JWT (pronounced "jot") is a method of expressing the identity information of a user or system (a client) in JSON format. It is used primarily in authorization scenarios, where it passes an authenticated client's meta-information (identity and claims) to the server in a secure and verifiable format. In that use case, JWT removes the burden of storing an authenticated client's information on the server. Without JWT, websites generally use cookies to pass an authenticated client's access information to the server and rely on the server to store the corresponding session information on its side. The use of cookies is discouraged for privacy and security reasons.
In the authorization scenario, the client and server interaction works as follows:
- The client performs its initial authentication with the authentication system.
- The authentication system generates a JWT that contains various meta-information, such as the client's identity and claims, signed by the authentication system using a JWK. A limited-validity JWT is then returned to the client.
- The client then passes this JWT, along with its resource access request, to the resource server.
- The resource server extracts the JWT and performs the verification of the signed information before allowing access to the protected resource.
Now that you have learned about JWT's primary usage in general, you will want to know about its support in APIC. Not only does APIC support JWT verification, but it also lets you generate a JWT. As you have learned, the JWT authorization use case requires two parts – JWT generation and JWT validation. You will learn how to perform these steps next.
JWT generation
JWT generation primarily involves three steps: client authentication, token generation, and token signing.
There are two methods for generating a token—using APIC's Generate JWT policy or using your organization's identity provider. You will learn the method of using the Generate JWT policy to generate a JWT. Configuring your organization's identity provider to support JWT generation is outside the scope of this book. Here are the steps for the JWT policy method:
1. Log in to API Manager. Go to Home | Develop APIs and products | Add | API (from REST, GraphQL or SOAP).
2. On the Select API type page, ensure that OpenAPI 2.0 is selected. Select New OpenAPI. Then, click Next.
3. On the Create new OpenAPI page, provide the details as per Table 7.8 to create a new API that you will shortly enhance for the purpose of generating a JWT:
Table 7.8 – JWT generation proxy
4. The Security Schemes and Security sections of your API should look similar to Figure 7.27:
Figure 7.27 – JWT generate proxy security definitions and security
5. Now that your base API proxy's structure is set up, you will enable this API to generate a JWT. Modify the API's default Path (/):
- Path name: /generate
- Operations: GET (remove all the other operations by using the three vertical dots menu)
Click the Save button after making the modifications.
6. Next, define the parameters for the GET operation. You will send these parameters in the request's headers. Here you will define two important required headers. Navigate to Paths | /generate | Operations | GET | Path Parameters in the navigation menu. Click the Add button to add the parameters. Add the iss-claim and aud-claim parameters. These parameters are located in the header, are of type string, and are required. Refer to Figure 7.28 for this:
Figure 7.28 – Claim headers for JWT generation
These headers specify the Issuer (iss) and Audience (aud) claims. The JWT needs to contain verifiable claims. iss-claim should contain the identification information of the server that issued the JWT. aud-claim should contain the identification information of the resource server or the resource that the client/application will access using the generated JWT. You will pass these claim values in the request to the jwt-generate API. The jwt-generate API will then insert these header values in the JWT that it returns to you. This is a method of generating dynamic claims. Save your changes.
7. Then, go to the Gateway tab and delete any existing policies from the flow by hovering over the policy and clicking the garbage can. You will now add three new policies to your message processing flow.
8. Drag and drop the Set Variable, Generate JWT, and GatewayScript policies onto your message processing flow as per Figure 7.29. Rename each policy’s Title property as per Figure 7.29:
Figure 7.29 – JWT generation message processing flow
9. Set the set-signature-jwk policy’s property values as per Table 7.9. Click the Add action button to set these values. Click on the Save button after setting the property values.
Table 7.9 – set-signature-jwk property values
10. Set the jwt-generate policy's property values as per the values in Table 7.10. Click on the Save button after setting the property values:
Table 7.10 – jwt-generate property values
11. Lastly, set the generated JWT in the message response body. Copy the code named setjwtresponse.js from the GitHub repository into the set-jwt-response policy as follows:
// Read the JWT that the jwt-generate policy placed in the context
var jwt = context.get('generated.jwt');
// Wrap the token in a JSON object for the response body
var accessToken =
{
    "jwt": jwt
};
// Return the token to the caller as JSON
context.message.header.set('Content-Type', "application/json");
context.message.body.write(accessToken);
12. Save and publish your API (remember to use the toggle facility). This completes the configuration of your jwt-generate API.
You will now run a quick test of the configuration. Go to the Test tab of your API. You will see that the platform has already pre-filled many header values. Enter the iss-claim and aud-claim values as per Figure 7.30. Send the request. You should receive a JWT in the Response section.
Figure 7.30 – JWT Request and Response
The JWT generation section covered the details of using the APIC framework for JWT generation. You must consult your organization's security administrator to confirm that the APIC framework may be used for JWT generation. Many organizations use external identity providers to generate JWTs. If that is the case, then please use the approved method for JWT generation.
Now that you are familiar with the process of JWT generation, next, you will learn the method of performing JWT verification to protect your API resources.