Verification of a JWT is an authorization step rather than an authentication step. It assumes that the presented JWT was issued to a client that the identity provider had already authenticated, and it trusts that assumption only while the token is inside its validity period. JWT verification therefore concerns itself with two checks: that the token was signed by a verifiable and approved identity provider (so it has not been forged or altered in transit), and that the claims it carries authorize the client to access the protected resource.
You will now configure a new API to use the Validate JWT policy to verify a presented JWT before allowing access to the backend service, as follows:
1. Create a new patient-jwt-information REST API proxy using the information provided in Table 7.11:
Table 7.11 – JWT Verification Proxy configuration
Click the Save button after making the modifications.
2. Open the Gateway tab. Drag and drop Set Variable and Validate JWT policies in front of the Invoke policy, as shown in the following screenshot, so that the token is checked before the backend is called. Also implement a Default catch flow to handle any JWT verification failure, and drag and drop a GatewayScript policy onto the Default catch block. Rename each policy's Title property as per Figure 7.31:
Figure 7.31 – JWT verification message processing flow
3. Set the set-verification-jwk policy’s property values as per Table 7.12. Click the Add action button to set these values.
Table 7.12 – set-verification-jwk property values
4. Set the jwt-validate policy’s property values as per Table 7.13:
Table 7.13 – jwt-validate property values
5. Lastly, configure the default catch block that handles any JWT verification error. It writes the verification error into the response body so that the client learns why the token was rejected. Copy the code named jwtverification-errorresponse.js from the GitHub repository into the set-error-response policy:
var errorName = 'JWT Validation Error';
// The Validate JWT policy (titled jwt-validate) records the reason for the failure in this context variable
var errorMessage = context.get('jwt-validate.error-message');
var errorResponse = {
    "name": errorName,
    "message": errorMessage
};
// Return the error as a JSON document so that clients can parse it
context.message.header.set('Content-Type', 'application/json');
context.message.body.write(errorResponse);
6. Save and publish your API. (Use the toggle facility for publishing to the Sandbox catalog.)
This completes the configuration of your patient-jwt-information API.
Having completed this proxy configuration, let's test the JWT verification process. The JWT you generated at the end of the JWT Generation section has almost certainly expired by now (remember that the JWT generation configuration set the validity period to 300 seconds), so before testing verification you will need to generate a fresh JWT. Refer to Figure 7.31 for the steps to generate a new JWT. Once you have the new JWT, use it in the Test tab of your patient-jwt-information proxy to send a verification request, as shown in Figure 7.32. You should get a successful response.
Figure 7.32 – JWT verification successful request
Wait for around 5 minutes, which is longer than the 300-second validity period, and execute the same test again. You should receive a JWT validation error, as shown in Figure 7.33:
Figure 7.33 – JWT verification failure
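To make the checks behind steps 2 to 5 and the two test runs above concrete, here is an added stand-alone Python example of what a JWT verification policy does with a token. It is not API Connect's Validate JWT policy and not code from the book's GitHub repository. It assumes a symmetric HS256 JWK (a constructed key standing in for the real set-verification-jwk value in Table 7.12), the 300-second validity period from the JWT Generation section, and an error body with the same name/message shape as the set-error-response GatewayScript. The claim names and the fixed timestamp in demo() are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed symmetric JWK (kty "oct", HS256). The real key lives in Table 7.12's
# set-verification-jwk values; this one exists only so the example runs offline.
VERIFICATION_JWK = {
    "kty": "oct",
    "kid": "patient-jwt-key-1",
    "alg": "HS256",
    "k": base64.urlsafe_b64encode(b"example-shared-secret-never-reuse-32").rstrip(b"=").decode(),
}
TOKEN_VALIDITY_SECONDS = 300  # same validity as the generation policy on the page


class JWTValidationError(Exception):
    """Any verification failure; str(exc) becomes the error message in the response."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, jwk: dict, now: Optional[int] = None) -> str:
    """Issue a compact JWS the way the page's generation policy does (iat/exp added)."""
    now = int(time.time() if now is None else now)
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    body = dict(claims, iat=now, exp=now + TOKEN_VALIDITY_SECONDS)
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, body)
    )
    sig = hmac.new(_b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, jwk: dict, now: Optional[int] = None) -> dict:
    """Verify signature first, then time-based claims; return the claims on success."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTValidationError("token is not a compact JWS (expected three segments)")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise JWTValidationError("header is not base64url-encoded JSON")
    if not isinstance(header, dict):
        raise JWTValidationError("header is not a JSON object")
    # Pin alg to the configured key: the token never gets to choose (blocks alg=none downgrade)
    if header.get("alg") != jwk["alg"]:
        raise JWTValidationError(f"unexpected alg {header.get('alg')!r}, expected {jwk['alg']!r}")
    if header.get("kid") not in (None, jwk["kid"]):
        raise JWTValidationError(f"unknown kid {header.get('kid')!r}")
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(_b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTValidationError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))  # only trusted after the signature check
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise JWTValidationError("exp claim missing or not an integer")
    if now > exp:  # the page's test waits a full 5 minutes, so no clock-skew leeway is applied
        raise JWTValidationError(f"token expired at {exp}, current time is {now}")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now < nbf:
        raise JWTValidationError(f"token not valid before {nbf}")
    return claims


def error_response(exc: JWTValidationError) -> dict:
    """Same shape as the set-error-response body on the page."""
    return {"name": "JWT Validation Error", "message": str(exc)}


def demo() -> dict:
    """Fresh token, expired token (the Figure 7.33 case), alg=none, and a tampered payload."""
    t0 = 1_700_000_000  # constructed issue time
    token = make_jwt({"sub": "patient-42", "iss": "apic-jwt-generate"}, VERIFICATION_JWK, now=t0)
    header_b64, payload_b64, sig_b64 = token.split(".")
    results = {"fresh": validate_jwt(token, VERIFICATION_JWK, now=t0 + 10)["sub"]}
    attempts = {
        "expired": (token, t0 + 301),
        "alg_none": (_b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + ".", t0 + 10),
        "tampered": (header_b64 + "." + _b64url_encode(b'{"sub":"admin","exp":9999999999}') + "." + sig_b64, t0 + 10),
    }
    for name, (bad_token, when) in attempts.items():
        try:
            validate_jwt(bad_token, VERIFICATION_JWK, now=when)
            results[name] = None
        except JWTValidationError as exc:
            results[name] = error_response(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of checks matters: the algorithm is pinned to the configured key and the signature is verified before any claim is read, so an attacker who edits exp or switches the header to alg=none gets the same generic failure as a forged token. In the gateway, the equivalent message lands in jwt-validate.error-message and is surfaced by the set-error-response policy.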
You just learned about the comprehensive support for JWT in the APIC framework. The APIC framework provides both JWT generation and JWT verification, and these facilities can be used independently of each other. There will be cases where you want tokens to be issued by your organization's central identity provider instead. That is a perfectly acceptable use case: in such scenarios, you simply use the Validate JWT policy in your API proxy, supplying that provider's verification key (the JWK set in the set-verification-jwk step above) so that only tokens signed by the approved issuer are accepted.
In the last few sections, you learned in detail about the techniques for Basic authentication (LDAP and custom repository), Client ID (API key), OAuth, OIDC, and JWT policies to secure your APIs. The following section will briefly describe the many capabilities of APIC that you can employ to secure your APIs through additional methods.