How to use custom jar for token validation

Hi,

We have our own Authorization server which generates tokens. We do not want to store any tokens in Apigee. When a request comes in with a token, we want to use our custom jar to:

  • validate AuthTokens
  • extract identity and authorization data.

We plan to use the identity extracted out of the token to perform an apikey validation in Apigee (the client id set up in Apigee is an exact match to the client id set up in our authorization system); that way we can track the requestor.

We do not want to use the service callout as it may have performance impact.

What are the steps I need to follow to achieve the above?

Thanks,

Vednath


What do the tokens look like?

Are they JWT?

If so, you can use the built-in VerifyJWT policy. You don't need a custom jar to do this.

The policy will validate the signature on the token, validate the timestamps (nbf and exp), and then extract the claims into context variables. Then you can call VerifyApiKey on the client_id claim that was extracted from the JWT.

If your tokens are not JWT, if they are some non-standard format for token, then... you should use JWT.
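The VerifyJWT-then-VerifyAPIKey chain described in the reply above, sketched as policy configuration. This is an added example, not part of the original thread; the policy names, the RS256 algorithm, the issuer value and the JWKS URL are assumptions, and only the `client_id` claim name comes from the post.

```xml
<!-- Policy file 1 (hypothetical name VJWT-Verify-Token).
     With no Source element the policy reads the bearer token from the
     Authorization request header. It checks the signature and the
     nbf/exp timestamps, then exposes the claims as context variables. -->
<VerifyJWT name="VJWT-Verify-Token">
    <!-- Pin the algorithm so a token signed any other way is rejected. -->
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <!-- Placeholder URL: the external authorization server's JWKS. -->
        <JWKS uri="https://auth.example.com/.well-known/jwks.json"/>
    </PublicKey>
    <!-- Placeholder value: reject tokens minted by any other issuer. -->
    <Issuer>https://auth.example.com</Issuer>
</VerifyJWT>

<!-- Policy file 2 (hypothetical name VAK-Check-Client).
     Treats the client_id claim extracted by the policy above as the API key,
     so the request is tied to the matching developer app in Apigee. -->
<VerifyAPIKey name="VAK-Check-Client">
    <APIKey ref="jwt.VJWT-Verify-Token.decoded.claim.client_id"/>
</VerifyAPIKey>

<!-- Proxy endpoint fragment: order matters. If token verification fails,
     the flow enters fault handling and the key check never runs. -->
<PreFlow name="PreFlow">
    <Request>
        <Step><Name>VJWT-Verify-Token</Name></Step>
        <Step><Name>VAK-Check-Client</Name></Step>
    </Request>
</PreFlow>
```

No token is stored in Apigee with this arrangement; only the app whose consumer key equals the `client_id` value needs to exist there.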

They are OAuth tokens. They are not JWT. Is there any way we can add an external/custom jar from which we can invoke a method to validate that token?

Thanks,

Vednath

If they are externally-generated OAuth tokens, you have these obvious options:

- import the token and validate as normal with OAuthV2/VerifyAccessToken

- use a ServiceCallout to connect to a validation endpoint exposed by the remote issuing party

- use a custom jar.

"Is there any way we can add external/custom jar"

Yes, the extension method is called "Java callouts". Check the documentation. I would advise against doing this if you can avoid it.