Versions Compared

Version Old Version 19 New Version 20
Changes made by

Lakshmi Manda

Lakshmi Manda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

On this Page

Table of Contents
maxLevel2
excludeOlder Versions|Additional Resources|Related Links|Related Information

Snap type:Read
Description:

This Snap generates JSON Web Tokens (JWT). Together with the JWT Validate Snap, this Snap allows pipelines the ability to issue and use limited scope access tokens.

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information (claims) between parties. This information is stored in the token as a JSON object, and is signed using a secret (with HMAC algorithm) or private key (with RSA Algorithm). All the information necessary to validate the token and its contents is contained within the JWT, thereby avoiding an expensive resource look up (for example, a database look up) during token validation.

The Snap properties allow users to customize what information gets embedded in the token.

Input & Output

  • Input:
    This Snap can have an upstream Snap that passes a document. The upstream Snap allows users an opportunity to authenticate internal users (for example using a REST GET Snap). Additionally, the upstream Snap can also fetch or generate data that needs to be embedded in the JWT.

  • Output:
    This Snap generates an output document that contains the access token.
Prerequisites:[None]
Limitations and Known Issues:
  • Works in Ultra Pipelines.
  • The RSA private key size might not match the RSA suggested algorithm tailing number. For example: generating a private key with keysize=512 can be used with RS256, but this key cannot be used with algorithm PS256.
Configurations:

Account & Access

This Snap uses account references created in SnapLogic Manager to handle access to this endpoint. See this article for information on setting up this type of account.

Views

InputThis Snap has at most one document input view.
OutputThis Snap has exactly one document output view.
ErrorThis Snap has at most one document error view and produces zero or more documents in the view.


Troubleshooting:[None]

Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Audience

The asset that the token should be valid for. Can be a string or a list of strings.

Default value: pipe.projectPath

Subject

The entity (user, application, etc) that this token applies to. This could be used to specify internal / third-party users or applications that the token should be valid for.

Default value: [None]

Issued At Epoch

Specify the time (in milliseconds since January 1st, 1970) that indicates when the JWT was created.


Note

If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds.


Default value: N/A.

Example: 1673515370515

Not Before Epoch

Specify the time (in milliseconds since January 1st, 1970) before which the JWT remains invalid.



Note

If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds minus two seconds.


Default value: N/A.

Example: 1673515370513

Expiration Epoch

Specify the time (in milliseconds since January 1st, 1970) after which the JWT is invalid.



Note

If the value is 0 or the field is left blank, Snap considersthe current instant in milliseconds plus the TTL value from the account.


Default value: N/A.

Example: 1673515371515

Token ID

A unique identifier for the token. This field can be used to embed a unique identifier for tracking across multiple systems.

Default value: Math.randomUUID()

Custom Metadata

Custom metadata to embed in token. This field is an Object / Map. For every key value pair in this object, the key will form the name of the claim and the value will be value of the claim.

Default value: [None]

Algorithm

Required. The hashing algorithm used to generate the signature of the token. Options available include:

  • HS256
  • HS512
  • HS384

Default value: HS256

Alternatively, the hashing algorithm for the RSA key used to generate the signature of the token includes the following options:

RS256
RS384
RS512
PS256
PS384
PS512
Default value: RS256

Skip Key ID

Select the checkbox (by disabling the Expression enabler) to skip the Key ID parameter and remove it when generating the JWT.



Note

This property allows you to provide or skip the Key ID in the JWT headers while generating the token. By default, the checkbox is deselected, and Snap considers the Key ID as the alias of the private key used in the account. If an API (such as Bloomberg) does not accept the Key ID, then select this checkbox so that the Key ID is not used in JWT headers while generating the token.


Default value: Deselected

Multiexcerpt include macro
nameSnap Execution
pageAnaplan Read

Multiexcerpt include macro
nameSnap_Execution_Introduced
pageAnaplan Read

Examples

Basic Use Case

The pipeline below shows a standalone JWT Generate Snap (we define a pipeline parameter called username and there is an associated JWT Account).

  

The Snap generates a JWT token as output.

Note that we're using an intentionally long token TTL for demo purposes. This is to ensure that the Validate snap can validate the token successfully.

Typical Snap Configurations

All configuration parameters (Audience, Subject, Token ID, Custom Metadata) are expressions. This provides a lot of flexibility in deciding what information gets embedded in the token. In the above example, we're using the pipeline parameter (_username) as the subject.

Advanced Use Case

The JWT Generate Snap allows users to issue limited scope tokens for internal users.

In the example pipeline below:

  1. The pipeline makes a REST Post to an internal endpoint with internal user credentials. The REST endpoint responds with JSON data associated with that user. 
  2. A Mapper Snap is used to map fields that we want to embed in the token (user, dept, age in this example).




  3. JWT Generate Snap generates an access token that embeds this information in the token (using dept as "audience", "user" as the subject and "age" in custom metadata field).



  4. A Mapper is used to isolate the access token from the output document and return that access token.
  5. See the JWT Validate Snap documentation to see the output when this token is validated and decoded back.

Downloads

Multiexcerpt include macro
namedownload_instructions
pageOpenAPI

Note

You need to create, as described in Configuring JWT Accounts to use for this sample. Use the attached jwt-keystore.jks file to create one.

(The keystore was created using keytool for demo purposes. It contains one symmetric key with alias: jwt password: jwtpasswd)

Attachments
patterns.*slp,.*jks

Insert excerpt
JWT Snap Pack
JWT Snap Pack
nopaneltrue

See Also