End to End From Edge to Backend Authorization and Authentication

Hi all, due to regulatory requirements, there is a need to do authorization and authentication End to End From Edge to Backend.

The client passes me a JWT token and it is verified at the Apigee Gateway. How do I use this token to do an end-to-end authorization from the gateway to my backend-most systems?

Unique but real requirement. Please help.

Thank you very much in advance.

Nathan Aw (Singapore)

1 ACCEPTED SOLUTION

How do I use this token to do an end-to-end authorization from the gateway to my backend-most systems?

A reasonable pattern is:

  • verify the inbound JWT using the VerifyJWT policy. Check the signer, the expiry, and any claims that might interest you.
  • generate a new JWT representing Apigee Edge, using the GenerateJWT policy. Embed the original inbound JWT as a claim in that policy. This is a JWT-within-a-JWT. The backend service can then
    • verify the outer JWT, checking the signature and issuer
    • extract the inner JWT and verify THAT as well
    • extract claims from the inner JWT, and use those claims and the claims from the outer JWT to make authorization decisions.

To make this happen your backend needs to be able to verify signatures on JWTs. Fortunately this is not difficult to do in most languages.

Does this answer the question?




Thank you Dino at Google