Decode Apigee JWT in our Java backend API

raghav_pn

Hi,

I am using the Generate JWT policy in Apigee, but I need to decode the JWT in our backend API. Can I use the "Nimbus JOSE" library in our code to decode it? I don't want to call Apigee to decode the same, or use Java callout policies. Much appreciated if you could refer any links.


Hi @Raghav,

Just for my curiosity, why do you not want to decode the JWT within Apigee Edge, since it is generated by Apigee Edge?

Hi @Kuldeep,

We are already facing latency issues while calling other APIs. If the Apigee decode policy adds, say, even 200ms, we cannot bear it. To minimise this delay, we thought of doing the decode logic at our backend layer. One more reason is for security purposes, since we have an LB in between Apigee and our API.

Yes, you can of course decode a JWT generated by Apigee using any compliant JWT library.

If you just want to decode it, and not verify it, then you probably don't even need a library to do it.

Just split the token by dots, then base64-decode the header and payload, and then JSON.parse the same. But if you don't mind the dependency on the nimbus library, then you can use the nimbus library to do the decoding.

Thanks Dino. So shall I verify the issuer as well using the Nimbus library?

Possibly! There is a getIssuer() method I think on the JWSClaimsSet object.

You can check any other claims too. You need to choose what you want to check.

The way I think about it:

  1. verify - the signature against the private key or JWKS that you have.
  2. validate - that the valid times (nbf, exp), if they exist, allow the JWT to be considered valid
  3. Check - the claims in the JWT against expected values. For example, in some cases, your app may require a specific issuer. Or, in some cases, your app may require that the expiry be "no more than 300 seconds from now". Or your app may require that a set of valid roles be claimed in the payload. And so on. You have to decide what claims are important to check. You should only check claims after the signature is verified, and the timestamps allow the JWT to be valid. If either of those prior steps fails, then you should discard the JWT.
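The following is an added example, not code from the thread or from Apigee, showing both the "split on dots and base64-decode" inspection from the earlier reply and the verify / validate / check sequence from the last one, using the nimbus-jose-jwt library the question asks about. It assumes the Apigee GenerateJWT policy signs with RS256 and that the backend holds only the public half of the key (the RSA private key stays with Apigee, so signature verification uses the public JWK/JWKS, not the private key). The issuer URL, the "roles" claim, the key ID and the 300-second expiry bound are constructed for the example; substitute your own. The throwaway key generated in main() stands in for Apigee only so the example runs offline.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;
import java.util.Date;
import java.util.List;

public class BackendJwtCheck {

    // Inspection only: split on '.', Base64url-decode header and payload.
    // Nothing returned here is trusted; it just lets you read alg/kid before picking a key.
    static String[] decodeUnverified(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        Base64.Decoder dec = Base64.getUrlDecoder();
        return new String[] {
            new String(dec.decode(parts[0]), StandardCharsets.UTF_8),
            new String(dec.decode(parts[1]), StandardCharsets.UTF_8)
        };
    }

    // Steps 1-3 from the thread: verify signature, validate times, check claims.
    // Returns the claims only if every step passed; throws otherwise.
    static JWTClaimsSet verifyValidateCheck(String token, RSAKey publicKey,
                                            String expectedIssuer, String requiredRole,
                                            long maxExpirySeconds)
            throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);

        // 1. verify: pin the expected algorithm (no "none", no alg confusion), then check the signature.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new RSASSAVerifier(publicKey))) {
            throw new JOSEException("signature verification failed");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();

        // 2. validate: nbf/exp, where present, must bracket "now". Here exp is required.
        Date now = new Date();
        Date nbf = claims.getNotBeforeTime();
        Date exp = claims.getExpirationTime();
        if (nbf != null && now.before(nbf)) throw new JOSEException("token not yet valid");
        if (exp == null || !now.before(exp)) throw new JOSEException("token expired or has no exp");

        // 3. check: application-specific claims, only after 1 and 2 passed.
        if (!expectedIssuer.equals(claims.getIssuer())) throw new JOSEException("wrong issuer");
        if (exp.getTime() - now.getTime() > maxExpirySeconds * 1000L) {
            throw new JOSEException("expiry more than " + maxExpirySeconds + "s from now");
        }
        List<String> roles = claims.getStringListClaim("roles");
        if (roles == null || !roles.contains(requiredRole)) throw new JOSEException("missing role " + requiredRole);
        return claims;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Apigee GenerateJWT step: a throwaway RSA key signs a token.
        RSAKey signingKey = new RSAKeyGenerator(2048).keyID("apigee-k1").generate();
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://apigee.example.com")
                .subject("raghav")
                .issueTime(now)
                .notBeforeTime(now)
                .expirationTime(new Date(now.getTime() + 120_000L))
                .claim("roles", List.of("orders:read"))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("apigee-k1").build(), claims);
        jwt.sign(new RSASSASigner(signingKey));
        String token = jwt.serialize();

        String[] raw = decodeUnverified(token);
        System.out.println("header:  " + raw[0]);
        System.out.println("payload: " + raw[1]);

        // Only the public JWK is handed to the backend-side checks.
        JWTClaimsSet ok = verifyValidateCheck(token, signingKey.toPublicJWK(),
                "https://apigee.example.com", "orders:read", 300);
        System.out.println("accepted subject " + ok.getSubject());

        // A token with a rewritten payload must fail at step 1, before any claim is looked at.
        String[] parts = token.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding().encodeToString(
                "{\"iss\":\"https://apigee.example.com\",\"exp\":9999999999,\"roles\":[\"admin\"]}"
                        .getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        try {
            verifyValidateCheck(tampered, signingKey.toPublicJWK(), "https://apigee.example.com", "orders:read", 300);
        } catch (JOSEException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of keeping decodeUnverified() separate from verifyValidateCheck() is that a backend sitting behind a load balancer receives the token from whoever reached the LB, so "just decode" is fine for logging or choosing a key by kid, but any authorization decision has to come from the claims returned by the verifying path. In a real deployment the RSAKey passed to verifyValidateCheck would be loaded from Apigee's published JWKS (selected by the token's kid) rather than generated locally.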