How to set and retrieve a JWT from the Authorization header.

Hi Team,

I have gone through the JWT generation and verification tutorial. But as per this (https://jwt.io/introduction/) resource, the JWT needs to be set in the Authorization header.

Is this the correct way to set the Authorization header after generating the JWT?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Jwt-Token">
    <DisplayName>Assign Jwt Token</DisplayName>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Authorization">{jwt-variable}</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

Is this the correct way to retrieve and verify the JWT from the Authorization header?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
    <DisplayName>Verify JWT-1</DisplayName>
    <Algorithm>HS256</Algorithm>
    <Source>request.header.Authorization</Source>
    <SecretKey>
        <Value ref="private.key"/>
    </SecretKey>
    <Subject>subject-subject</Subject>
    <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>
    <Audience>audience1,audience2</Audience>
    <AdditionalClaims>
        <Claim name="additional-claim-name" type="string">additional-claim-value-goes-here</Claim>
    </AdditionalClaims>
</VerifyJWT>

Thanks,

Arun


sidd-harth
Participant V

If you are using the VerifyJWT policy, you can simply use <Source>jwt-variable</Source>

By default, this policy retrieves the JWT from the variable request.header.authorization. That tells the policy to look for the JWT in the request Authorization header. If you want the policy to retrieve the JWT from a different place, use a different Source.

==

If you are transmitting the JWT somewhere, then I think you should use the Set element, and also add the Bearer prefix,

    <Set>
        <Headers>
            <Header name="Authorization">Bearer {jwt-variable}</Header>
        </Headers>
    </Set>

==

But these are two different things. You do not need to insert the JWT into the Authorization header in order to be able to verify it. You probably don't need both the VerifyJWT and AssignMessage policies. Be clear about what you want.

I was able to generate the JWT, but it is showing up in the HTML body instead of the HTTP headers in the browser developer tools.

reallydo-rev5-2019-03-14.zip

Also, I'm getting this error when I try to verify the JWT.

{
  "fault": {
    "faultstring": "Invalid token: policy(java.lang.NullPointerException)",
    "detail": {
      "errorcode": "steps.jwt.InvalidToken"
    }
  }
}

Your question is not quite sensible. Your comment just said "I was able to generate a JWT".

Are you trying to GENERATE a JWT, or VERIFY a JWT ?

You also said "it is showing up in the html body instead of http headers".

The JWT "shows up" where the client puts it. If you use postman, or curl, or some other client to send the request, then the JWT will be ... where the client code inserts it. That is under your control. If the JWT appears in the HTTP body, then... you're doing that. If you don't want that, don't do that. (Change the client).

The resource you mentioned, (https://jwt.io/introduction/), isn't authoritative. A JWT is just a string. You are in control of your API. You can design your API to accept a JWT in the Authorization header. You can also design your API to accept a JWT in a different place - for example in the payload as a text/plain content-type.

If the client sends the JWT in the payload, then your Verify policy should look like this:

<VerifyJWT name='VJ-1'>
  <Algorithm>RS256</Algorithm>
  <Source>request.content</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <Value> ... </Value>
  </PublicKey>
  ...

If the client sends the JWT in the Authorization header, then your Verify policy should look like this:

<VerifyJWT name='VJ-1'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <Value> ... </Value>
  </PublicKey>
  ...

In this latter case, the Source is implicitly the Authorization header.

If you are trying to GENERATE a JWT from within Apigee Edge, that's a different thing.

Please clarify.
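The two halves of this thread (setting "Bearer {jwt}" on the Authorization header, then pulling the token back out of that header and verifying it with a pinned algorithm, issuer, audience and subject, as the VerifyJWT policy above does) are shown below in plain Python. This is an added example for illustration, not code from the thread or from Apigee; it hand-rolls HS256 with the standard library so it runs offline. The secret, the claim values and the expiry are constructed for the demo; the issuer, subject and audience strings are the ones from the question's VerifyJWT policy. The audience rule used here (accept the token if any configured audience appears in its aud claim) is an assumption for the example, not a statement of how the Apigee policy matches.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the thread); never reuse a demo secret in production.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "urn://apigee-edge-JWT-policy-test"   # from the question's VerifyJWT policy
AUDIENCES = ["audience1", "audience2"]         # <Audience>audience1,audience2</Audience>
SUBJECT = "subject-subject"                    # <Subject>subject-subject</Subject>


class InvalidToken(Exception):
    """Raised for every verification failure (the analogue of steps.jwt.InvalidToken)."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def set_authorization_header(headers: dict, token: str) -> dict:
    """What the AssignMessage <Set><Headers> step does, with the Bearer prefix added."""
    result = dict(headers)
    result["Authorization"] = "Bearer " + token
    return result


def extract_bearer(headers: dict) -> str:
    """Retrieve the JWT from the Authorization header (header names matched case-insensitively)."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        raise InvalidToken("missing Authorization header")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise InvalidToken("Authorization header is not a Bearer token")
    return token.strip()


def verify_jwt(token: str, secret: bytes, issuer: str, audiences: list, subject: str, now=None) -> dict:
    """Verify signature first, then exp, iss, aud and sub, mirroring the VerifyJWT policy settings."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token is not three dot-separated segments")
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
    except (ValueError, TypeError):
        raise InvalidToken("header is not valid base64url JSON")
    # Pin the algorithm from configuration; never trust the token's own alg for key selection.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (head_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("signature does not match")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in audiences for a in aud_list):
        raise InvalidToken("audience mismatch")
    if claims.get("sub") != subject:
        raise InvalidToken("subject mismatch")
    return claims


def check_request(headers: dict, secret: bytes = SECRET, now=None) -> tuple:
    """Retrieve-and-verify as one step; returns (True, claims) or (False, reason) instead of raising."""
    try:
        claims = verify_jwt(extract_bearer(headers), secret, ISSUER, AUDIENCES, SUBJECT, now=now)
        return True, claims
    except InvalidToken as err:
        return False, str(err)


if __name__ == "__main__":
    sample_claims = {"iss": ISSUER, "aud": ["audience1"], "sub": SUBJECT, "exp": 2_000_000_000}
    request_headers = set_authorization_header({}, generate_jwt(sample_claims, SECRET))
    print(request_headers["Authorization"][:40] + "...")
    print(check_request(request_headers, now=1_700_000_000))
    print(check_request({}, now=1_700_000_000))   # the "missing header" case from the thread's error
```

Note that check_request({}) returns a plain "missing Authorization header" reason rather than a NullPointerException-style fault: when the client puts the JWT in the body (as the poster observed in the developer tools) the header lookup finds nothing, and a clear error at that point is what tells you the client, not the verification policy, is the thing to change.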