Dear Rohan,
Validating a JWT is different from validating a UUID token.
A JWT is signed by the issuer; when validating, you use the public key provided by the issuer to decrypt the JWT payload, and if that succeeds, it's a valid JWT.
As per my understanding, the use case is like this:
the gateway generates and signs the JWT with a key in its keystore, uses the Set Cookie assertion to store the JWT on the client side, the client sends the request with the JWT in the cookie, the gateway gets the JWT payload from the request cookie, and uses the Decode JSON Web Token assertion to validate the JWT using the key in its keystore.
So it's not a comparison: the service provider doesn't need to call/access the token issuer to validate the JWT, so the issuer has no need to store the JWT. That's the main difference between a JWT and a UUID token.
Regards,
Mark
Original Message:
Sent: 05-14-2020 09:17 AM
From: ROHAN SINHA
Subject: Unable to persist or store JWT Access Token
Hi All,
Thanks for all your replies.
Yes, I am trying to validate the JWT access token which has been sent to the Gateway from the client application. I was not able to understand how, if the Gateway is not storing the JWT access token which it created and shared with the client, it is validating the same token when it is sent in the actual request.
But now I think the Gateway may not need to store the JWT access token. Instead, the Gateway is storing the corresponding UUID access token, lifetime, scope, etc. So when the client sends the JWT access token, it is decoded and the parameters like UUID access token, lifetime, etc. are extracted, which are then validated against the database.
Please let me know if my understanding is correct.
Regards,
Rohan
Original Message:
Sent: 05-14-2020 08:30 AM
From: Muzeer Vaseem Abdul
Subject: Unable to persist or store JWT Access Token
Hello Rohan,
Is your JWT a plain Base64-encoded one? If it is, it is not secure: anyone can read the payload in the JWT. Generally, you can Encrypt and/or Sign the JWT in the Gateway. Similarly, you can Decode and Verify the JWT.
In real-world scenarios, a client would make a request to the server (Gateway) and pass the token with the request. The server would attempt to verify the token and, if successful, would continue processing the request. If the server could not verify the token, the server would send a 401 Unauthorized and a message saying that the request could not be processed as authorization could not be verified.
In case the Gateway is a client and wants to make a request to another server, it can create a signed JWT with its own private key (or as agreed via JWKS) and send it to the server. The server can then verify it with the Gateway's public key and, if valid, process it.
Hope this helps.
Thanks
Vaseem
Original Message:
Sent: 05-14-2020 03:39 AM
From: ROHAN SINHA
Subject: Unable to persist or store JWT Access Token
Hi Zhijun,
Thanks for replying.
As per my understanding of OAuth, the JWT access token which I generated and shared with the client is the same JWT access token that will be sent by the client in successive requests. So if the gateway is not storing this token anywhere, how will it identify and authorize the client?
I did not understand the use of the Set Cookie assertion here. If possible, can you please share an example of how to share the JWT access token with the client and then validate it in successive requests?
Regards,
Rohan
Original Message:
Sent: 05-13-2020 06:25 PM
From: Zhijun He
Subject: Unable to persist or store JWT Access Token
Dear Rohan,
As per my understanding, the validation of a JWT doesn't require a call to the server; you only need the right public key.
I don't see a reason to store the JWT on the server side.
Usually the JWT is for a client; you can use the Set Cookie assertion to pass the JWT to the client.
Regards,
Mark
Original Message:
Sent: 05-13-2020 01:55 PM
From: ROHAN SINHA
Subject: Unable to persist or store JWT Access Token
Hi All,
I generated a JWT access token but I'm unable to store it in the oauth_token table, from where this token can be used for real-time verification of the service request. I used the OTK Token Storage (access_token) encapsulated assertion to store the JWT access token in the database. I get the error below:
2020-05-13T18:10:28.061+0100 WARNING 31239 com.l7tech.external.assertions.jdbcquery.server.ServerJdbcQueryAssertion: 9104: "Perform JDBC Query" assertion failed due to: Data truncation: Data too long for column token at row 1
Please help: how can I store this JWT access token so that it can be used in the service policies?
Regards,
Rohan