Question by Shirish Padalkar · Feb 11, 2020 at 03:52 PM · 54 Views · Tags: apigee edge, proxy, authentication, authroization

Trust between Apigee edge and API Provider, Establishing trust between Api Proxy and API provider using JWT

I understand that Apigee edge can perform auth with client using multiple ways including OAuth 2, JWT and API keys. However, there seems to be a lack of information on how to do the auth between Apigee edge and API provider.

For example, my existing API provider accepts the JWT token signed by a specific issuer. My question is, can Apigee edge generate a signed JWT and forward it to API provider where it can verify JWT locally using JWKS?

There are a few other questions on the community site around this, but the answer seems to be mutual TLS which does not work in our case. What are the typical solutions for such scenarios?

Thanks.


2 Answers

Answer by Siddharth Barahalikar   · Feb 11, 2020 at 05:07 PM

In short, mutual TLS is the recommended approach.

"My question is, can Apigee edge generate a signed JWT and forward it to API provider where it can verify JWT locally using JWKS?"

Yes, it can be done; Apigee has various OOTB JWT policies to do it.

Comment by Shirish Padalkar · Feb 11, 2020 at 05:10 PM

Can you please point me to some documentation around it?

Thanks.

Comment by Siddharth Barahalikar, replying to Shirish Padalkar · Feb 11, 2020 at 05:13 PM

https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview

Answer by Dino-at-Google   · Feb 12, 2020 at 12:52 AM

You can use GenerateJWT within your API Proxy to generate a signed JWT.

To make that work, you will need a shared secret for HS* algorithms, or a private key for RS*, PS* or ES* algorithms. Usually I would suggest storing these kinds of secrets in the encrypted KVM.

If you want Apigee to expose the JWKS endpoint also, this post may help you:

https://community.apigee.com/articles/77280/exposing-jwks-from-apigee.html
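
The flow described in the answer above, sketched as three Edge policies (an added example, not part of the original answer or of Apigee's documentation): read an RSA private key from an encrypted KVM, sign a short-lived JWT with GenerateJWT, and pass it to the API provider as a bearer token. The map name, key name, key ID, issuer, audience and variable names are constructed placeholders.

```xml
<!-- 1. Read the PEM private key from an encrypted KVM.
     Values from an encrypted KVM must be assigned to a variable
     with the "private." prefix, which also keeps them out of Trace.
     "jwt-secrets" and "backend-signing-key-pem" are placeholder names. -->
<KeyValueMapOperations name="KVM-Get-Signing-Key" mapIdentifier="jwt-secrets">
  <Scope>environment</Scope>
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <Get assignTo="private.jwt_signing_key">
    <Key>
      <Parameter>backend-signing-key-pem</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>

<!-- 2. Sign a short-lived JWT for the API provider.
     The Id under PrivateKey becomes the "kid" header, which the
     provider uses to select the matching public key from the JWKS.
     Issuer and Audience are placeholders; the provider should
     check both, along with the expiry, when it verifies the token. -->
<GenerateJWT name="JWT-Generate-For-Backend">
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.jwt_signing_key"/>
    <Id>edge-key-1</Id>
  </PrivateKey>
  <Issuer>https://apigee.example.com</Issuer>
  <Audience>https://backend.example.com</Audience>
  <ExpiresIn>60s</ExpiresIn>
  <!-- Empty Id element: emit a random jti claim -->
  <Id/>
  <OutputVariable>backend_jwt</OutputVariable>
</GenerateJWT>

<!-- 3. Replace the Authorization header on the target request
     so the client's own credential is not forwarded. -->
<AssignMessage name="AM-Set-Backend-Authorization">
  <Set>
    <Headers>
      <Header name="Authorization">Bearer {backend_jwt}</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

Attach the three policies in this order in the request flow, after the client has been authenticated. With an RS* key only the public half needs to reach the provider through the JWKS, whereas an HS* shared secret would have to be held by both sides.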
