Auth0 - Verify JWT | APIGEE Edge | Multiple Envs

Hi All,

I understand that we can use the Verify JWT policy to validate the Auth0 token. We have 2 envs, namely DEV and PRD, which use different audiences.

Is it possible to use different JWT tokens for different proxy endpoints? I am just a novice trying to get hold of APIGEE.

This would help to switch the verify JWT option depending on DEV and PRD.

It would be great if veterans can guide me on the same.


Is it possible to use different JWT tokens for different proxy endpoints? I am just a novice trying to get hold of APIGEE.

Yes, why not?

The VerifyJWT policy allows you to verify a JWT. At a minimum, that policy checks the following things on the inbound JWT: validity times (nbf, exp, and optionally iat), and the signature against the verification key.

Optionally, you can specify in the VerifyJWT policy additional things to check or validate. For example, you can configure VerifyJWT to check that there is an "iss" claim in the JWT, and that it has a particular value.

You can also configure the policy to check for a particular "aud" claim. Likewise with "sub" and other "well known claims." And you can perform similar checks for custom claims (claims with non-registered names).

For each check of a claim, you can specify a hard-coded value, or you can specify the name of a context variable that holds the value to check. For example:

<!-- check the audience claim for a hard-coded value -->
<Audience>https://apigee.com/myproxy</Audience>

<!-- check the audience claim for a referenced value -->
<Audience ref='expected-audience'/>

In the latter case the VerifyJWT policy will, at runtime, retrieve the value of the "expected-audience" variable, and then check that the audience in the JWT contains the value of that variable.

To make this effective, you need to intelligently set 'expected-audience' prior to the execution of the VerifyJWT policy. You can do this with an AssignMessage or by reading from a KVM or ... something else.
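The KVM approach described in the reply above, as an added example that is not part of the original reply: an environment-scoped KVM lookup fills 'expected-audience' before VerifyJWT runs, so the same proxy bundle enforces the DEV audience in DEV and the PRD audience in PRD. The policy names, the KVM name "auth0-settings", its key "audience", and the YOUR_TENANT placeholder are assumptions; the KVM is assumed to be unencrypted and created in each environment with that environment's audience value.

```xml
<!-- Added example. Policy 1 (assumed name): read this environment's audience.
     Scope "environment" means DEV and PRD each resolve their own
     "auth0-settings" map (hypothetical name), so no per-env proxy edits. -->
<KeyValueMapOperations name="KVM-Get-Expected-Audience" mapIdentifier="auth0-settings">
  <Scope>environment</Scope>
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <Get assignTo="expected-audience">
    <Key>
      <Parameter>audience</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>

<!-- Policy 2 (assumed name): verify signature, validity times, issuer and
     audience. YOUR_TENANT is a placeholder for the Auth0 tenant domain. -->
<VerifyJWT name="VerifyJWT-Auth0">
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <JWKS uri="https://YOUR_TENANT.auth0.com/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer>https://YOUR_TENANT.auth0.com/</Issuer>
  <!-- Referenced value, as in the reply: set by the KVM policy above -->
  <Audience ref="expected-audience"/>
  <!-- Fail closed: if the KVM entry is missing and the variable does not
       resolve, raise a fault instead of skipping the audience check -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</VerifyJWT>

<!-- Proxy endpoint PreFlow: the lookup must run before the verification -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>KVM-Get-Expected-Audience</Name>
    </Step>
    <Step>
      <Name>VerifyJWT-Auth0</Name>
    </Step>
  </Request>
</PreFlow>
```

If DEV and PRD also use different Auth0 tenants, the issuer and JWKS location can be held in the same KVM and referenced the same way.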