Layer7 API Management

  • 1.  Validate JSON Web Token (JWT) issued from identity server other than Layer7 API Management

    Posted Mar 09, 2021 03:30 PM
    I have a JWT access token that I need to validate. The JWT was not issued by the Layer7 API Management gateway. The JWT was issued by IdentityServer4, but this might change to be a Gluu server in the future.

    Can the gateway perform complete token validation, as per the OpenID Connect specification, of JWTs issued from other servers and if so how is this done (OTK?, example assertions, etc.)?

    Many Thanks.


  • 2.  RE: Validate JSON Web Token (JWT) issued from identity server other than Layer7 API Management

    Broadcom Employee
    Posted Mar 09, 2021 05:06 PM
    Dear Craig,
    As per my understanding, you just need the public key from the issuer, and then use the Decode JSON Web Token assertion to validate the signature of the JWT with the public key.
    After that, the JSON payload of the JWT will be extracted, and you might perform further validation on the claims such as 'iss', 'exp', 'aud', etc.

    (usually the issuer should share a public link to download the public key, or JSON Web Key, or JSON Web Key Set)


    Regards,
    Mark


  • 3.  RE: Validate JSON Web Token (JWT) issued from identity server other than Layer7 API Management

    Posted Mar 10, 2021 12:49 PM
    Craig, 

    We have done something similar with our Enterprise OKTA JWT tokens.  I am attaching a policy fragment that we created that performs some of the steps mentioned by Mark.  

    We use this fragment in our overall Authentication pattern so we can recognize Gateway OTK tokens, BasicAuth, and now OKTA JWT tokens.

    Hope it helps.

    Rick Reed
    FedEx Freight

    Attachment(s)

    OKTAAuth.xml   45 KB


  • 4.  RE: Validate JSON Web Token (JWT) issued from identity server other than Layer7 API Management

    Posted Apr 09, 2021 12:02 PM
    Just wanted to say a huge thanks to both responses. Both were very helpful.

    I was able to combine the example from the Broadcom tech documentation (see encode_decode_jwt_example_policy.xml) with the OKTAAuth.xml (see other response) to get my first JWT validated on the CA API Gateway. 

    I was also able to gain other tips from the example policies, such as how to check the expiry date and how to cache the JWKS (public key) once the response is returned from the identity server.

    Hopefully it will help others.

    Many thanks.
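Mark's three steps (the issuer's public key, then the signature, then the 'iss', 'exp' and 'aud' claims) and the JWKS caching and expiry checks mentioned in the last reply, written out as a stand-alone Go verifier. This is an added example, not the gateway's Decode JSON Web Token assertion and not code from either attached policy; it assumes the issuer's JWKS has already been fetched and cached as a map keyed by kid, RS256 signatures, and a single-string aud claim.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK is one RSA entry of the issuer's JWK Set; Claims are the claims the thread says to check after the signature.
type JWK struct{ Kid, N, E string }
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // simplified: the spec also allows an array here
	Exp int64  `json:"exp"`
}

// rsaKey rebuilds the public key from the base64url n and e of a JWK; a corrupt entry yields a key that never verifies.
func (k JWK) rsaKey() *rsa.PublicKey {
	n, _ := b64.DecodeString(k.N)
	e, _ := b64.DecodeString(k.E)
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
}

// ValidateJWT follows the thread's order: pin alg, verify RS256 against the cached JWKS (keyed by kid), then check claims.
func ValidateJWT(token string, jwks map[string]JWK, issuer, audience string, now time.Time) (c Claims, err error) {
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	p := strings.Split(token, ".")    // never empty, so p[0] is safe before the length check
	if raw, e := b64.DecodeString(p[0]); len(p) != 3 || e != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("malformed token or alg not RS256") // also rejects alg=none and HMAC key-confusion tokens
	}
	k, ok := jwks[hdr.Kid] // an unknown kid fails closed rather than falling back to any key
	sig, err := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ok || err != nil || rsa.VerifyPKCS1v15(k.rsaKey(), crypto.SHA256, h[:], sig) != nil {
		return c, errors.New("unknown kid or signature invalid")
	}
	raw, _ := b64.DecodeString(p[1]) // the payload is trusted only now, after the signature check
	if json.Unmarshal(raw, &c) != nil || c.Iss != issuer || c.Aud != audience || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("iss, aud or exp check failed")
	}
	return c, nil
}
```

The JWKS document an issuer publishes is `{"keys":[...]}`; the map here is what a cache of that document keyed by kid would hold, so the fetch-and-cache step from the thread sits in front of this function.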