How to verify a JWT claim to have any one of multiple values?

My JWT payload is:

{
  "iss": "https://d10l.eu.auth0.com/",
  "sub": "auth0|5a70e4e394059f5e7527d6b1",
  "aud": [
    "https://api.d10l.de",
    "https://d10l.eu.auth0.com/userinfo"
  ],
  "iat": 1518429498,
  "exp": 1518436698,
  "azp": "94YJaDlR5QDpaS7Em6aC02_gj6kA1Q_G",
  "scope": "profile"
}

My scope could be profile or id. Is there a way to configure Verify JWT to take any one of profile or id while asserting the claims?

This will verify the scope to have both profile and id.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="true" enabled="true" name="verify-jwt-claims">
    <DisplayName>verify-jwt-claims</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS ref="var"/>
    </PublicKey>
    <AdditionalClaims>
        <Claim name="scope" type="string">profile,id</Claim>
    </AdditionalClaims>
</VerifyJWT>

But is there a way to verify if the scope claim could be one of profile or id?

The other option I could find was to have a condition in the flow:

<Step>
    <Condition>
    NOT(
           jwt.verify-jwt-claims.decoded.claim.scope == "profile"
        OR jwt.verify-jwt-claims.decoded.claim.scope == "id"
    )
    </Condition>
    <Name>Raise-Fault-claims</Name>
</Step>

Yes, using the RaiseFault Step with the Condition element after the VerifyJWT policy, the way you described, is the way to get what you want. Today there is no way to configure VerifyJWT, to check that a claim is one of a set of values.

We are looking into adding more flexibility into VerifyJWT, which would allow you to use a regular expression. Among other things, that would allow VerifyJWT to check that the value of a claim matches one of a set of values. (ref b/169068726). The proposed configuration is like this:

    <AdditionalClaims>
        <Claim name="scope" type="string" regex='(profile|id)'/>
    </AdditionalClaims>

But that is just a proposal. It has not been implemented. For now you have to use that external Condition.

Thank you, Dino 🙂

@dchiesa1 so this never made it to Apigee Edge right? Because I can't find it in the documentation.

Correct, it's not in Apigee Edge at this time. The change has not been merged into the platform at this point.

Reference: b/216666569

Any chance we can push that in or should I contact our KeyAccount?


We are doing the verification of claims in our infrastructure.

We are doing JWKS token signature validation through the VerifyJWT policy, and then the claims are available in the flow. We are using JavaScript to match the claims; if they match, the flow proceeds, else the JavaScript throws an error and the error is handled in the fault rules.
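An added example of the JavaScript-policy approach this reply describes (written for this page, not code from the thread or from Apigee): a check that the scope claim carries at least one of the allowed values, with the Apigee `context` glue guarded so the same file also runs outside the gateway. It assumes the VerifyJWT policy is named verify-jwt-claims as in the question, and it treats the scope claim as the space-delimited list OAuth 2.0 defines (or a JSON array), so a token granting "openid profile" still passes, where an exact `==` comparison against "profile" would not.

```javascript
// Added example (not from the thread): Apigee JavaScript-policy style check
// that a JWT "scope" claim carries at least one of a set of allowed values.
// Assumes the claim was populated by a VerifyJWT policy named
// "verify-jwt-claims" (as in the question), so the value is in the flow
// variable jwt.verify-jwt-claims.decoded.claim.scope.

var ALLOWED_SCOPES = ["profile", "id"]; // the set the question asks about

// Normalise the claim into an array of individual scope tokens.
// OAuth 2.0 "scope" is a space-delimited string (RFC 6749 section 3.3), but
// some issuers emit a JSON array, so both shapes are accepted; anything else
// is treated as "no scopes" rather than as a match.
function parseScopes(claim) {
  if (Array.isArray(claim)) {
    return claim.filter(function (s) { return typeof s === "string"; });
  }
  if (typeof claim === "string") {
    return claim.split(/\s+/).filter(function (s) { return s.length > 0; });
  }
  return [];
}

// True only if at least one granted scope is in the allowed set.
// Exact, case-sensitive token comparison: "profiles" or "PROFILE" do not match.
function hasAnyScope(claim, allowed) {
  var granted = parseScopes(claim);
  for (var i = 0; i < granted.length; i++) {
    if (allowed.indexOf(granted[i]) !== -1) { return true; }
  }
  return false;
}

// Apigee glue: `context` exists only inside the JavaScript policy runtime.
// Throwing makes the policy fail, so the proxy's FaultRules handle it,
// which is the behaviour the reply above relies on.
if (typeof context !== "undefined") {
  var scopeClaim = context.getVariable("jwt.verify-jwt-claims.decoded.claim.scope");
  if (!hasAnyScope(scopeClaim, ALLOWED_SCOPES)) {
    throw new Error("scope claim must include one of: " + ALLOWED_SCOPES.join(", "));
  }
}
```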

That works, too!