Trust between Apigee edge and API Provider,Establishing trust between Api Proxy and API provider using JWT
I understand that Apigee edge can perform auth with client using multiple ways including OAuth 2, JWT and API keys. However, there seems to be a lack of information on how to do the auth between Apigee edge and API provider.
For example, my existing API provider accepts the JWT token signed by a specific issuer. My question is, can Apigee edge generate a signed JWT and forward it to API provider where it can verify JWT locally using JWKS?
There are a few other questions on the community site around this, but the answer seems to be mutual TLS which does not work in our case. What are the typical solutions for such scenarios?
Thanks.
Answer by Siddharth Barahalikar
·
Feb 11, 2020 at 05:07 PM
In short, mutual TLS is the recommended approach.
My question is, can Apigee edge generate a signed JWT and forward it to API provider where it can verify JWT locally using JWKS?
Yes, it can be done, Apigee has various OOTB JWT policies to do it.
Can you please point me to some documentation around it?
Thanks.
Answer by Dino-at-Google
·
Feb 12, 2020 at 12:52 AM
You can use GenerateJWT within your API Proxy to generate a signed JWT.
To make that work, you will need a shared secret for HS* algorithms, or a private key for RS*, PS* or ES* algorithms. Usually I would suggest storing these kinds of secrets in the encrypted KVM.
If you want Apigee to expose the JWKS endpoint also, this post may help you:
https://community.apigee.com/articles/77280/exposing-jwks-from-apigee.html
