How to verify the JWT token using the HS256 algorithm

Hi all,

I have a JWT token generated from a non-secure authentication URL.

Now I have to verify whether it is valid and extract its expiry time by decoding it.

Guide me on how to do it using a JavaCallout policy vs. the Verify JWT token policy.


Hi @honey P,

You can use the `VerifyJWT` policy to validate the JWT token.

I tested and validated one JWT token generated on this link - http://jwtbuilder.jamiekurtz.com/ - using the `HS256` algorithm with the `VerifyJWT` policy below. Make changes wherever necessary, like the secret key, subject, issuer, aud, etc.


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
    <DisplayName>Verify JWT-1</DisplayName>
    <Algorithm>HS256</Algorithm>
    <Source>authn.jwt</Source>
    <SecretKey>
        <Value ref="private.key">qwertyuiopasdfghjklzxcvbnm123456</Value>
    </SecretKey>
    <Subject>jrocket@example.com</Subject>
    <Issuer>Online JWT Builder</Issuer>
    <Audience>www.example.com</Audience>
</VerifyJWT>

The above policy expects the {authn.jwt} variable, which has been extracted using an ExtractVariables policy placed before the JWT verification (refer to the attached proxy bundle for the complete code), so pass your JWT token as a header in this format: Authorization: Bearer {jwt}.

Also note, the above policy does not check additional claims; if you wish, you can use more properties mentioned in this documentation - https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy#additionalclaimsclaim

Last but not least, I have attached the proxy bundle that I used to test this; you can refer to it - 68558-v1-rev2-2019-05-09.zip
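As an added illustration (not code from this thread or from the attached bundle) of what the `VerifyJWT` policy above does for HS256 under the hood: recompute the HMAC-SHA256 over `header.payload` with the shared secret, compare it in constant time, pin the algorithm on the verifier side, and reject the token once `exp` has passed. The secret, the claims and the fixed `now` values are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Used here only to construct sample input."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Check the signature and exp; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so the signature check does not leak timing information
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # RFC 7519: the token is valid only while the current time is before exp
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    return claims

# Constructed sample values (not from the thread): a secret of at least 32 bytes, as HS256 needs
SECRET = b"example-hmac-secret-32-bytes-long!!"
SAMPLE_CLAIMS = {"iss": "Online JWT Builder", "sub": "jrocket@example.com",
                 "aud": "www.example.com", "exp": 1_700_000_000}
SAMPLE_TOKEN = sign_hs256(SAMPLE_CLAIMS, SECRET)

if __name__ == "__main__":
    claims = verify_hs256(SAMPLE_TOKEN, SECRET, now=1_699_999_000)
    print("valid until", time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(claims["exp"])))
```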


@Kuldeep Bhati: Thank you very much. I have gone through your code and it's working.

Also, I would like to know how to implement it via a JavaCallout. I'm looking for a jar file (jwt-signed-edge-callout.jar) that I can use in my JavaCallout policy with the below 4 properties:

<Properties>
    <Property name="algorithm">HS256</Property>
    <Property name="jwt">{token}</Property>
    <Property name="certificate">{Certificate}</Property>
    <Property name="claim_iss">{CliamIssuer}</Property>
</Properties>