It will fail if either of the audiences is absent in the token.

I believe this should work for you.


There is one difficulty with this behavior. If you have an audience string that contains a comma, such as an LDAP DN, today there is no good way to verify the JWT in one step. I mean to say, if you do this:

<VerifyJWT name='verifyjwt-2'>
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <PublicKey>
    <Value ref='public_key'/>
  </PublicKey>
  <Audience>cn=John Doe,dc=example,dc=com</Audience>
</VerifyJWT>

...then, the policy execution will interpret that audience as 3 distinct audiences. That's obviously not what you want when the audience is an LDAP DN.

But coming soon, there will be a way to say "don't parse this audience value as an array, even if it has a comma". The syntax for this forthcoming feature is:

<VerifyJWT name='verifyjwt-3'>
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <PublicKey>
    <Value ref='public_key'/>
  </PublicKey>
  <Audience parse='string'>cn=John Doe,dc=example,dc=com</Audience>
</VerifyJWT>

This will be available within a couple weeks in the Apigee public cloud.
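The matching rule described in this answer, as an added example in Python (not Apigee's code and not part of the original post): the `<Audience>` text is either split on commas into several required audiences (the default) or kept as one literal value (the `parse='string'` case), and the token's `aud` claim, which RFC 7519 allows to be a single string or an array of strings, must contain every required audience. The function names, the `parse` parameter and the sample payloads are all assumptions made for this illustration; the signature and time-based claims are assumed to have been verified before this check runs.

```python
"""Model of how a VerifyJWT-style <Audience> setting is matched against a
token's aud claim. Added example, not Apigee's implementation. Semantics
follow the answer above: a comma-separated Audience is split into several
required audiences and verification fails if any one is missing from the
token; parse="string" keeps the configured value as a single audience.
"""
from typing import Iterable, List, Union

# RFC 7519: "aud" is a case-sensitive string or an array of such strings.
Aud = Union[str, List[str], None]


def configured_audiences(value: str, parse: str = "array") -> List[str]:
    """Turn the <Audience> element's text into the list of required audiences.

    parse="array" (the default behaviour in the answer) splits on commas, so
    an LDAP DN such as "cn=John Doe,dc=example,dc=com" becomes three values.
    parse="string" (the forthcoming attribute) keeps the value whole.
    """
    if parse == "string":
        required = [value.strip()]
    elif parse == "array":
        required = [a.strip() for a in value.split(",") if a.strip()]
    else:
        raise ValueError(f"unknown parse mode: {parse!r}")
    if not required or any(not r for r in required):
        # An empty audience would turn the check into a no-op; refuse it.
        raise ValueError("Audience must name at least one non-empty value")
    return required


def token_audiences(aud: Aud) -> List[str]:
    """Normalise the token's aud claim (string, array, or absent) to a list."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or an array of strings")


def audience_ok(payload: dict, required: Iterable[str]) -> bool:
    """True only if every required audience appears in the token's aud claim.

    Comparison is exact (case-sensitive, no trimming of the token side).
    Call this only after the signature and exp/nbf claims have been verified.
    """
    present = set(token_audiences(payload.get("aud")))
    return all(r in present for r in required)


def verify_audience(payload: dict, audience: str, parse: str = "array") -> bool:
    """Apply the configured <Audience> text to a decoded, already-verified payload."""
    return audience_ok(payload, configured_audiences(audience, parse))


if __name__ == "__main__":
    # Constructed sample payloads (claims only, signature assumed verified).
    dn = "cn=John Doe,dc=example,dc=com"
    print(verify_audience({"aud": ["audience1", "audience2"]}, "audience1,audience2"))  # True
    print(verify_audience({"aud": ["audience1"]}, "audience1,audience2"))              # False
    print(verify_audience({"aud": dn}, dn))                  # False: split into 3 audiences
    print(verify_audience({"aud": dn}, dn, parse="string"))  # True: kept as one value
```

The two DN calls at the end reproduce the difficulty the answer describes: with the default parsing the DN is split into three required audiences, none of which equals the token's single `aud` string, so verification fails; with `parse="string"` the whole DN is compared as one value and passes.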


3 REPLIES


Did it work?

Hi @Dino-at-Google,

Yes, this worked!!!