Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

On this Page

Table of Contents
maxLevel2
excludeOlder Versions|Additional Resources|Related Links|Related Information

Snap type:Read
Description:

This Snap generates JSON Web Tokens (JWT). Together with the JWT Validate Snap, this Snap allows pipelines the ability to issue and use limited scope access tokens.

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information (claims) between parties. This information is stored in the token as a JSON object, and is signed using a secret (with HMAC algorithm) or private key (with RSA Algorithm). All the information necessary to validate the token and its contents is contained within the JWT, thereby avoiding an expensive resource look up (for

e.g.

example, a database look up) during token validation.

The Snap properties allow users to customize what information gets embedded in the token.

Input & Output

  • Input:
    This Snap can have an upstream Snap that passes a document. The upstream Snap allows users an opportunity to authenticate internal users (for
e.g.
  • example using a REST GET Snap). Additionally, the upstream Snap can also fetch or generate data that needs to be embedded in the JWT.

  • Output:
    This Snap generates an output document that contains the access token
.

Modes

Ultra pipelines: Supported in Ultra Pipelines
  • .
  • Spark (Deprecated) mode: Not supported in Spark mode.
  • Prerequisites:[None]
    Limitations and Known Issues:
    [None]
    • Works in Ultra Pipelines.
    • The RSA private key size might not match the RSA suggested algorithm tailing number. For example: generating a private key with keysize=512 can be used with RS256, but this key cannot be used with algorithm PS256.
    Configurations:

    Account & Access

    This Snap uses account references created

    on the JWT Generate page of SnapLogic Manager

    in SnapLogic Manager to handle access to this endpoint. See

    JWT Generate for

    this article for information on setting up this type of account.

    Views

    InputThis Snap has at most one document input view.
    OutputThis Snap has exactly one document output view.
    ErrorThis Snap has at most one document error view and produces zero or more documents in the view.


    Troubleshooting:[None]

    Settings

    Label


    Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

    Audience

    The asset that the token should be valid for. Can be a string or a list of strings.

    Default value: pipe.projectPath

    Subject

    The entity (user, application, etc) that this token applies to. This could be used to specify internal / third-party users or applications that the token should be valid for.

    Default value: [None]

    Issued At Epoch

    Specify the time (in milliseconds since January 1st, 1970) that indicates when the JWT was created.


    Note

    If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds.


    Default value: N/A.

    Example: 1673515370515

    Not Before Epoch

    Specify the time (in milliseconds since January 1st, 1970) before which the JWT remains invalid.


    Note

    If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds minus two seconds.


    Default value: N/A.

    Example: 1673515370513

    Expiration Epoch

    Specify the time (in milliseconds since January 1st, 1970) after which the JWT is invalid.


    Note

    If the value is 0 or the field is left blank, Snap considersthe current instant in milliseconds plus the TTL value from the account.


    Default value: N/A.

    Example: 1673515371515

    Token ID

    A unique identifier for the token. This field can be used to embed a unique identifier for tracking across multiple systems.

    Default value: Math.randomUUID()

    Custom Metadata

    Custom metadata to embed in token. This field is an Object / Map. For every key value pair in this object, the key will form the name of the claim and the value will be value of the claim.

    Default value: [None]

    Algorithm

    Required. The hashing algorithm used to generate the signature of the token. Options available include:

    • HS256
    • HS512
    HS324
    • HS384

    Default value: HS256

    Alternatively, the hashing algorithm for the RSA key used to generate the signature of the token includes the following options:

    RS256
    RS384
    RS512
    PS256
    PS384
    PS512
    Default value: RS256

    Skip Key ID

    Select the checkbox (by disabling the Expression enabler) to skip the Key ID parameter and remove it when generating the JWT.


    Note

    This property allows you to provide or skip the Key ID in the JWT headers while generating the token. By default, the checkbox is deselected, and Snap considers the Key ID as the alias of the private key used in the account. If an API (such as Bloomberg) does not accept the Key ID, then select this checkbox so that the Key ID is not used in JWT headers while generating the token.


    Default value: Deselected

    Snap Execution

    Select one of the following three modes in which the Snap executes:

    • Validate & Execute: Performs limited execution of the Snap, and generates a data preview during Pipeline validation. Subsequently, performs full execution of the Snap (unlimited records) during Pipeline runtime.

    • Execute only: Performs full execution of the Snap during Pipeline execution without generating preview data.

    • Disabled: Disables the Snap and all Snaps that are downstream from it.

    Default ValueExecute only
    Example: Validate & Execute

    Examples

    Basic Use Case

    The pipeline below shows a standalone JWT Generate Snap (we define a pipeline parameter called username and there is an associated JWT Account).

    Image RemovedImage Added Image RemovedImage Added Image RemovedImage Added

    The Snap generates a JWT token as output.

    Note that we're using an intentionally long token TTL for demo purposes. This is to ensure that the Validate snap can validate the token successfully.

    Typical Snap Configurations

    Image RemovedImage Added

    ll All configuration parameters (Audience, Subject, Token ID, Custom Metadata) are expressions. This provides a lot of flexibility in deciding what information gets embedded in the token. In the above example, we're using the pipeline parameter (_username) as the subject.

    Advanced Use Case

    The JWT Generate Snap allows users to issue limited scope tokens for internal users.

    In the example pipeline below:

    1. The pipeline makes a REST Post to an internal endpoint with internal user credentials. The REST endpoint responds with JSON data associated with that user. 
    2. A Mapper Snap is used to map fields that we want to embed in the token (user, dept, age in this example).
      Image RemovedImage Added



    3. JWT Generate Snap generates an access token that embeds this information in the token (using dept as "audience", "user" as the subject and "age" in custom metadata field).
      Image RemovedImage Added


    4. A Mapper is used to isolate the access token from the output document and return that access token.
    5. See the JWT Validate Snap documentation to see the output when this token is validated and decoded back.

    Downloads

    Multiexcerpt include macro
    namedownload_instructions
    pageOpenAPI

    Note

    You 'll need to create JWT Generate, as described in Configuring JWT Accounts to use for this sample. Use the attached jwt-keystore.jks file to create one.

    (The keystore was created using keytool for demo purposes. It contains one symmetric key with alias: jwt password: jwtpasswd)

    Attachments

    Related Information

    This section gives you a consolidated list of internal and external resources related to this Snap:

    PanelborderColorblackborderWidth1borderStylesolidtitleSnap History

    patterns.*slp,.*jks

    Insert excerpt
    JWT Snap Pack
    JWT Snap Pack
    nopaneltrue