Layer7 API Management

  • 1.  JWT Implementation

    Posted Jan 17, 2018 01:04 AM
    We are working on implementing authentication where external sales representatives need to be authenticated against a database and, in case they are authenticated, should be returned a JWT token (generated in the API Gateway) for subsequent calls.

    Also, for any API call, in case the JWT token is missing in the header, username and password should be requested. If the user is authenticated, a JWT token should be generated in the API Gateway and the request should be routed to the backend.
    The missing JWT should not return an error but should ask for credentials to generate a new token.
    What is the best way to implement this?


  • 2.  Re: JWT Implementation

    Posted Jan 17, 2018 05:24 AM

    Missed mentioning above that the JWT should be generated using the RS256 algorithm.



  • 3.  Re: JWT Implementation
    Best Answer

    Broadcom Employee
    Posted Jan 17, 2018 12:15 PM

    Hi Sonalee,

    A few thoughts ...

    I will make the assumption that you currently have logic in place to authenticate the user against a DB. In the case that the user successfully authenticates, you can generate an ID token and then encode it as a JWT to be returned (links below).

    Encoding the JWT supports using RS256 as a signing algorithm.

    For the rest you could set up a policy to look for an authorization header (${request.http.header.authorization}) with a JWT. If it is present you can decode and validate it (the Decode JSON Web Token assertion sets a value 'valid'). If it is not present, initiate the login flow enabled initially. The same process can then be used to generate an ID token at this point.


    Decode JSON Web Token

    Encode JSON Web Token

    Generate and validate an ID token

    Signing with RS256

    Transport layer context variables


    Regards,

    Joe



  • 4.  Re: JWT Implementation

    Broadcom Employee
    Posted Jan 18, 2018 08:42 AM

    Attached is a small sample demonstrating basic usage of the assertions mentioned (generate an ID token, encode and decode the JWT).

    Provided only as a guideline. Note you will have to change the signing key to match something in your own environment:


    Encode Json Web Token Properties


    Regards,

    Joe

    Attachment(s): id_token.xml.zip (1 KB)