Trust between Apigee Edge and API Provider
Establishing trust between API Proxy and API provider using JWT


I understand that Apigee Edge can perform auth with the client in multiple ways, including OAuth 2, JWT and API keys. However, there seems to be a lack of information on how to do the auth between Apigee Edge and the API provider.

For example, my existing API provider accepts a JWT signed by a specific issuer. My question is: can Apigee Edge generate a signed JWT and forward it to the API provider, where it can verify the JWT locally using JWKS?

There are a few other questions on the community site around this, but the answer seems to be mutual TLS, which does not work in our case. What are the typical solutions for such scenarios?

Thanks.


In short, mutual TLS is the recommended approach.

My question is: can Apigee Edge generate a signed JWT and forward it to the API provider, where it can verify the JWT locally using JWKS?

Yes, it can be done; Apigee has various OOTB JWT policies to do it.

Can you please point me to some documentation around it?

Thanks.

You can use GenerateJWT within your API Proxy to generate a signed JWT.

To make that work, you will need a shared secret for the HS* algorithms, or a private key for the RS*, PS* or ES* algorithms. Usually I would suggest storing these kinds of secrets in the encrypted KVM.

If you also want Apigee to expose the JWKS endpoint, this post may help you:

https://community.apigee.com/articles/77280/exposing-jwks-from-apigee.html
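As an added example (not from this thread and not Apigee's own code), here is the provider-side check the question asks about, next to a minimal proxy-side minting routine, in stdlib-only Python. It uses HS256 with a shared secret (the HS* case from the answer above), published to the provider as a JWKS entry of type "oct"; the key id, issuer, audience, secret and timestamp values are constructed for the demo. On Apigee the minting step would be the GenerateJWT policy with the secret read from the encrypted KVM; the verifier pins the algorithm instead of trusting the token's header, resolves the key by kid from the JWKS, and checks signature, issuer, audience and expiry.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample values. In Apigee the secret would live in the encrypted KVM;
# the provider only needs the JWKS document, keyed by "kid".
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
KEY_ID = "kvm-key-2020-02"                 # assumed key id
ISSUER = "https://apigee-proxy.example"    # assumed issuer
AUDIENCE = "backend-api"                   # assumed audience

JWKS = {"keys": [{"kty": "oct", "kid": KEY_ID, "alg": "HS256",
                  "k": _b64url_encode(SHARED_SECRET)}]}


def generate_jwt(secret: bytes, kid: str, issuer: str, audience: str,
                 subject: str, expires_in: int, now: int) -> str:
    """Proxy side: mint an HS256 JWT (what GenerateJWT does on Apigee)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "iat": now, "exp": now + expires_in}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now: int) -> dict:
    """Provider side: resolve the key from the JWKS, then validate signature and claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must not choose it (rejects "none" and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(_b64url_decode(key["k"]),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if payload.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= payload.get("exp", 0):
        raise ValueError("expired")
    return payload


def check(token: str, jwks: dict, issuer: str, audience: str, now: int) -> str:
    """Return "ok" or the rejection reason, for logging on the provider."""
    try:
        verify_jwt(token, jwks, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    token = generate_jwt(SHARED_SECRET, KEY_ID, ISSUER, AUDIENCE, "apigee-proxy", 3600, now)
    print(token)
    print(check(token, JWKS, ISSUER, AUDIENCE, now))
    print(check(token, JWKS, ISSUER, "other-api", now))
```

The same shape applies to the RS*/PS*/ES* case from the answer: the JWKS entry then carries the public key ("kty": "RSA" or "EC"), the provider verifies with it, and the private key never leaves the proxy's KVM. The kid lookup is what makes key rotation work: publish the new key in the JWKS before the proxy starts signing with it.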