JWT Token generation

1) Which component in Apigee generates the JWT tokens? And are they stored in Cassandra?

2) How can I get to see the details of this?

3) Is there an architecture diagram for Apigee that explains this?


1) Which component in Apigee generates the JWT tokens? And are they stored in Cassandra?

We wouldn't say there is a "component" of Apigee Edge that generates JWT.

There is a POLICY that does this.

JWT are stateless. The JWT that you generate in your API Proxy are not stored anywhere.

2) How can I get to see the details of this?

Just google "JWT Apigee"

3) Is there an architecture diagram for Apigee that explains this?

Is it possible you are overthinking this? In my opinion, an architectural diagram wouldn't be particularly helpful in explaining how JWT work in Apigee Edge. Here's the short summary:

JWT are either signed or encrypted. Today you can use Apigee Edge to generate signed JWT, and in the future (soon) you will be able to use Apigee Edge to generate encrypted JWT.

To generate a JWT within an API Proxy, use the GenerateJWT policy. Specify the signing key, the subject, audience, and issuer; the expiry and other times; and the other claims you want in the JWT, as you wish.

Then, inject the JWT into the API response or, do whatever else you want to do with it.

There are screencasts and tutorials on this stuff too; you can search YouTube for those.

Thank you.

So, if the JWT tokens are not generated by the platform, when we have the verify policy in the subsequent requests for the proxies, is the JWT token validated against the info that is in the token only? The validity period, etc.?

I had this question, as I saw a note that, to revoke, a blacklisted list of tokens is the customized solution you have.

If that is the case, in order to maintain the list of blacklisted tokens, don't we need to store them somewhere?

So, if the JWT tokens are not generated by the platform, when we have the verify policy in the subsequent requests for the proxies, is the JWT token validated against the info that is in the token only? The validity period, etc.?

Within Apigee Edge, use the VerifyJWT policy to validate any JWT, regardless of the issuer. In that policy configuration you specify the public key to use to verify the signature on the JWT. Or, provide the URI of the JWKS, the keyset that lists a set of public keys. (Example JWKS from Google) This takes care of the signature. The expiry and validity times (exp and nbf) are automatically validated. Also in the policy configuration you can specify the expected values of various claims in the JWT, such as audience, subject or issuer. You can also validate values of custom claims in the JWT.

I had this question, as I saw a note that, to revoke, a blacklisted list of tokens is the customized solution you have.

I think this might be a question, but I'm not sure. If you are asking if Apigee Edge maintains a list of blacklisted JWT, the answer is no.

To maintain the list of blacklisted tokens, don't we need to store them somewhere?

Search the Apigee community for more information on this topic. Example: [1]
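The two replies above describe both halves of the flow: a GenerateJWT-style step assembles the claims (subject, issuer, audience, expiry and other times, custom claims) and signs them without storing anything, and a VerifyJWT-style step checks the signature, exp and nbf, and any expected claim values; revocation is the one thing that needs state. The Python below is an added example to illustrate that, not Apigee's code or a policy from this thread. It signs with a stdlib HMAC (HS256) so it runs offline, whereas the Apigee policy as described here verifies against a public key or JWKS; the verification steps are the same. The key, claim values and the `jti` denylist are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment references a key from a secure store.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_jwt(key: bytes, subject: str, issuer: str, audience: str,
                 expires_in: int, now: int, jti: str, extra_claims=None) -> str:
    """Assemble sub/iss/aud/iat/nbf/exp plus custom claims and sign.
    Nothing is stored anywhere: the token is the only artefact."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iss": issuer, "aud": audience,
               "iat": now, "nbf": now, "exp": now + expires_in, "jti": jti}
    payload.update(extra_claims or {})
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now: int, expected: dict, denylist: set) -> dict:
    """Signature, then exp/nbf, then expected claim values, then the stored
    denylist. Raises ValueError with a reason on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier fixes the algorithm, not the token
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    for name, value in expected.items():
        if claims.get(name) != value:
            raise ValueError(f"claim {name} mismatch")
    if claims.get("jti") in denylist:
        raise ValueError("revoked")
    return claims


def run_scenarios() -> dict:
    """Exercise the checks with a fixed clock; returns label -> outcome."""
    now = 1_700_000_000
    issuer, audience = "https://issuer.example", "orders-api"
    token = generate_jwt(DEMO_KEY, "user-42", issuer, audience, 3600, now, "jti-1",
                         {"scope": "read"})
    expected = {"iss": issuer, "aud": audience}
    denylist = set()  # the only state revocation requires
    outcomes = {}

    def attempt(label, tok, at, exp=expected):
        try:
            outcomes[label] = verify_jwt(tok, DEMO_KEY, at, exp, denylist)["sub"]
        except ValueError as err:
            outcomes[label] = str(err)

    attempt("valid", token, now + 60)
    attempt("expired", token, now + 3600)
    attempt("not_yet_valid", token, now - 1)
    attempt("wrong_audience", token, now + 60, {"iss": issuer, "aud": "other-api"})
    # A modified payload no longer matches the signature.
    h, p, s = token.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["scope"] = "admin"
    attempt("modified_payload",
            f"{h}.{_b64url(json.dumps(edited, separators=(',', ':')).encode())}.{s}", now + 60)
    # The token is unchanged and still cryptographically valid; only the
    # stored denylist can reject it, which is why revocation needs storage.
    denylist.add("jti-1")
    attempt("revoked", token, now + 60)
    return outcomes
```

Running `run_scenarios()` shows the stateless checks (signature, exp, nbf, expected claims) succeed or fail purely on the token's own contents, while the last case only fails because the `jti` was written to the denylist between the two verifications.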