Layer7 API Management

Expand all | Collapse all

Best Approach for Out of Box JWT

  • 1.  Best Approach for Out of Box JWT

    Posted 03-29-2018 07:51 AM

    HI All, what is the best/recommended approach while generating JWT outside CA Gateway. Is it recommended to pass Client Secret in claim for authentication while generating JWT on Client app or Client Id should be passed?

    currently we're passing iss,aud,iat & exp as a Claim.but we want to include another parameter which will help us to authenticate the token. any suggestions are appreciated.

     

    #jwt #claims



  • 2.  Re: Best Approach for Out of Box JWT

    Broadcom Employee
    Posted 03-05-2019 05:11 PM

    Good afternoon,

     

    We are reviewing community posts that have not been answered. The Client Secret should not be sent through just the Client ID in the aud value.

     

    Header: {"typ":"JWT","alg":"RS256","kid":"default_ssl_key"}
    Payload: {
    "iss": "https://supdemo-ssg93.support.local:8443",
    "iat":1551822592,
    "aud":"54f0c455-4d80-421f-82ca-9194df24859d",
    "exp":1551826192,
    "jti":"117c27c6-b111-425c-83c4-a396dfe17df4",
    "token_details": {
    "scope":"oob",
    "expires_in":3600,
    "token_type":"Bearer"
    }
    }

     

    Within the gateway you can use the Decode JSON Web Token assertion setup depending on how the JWT was signed and/or encrypted to validate the token. If you use this assertion ensure to include a comparison check on the ${<prefix>.valid} variable after the assertion to ensure that it has not been tampered with.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support