Open ID Connect and Apigee

Dear Team,

I am unable to understand the line below. Can someone help? It's totally new to me.

APIs are configured as a relying party on an OpenID Connect platform,

and how one can inspect and verify the OpenID Connect Identity.

Regards,

Shailendra Singh

1 ACCEPTED SOLUTION

how one can inspect and verify the OpenID Connect Identity.

OpenID Connect defines a protocol through which an OpenID Connect provider can issue an ID Token and an access token to a user.

The ID token is a JWT, signed with the provider's private key. Any party that has access to the provider's public key can verify the signature on the JWT and then inspect and rely upon the assertions or claims in the signed JWT. Typically the provider publishes a well-known JWKS endpoint through which public keys may be downloaded.

You can configure Apigee to verify the JWT through the JWKS via the VerifyJWT policy.

4 REPLIES

Hi Dino,

Thank you for your response. If I have to implement the above, I can do the following:

Parse the JWT to extract the exp, nbf and iat properties to determine if the token is still valid

and

Using the JWKS URL in the OpenID Connect configuration, fetch the signing key to verify the JWT signature and parameters

Once the signature is verified, let further processing happen.

Regards,

Shailendra Singh

If you use VerifyJWT and specify the JWKS URI, the VerifyJWT policy:

  • checks the signature on the JWT
  • checks the validity times (nbf, iat, exp, if they exist)
  • sets context variables to hold all the claims.

VerifyJWT can also verify other claims in the JWT, like issuer, subject, and audience. Check the documentation for full information.

You don't need to "manually" parse the JWT or "manually" check the exp, iat, nbf claims.

Thank you @Dino-at-Google
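To make the VerifyJWT approach from the replies above concrete, here is an added example of such a policy and its attachment to a proxy PreFlow. It is not code from this thread or from Apigee's documentation; the policy name, issuer URL, JWKS URI and audience are placeholders you would replace with your provider's values.

```xml
<!-- Apigee VerifyJWT policy (added example; names and URLs are placeholders). -->
<VerifyJWT name="VerifyJWT-OIDC-IdToken">
  <DisplayName>Verify OIDC ID token via JWKS</DisplayName>
  <!-- Flow variable holding the JWT; the Authorization header is the usual place. -->
  <Source>request.header.authorization</Source>
  <!-- Pin the algorithm so a token whose header claims a different "alg" is rejected. -->
  <Algorithm>RS256</Algorithm>
  <!-- Public keys are fetched from the provider's JWKS endpoint; the signing key
       is matched by the "kid" in the token header. -->
  <PublicKey>
    <JWKS uri="https://idp.example.com/.well-known/jwks.json"/>
  </PublicKey>
  <!-- nbf/iat/exp are checked whenever present. On top of that, require the token
       to come from this issuer and to be intended for this API (the client_id
       registered at the provider). -->
  <Issuer>https://idp.example.com</Issuer>
  <Audience>my-api-client-id</Audience>
  <!-- Tolerate a little clock skew between Apigee and the provider. -->
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>

<!-- Attach the policy in the proxy endpoint's PreFlow so every request is
     verified before any other processing runs. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>VerifyJWT-OIDC-IdToken</Name>
    </Step>
  </Request>
</PreFlow>
```

On success the claims are exposed as flow variables such as jwt.VerifyJWT-OIDC-IdToken.claim.subject and jwt.VerifyJWT-OIDC-IdToken.decoded.claim.email for later policies to use; on any failed check the policy raises a fault and the request does not reach the target.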