Hi Team,
I have a JWT token which I want to verify and decode. In order to decide, I was wondering which policy I should use first in the API proxy, i.e. either Verify JWT Token or Decode JWT Token.
Thanks
Pratyush
First, let's clarify the nomenclature:
If you want to verify and decode, then use VerifyJWT.
If you want to decode a JWT without verification, use DecodeJWT.
Take care when Decoding a JWT without verification. Here's why: The claims in a JWT are signed, which means any system that receives the JWT can verify the signature, and after successful verification, can trust that the claims are bona-fide, and have been asserted by the signing party (in other words, the holder of the signing key). If a system (or app) that receives a JWT merely decodes the JWT to obtain the claims, the receiving system has not verified that the claims in the JWT are bona-fide. Therefore that system must treat those claims as untrusted. There are good reasons for decoding a JWT without verifying the claims, which is why we have a policy to allow it! But you need to take care.
Why would you build a proxy that would decode a JWT but NOT verify its claims? Normally, you wouldn't. In most cases it's NOT decode-and-don't-verify; it's decode-and-then-later-verify. Some examples of when this might be a good idea:
Some implications and rules to follow:
If any of this is not clear, Apigee experts or experts that work for partners of Apigee can help coach you through these choices. Contact us, either directly through your account rep (if you know that person), or through the web form, and we can have a conversation.
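To make the distinction above concrete, here is an added example (my own code, not Apigee's policy implementation) that models what DecodeJWT and VerifyJWT each give you: the decode path returns the claims of a tampered token without complaint, while the verify path checks the HS256 signature first and rejects it. The key, the claims and the tampering helper are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real VerifyJWT policy would take its key from a KVM or JWKS.
SECRET = b"demo-secret-not-for-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a signed HS256 token (constructed helper so the example runs offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_jwt(token: str) -> dict:
    """DecodeJWT-style: returns the claims WITHOUT checking the signature, so they are untrusted."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_jwt(token: str, key: bytes) -> dict:
    """VerifyJWT-style: pins the algorithm and checks the HMAC before returning claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token's own header choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def signature_is_valid(token: str, key: bytes) -> bool:
    """Convenience wrapper: True if verify_jwt accepts the token, False otherwise."""
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False


def tamper(token: str, new_claims: dict) -> str:
    """Constructed: swap the payload but keep the original signature (what a decode-only proxy cannot detect)."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


GOOD = make_hs256_jwt({"sub": "alice", "role": "user"}, SECRET)
TAMPERED = tamper(GOOD, {"sub": "alice", "role": "admin"})
```

Run `decode_jwt(TAMPERED)` and you get `role: admin` back as if it were legitimate; run `verify_jwt(TAMPERED, SECRET)` and it raises, which is why verification must happen before any claim is acted on.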
It seems you have created two separate proxies for verifying and decoding the JWT token. I would suggest not going for separate proxies if you don't have a requirement for them. I would suggest using both in the same proxy. It is a good practice to verify first and then decode.