Managing URLs as audience for verify JWT in different proxy deployments

Currently I have a bundle which should be deployed to 5 different environments. All the API calls are authenticated by JWTs from Auth0. A few things about the JWT token from Auth0:

1. Auth0 doesn't support multiple audiences. It's also not possible to change the aud parameter via a rule, and it likely wouldn't be secure to do so.

2. Auth0 uses API identifiers as the audience, i.e. the URLs will be the audience.

Coming back to Apigee, when I am trying to verify the JWT, I am not able to hardcode any URL for the audience, as it will be different for each environment.

The audience in the code below will be different for every environment:

<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://hulk.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Issuer>https://hulk.auth0.com/</Issuer>
    <Audience>https://dev.marvel.com</Audience>
</VerifyJWT>
Kindly help me with this
Solved
1 ACCEPTED SOLUTION

This is a common thing - people want policies to behave differently in different Apigee environments. There are two ways to deal with this:

  1. use a proxy template, and at the time of deployment, "expand" the template to include environment-specific values. This is the approach taken by the maven config plugin.
  2. Use environment-specific variables, perhaps stored in an environment-scoped KVM. Your idea for using a variable is an example of this approach.

    The VerifyJWT policy that uses this approach looks like this:

    <VerifyJWT name="JWT-Verify-RS256">
        <Algorithm>RS256</Algorithm>
        <PublicKey>
            <JWKS uri="https://hulk.auth0.com/.well-known/jwks.json"/>
        </PublicKey>
        <Issuer ref='variable_containing_issuer'/>
        <Audience ref='variable_containing_audience'/>
    </VerifyJWT>
    The ref= attribute is documented.

One limitation of VerifyJWT: currently the JWKS uri attribute must be hard-coded. It's not a variable. So ... if you need that uri to vary across environments, then you may need to use the first approach (templates that get filled at deployment time). We are lifting that limitation, but that change is not yet available.

Let me know if questions.

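The second approach from the accepted answer, carried through end to end, as an added example that is not part of the original post or of Apigee's own documentation. It assumes an environment-scoped KVM named jwt-settings exists in each of the five environments with two entries, issuer and audience, where audience holds that environment's Auth0 API identifier (for example https://dev.marvel.com in dev). The policy names, the KVM name and the fail-closed RaiseFault step are assumptions; the variable names are the ones from the answer. Each fragment below is a separate policy file, except the last, which is the ProxyEndpoint PreFlow that wires them in order.

```xml
<!-- Added example; not from the original post. Policy names and the
     "jwt-settings" KVM name are hypothetical. -->

<!-- 1. Read the environment-specific values out of the KVM into flow
        variables. Scope=environment means each environment has its own
        map, so the same bundle resolves a different audience per environment. -->
<KeyValueMapOperations name="KVM-Get-JWT-Settings" mapIdentifier="jwt-settings">
    <Scope>environment</Scope>
    <!-- cache the lookup so the KVM store is not hit on every request -->
    <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
    <Get assignTo="variable_containing_issuer">
        <Key><Parameter>issuer</Parameter></Key>
    </Get>
    <Get assignTo="variable_containing_audience">
        <Key><Parameter>audience</Parameter></Key>
    </Get>
</KeyValueMapOperations>

<!-- 2. Fail closed if an environment's KVM is missing or incomplete, so a
        misconfigured environment never gets to the verification step with an
        empty audience. The "= null" condition test is assumed here. -->
<RaiseFault name="RF-Missing-JWT-Settings">
    <FaultResponse>
        <Set>
            <StatusCode>500</StatusCode>
            <ReasonPhrase>Server Error</ReasonPhrase>
            <Payload contentType="application/json">{"error":"jwt settings not configured"}</Payload>
        </Set>
    </FaultResponse>
</RaiseFault>

<!-- 3. The VerifyJWT policy from the answer. The JWKS uri stays hard-coded,
        as the answer notes; issuer and audience come from the variables. -->
<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://hulk.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Issuer ref="variable_containing_issuer"/>
    <Audience ref="variable_containing_audience"/>
</VerifyJWT>

<!-- 4. ProxyEndpoint PreFlow: lookup, then fail-closed check, then verify. -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>KVM-Get-JWT-Settings</Name>
        </Step>
        <Step>
            <Condition>(variable_containing_audience = null) or (variable_containing_issuer = null)</Condition>
            <Name>RF-Missing-JWT-Settings</Name>
        </Step>
        <Step>
            <Name>JWT-Verify-RS256</Name>
        </Step>
    </Request>
    <Response/>
</PreFlow>
```

After deploying to each environment, check the audience binding explicitly: a token issued for dev's API identifier sent to the test or prod proxy must be rejected by JWT-Verify-RS256, and deleting the audience entry from one environment's KVM must produce the RaiseFault error rather than a successful verification. Keep the KVM entries themselves under configuration management, since whoever can edit the audience value can decide which Auth0 API's tokens the environment accepts.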

3 REPLIES

@dino

Expecting the solution to be something like using a variable for the audience which will hold different values for different environments. Thanks in advance


@dean Thanks a lot. I used the second method. It's working like a charm.