Verifying Auth0 | APIGEE Edge - Need Guidance

Hi All,

I understand that we can use the Verify JWT policy to validate the Auth0 token. We have 2 envs, namely DEV and PRD, which use different audiences.

Is it possible to use different JWT tokens for different proxy endpoints? I am just a novice trying to get hold of APIGEE.

This would help to switch the Verify JWT option depending on DEV and PRD.

It would be great if veterans can guide me on the same.

1 REPLY

Yes, you can use VerifyJWT to verify different tokens using different JWKS.

First, VerifyJWT will work to verify the signature on a JWT, using the JWKS you provide, like this:

<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://whatever.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
</VerifyJWT>

If you want to ALSO verify that the audience in the JWT holds a particular value, then do this:

<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://whatever.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Audience>hard-coded-audience-value-to-verify</Audience>
</VerifyJWT>

If you have different audiences, then you can verify that the audience claim in the JWT holds the same value as a "context variable" in Apigee. To do this, you should have previously loaded the context variable with the expected value of the audience. This configuration looks like this:

<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://whatever.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Audience ref="context_variable_here"/>
</VerifyJWT>

A good approach is to store the audience in an environment-specific (DEV, PRD) KeyValueMap in Apigee, and load it with the KeyValueMapOperations policy, prior to calling VerifyJWT.
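As an added example (not part of the reply above or of any Apigee or Auth0 documentation), here is what the KVM-then-VerifyJWT wiring described in the reply looks like as a complete set of proxy bundle files. The map name `jwt-settings`, the key `auth0-audience`, the policy names, the `whatever.auth0.com` tenant and the file paths are all assumed placeholders; the KVM is environment-scoped, so DEV and PRD each hold their own `auth0-audience` value under the same map name and the same proxy bundle deploys to both without change.

```xml
<!-- apiproxy/policies/KVM-Get-Audience.xml (assumed path)
     Reads the expected audience for the current environment from an
     environment-scoped KVM named "jwt-settings" (assumed name) and stores it
     in a "private." variable, which Apigee masks in Trace so the value is not
     exposed in debug sessions. -->
<KeyValueMapOperations name="KVM-Get-Audience" mapIdentifier="jwt-settings">
    <Scope>environment</Scope>
    <Get assignTo="private.expected_audience">
        <Key>
            <Parameter>auth0-audience</Parameter>
        </Key>
    </Get>
</KeyValueMapOperations>

<!-- apiproxy/policies/JWT-Verify-Auth0.xml (assumed path)
     Verifies the RS256 signature against the tenant JWKS, then checks that the
     "aud" claim matches the value loaded by KVM-Get-Audience. The Issuer check
     is an extra I would add: it pins the token to the expected Auth0 tenant
     (trailing slash matters; Auth0 issues "iss" with it). -->
<VerifyJWT name="JWT-Verify-Auth0">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://whatever.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Issuer>https://whatever.auth0.com/</Issuer>
    <Audience ref="private.expected_audience"/>
</VerifyJWT>

<!-- apiproxy/proxies/default.xml (assumed path)
     Order matters: the KVM lookup must run before VerifyJWT so that
     private.expected_audience is populated when the Audience ref is resolved.
     Both steps sit in the PreFlow so every request through this endpoint is
     checked before any conditional flow runs. -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>KVM-Get-Audience</Name>
            </Step>
            <Step>
                <Name>JWT-Verify-Auth0</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <HTTPProxyConnection>
        <BasePath>/v1/example</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

Two points worth checking when you deploy this: if the KVM key is missing in an environment, `private.expected_audience` stays unset and VerifyJWT fails the audience check rather than silently skipping it, which is the safe failure mode; and because VerifyJWT raises a fault on any mismatch (signature, issuer, audience, expiry), the proxy rejects a DEV token presented to PRD even though both tenants may share the same JWKS.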