Layer7 API Management

HI All, what is the best/recommended approach while generating JWT outside CA Gateway. Is it recommended to pass Client Secret in claim for authentication while generating JWT on Client app or Client Id should be passed?

currently we're passing iss,aud,iat & exp as a Claim.but we want to include another parameter which will help us to authenticate the token. any suggestions are appreciated.

#jwt #claims

Good afternoon,

We are reviewing community posts that have not been answered. The Client Secret should not be sent through just the Client ID in the aud value.

Header: {"typ":"JWT","alg":"RS256","kid":"default_ssl_key"}
Payload: {
"iss": "https://supdemo-ssg93.support.local:8443",
"iat":1551822592,
"aud":"54f0c455-4d80-421f-82ca-9194df24859d",
"exp":1551826192,
"jti":"117c27c6-b111-425c-83c4-a396dfe17df4",
"token_details": {
"scope":"oob",
"expires_in":3600,
"token_type":"Bearer"
}
}

Within the gateway you can use the Decode JSON Web Token assertion setup depending on how the JWT was signed and/or encrypted to validate the token. If you use this assertion ensure to include a comparison check on the ${<prefix>.valid} variable after the assertion to ensure that it has not been tampered with.

Sincerely,

Stephen Hughes

Broadcom Support