Versions Compared

Version Old Version 18 New Version Current
Changes made by

Rachana Mannath

Shilpa

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expression Enabled Fields in API Policies

All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Prerequisite

The Policies Snap Pack in your Org must be set to 436patches25626 for the Key Input Format field to display the URL option and its dependent fields.

Settings

After the March release, this policy is updated to automatically detect the signing algorithm using the JWT token's header and key. Previously, you had to select the HSA algorithm manually via the Signing Algorithm* field. This policy only support RSA, HSA, and ECDSA signed keys.

Parameter Name

Description

Default Value

Example

Label

Required. The name for the API policy.

JWT Validator

Task JWT Validator

When this policy should be applied

An expression enabled field that determines the condition to be fulfilled for the API policy to execute.

For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST.

True

request.method == "POST"

Signing Algorithm

  • RSA

  • HSA

  • ECDSA

RSA

ECDSA

Key·

None

N/A

·················

Key Input Format

Select one of the following two options:

  • RAW_TEXT

  • URL

NOTE: The option you select determines the subsequent fields.

RAW_TEXT

Key·

When RAW_TEXT is selected, this field displays.

Paste the contents of the public key, which can be a PEM Encoded key or a JSON Web Key (JWK) or a Client Secret.

N/A

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----

URL

When URL is selected, this field displays.

Enter the URL endpoint or click (blue star) to enter an expression to obtain the key.

N/A

https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys

Extract Keys from URL

Enter the URL or expression for the keys.

NOTE: This policy only supports a list of JWK Keys or one JWK key and verifies against the kid field in the JWT header to support URL. If you pass in a list of keys, then only the key whose kid matches with that of the JWT Header’s kid is used for verification.

Expression enabled
$

$keys

Extract into $token

Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy.

N/A

N/A

Custom Header Keys

The names of the headers. If more than one header is given, they will all be checked. Click + to add more custom header keys.

N/A

N/A

Key

The name of the custom header key.

 

$.aud

Custom Query String Parameter Keys

The names of the query parameters. If more than one name is given, they will all be checked. Click + to add more custom query string parameters.

N/A

N/A

Key

The name of the custom query string parameter.

 

$key

Custom Cookie Key

The names of the cookies. You can add more than one cookie. Click + to add more custom cookies.

Info

The value inputin the Cookie is to be replaced with the access token while using Postman or any other tool.

N/A

N/A

Key

The name of the Custom Cookie Key

 

Cookie_1

Authorization Header Type

If the key is in the Authorization header, this value is used as the “type” to check.

Bearer

N/A

 

Extract User Info*

Required. Specifies how to extract information about the user from the working object.

N/A

N/A

User ID Expression

An expression that returns a string to be used as the user ID.

N/A

$qty

Roles Expression

An expression that returns the list of roles for the user.

N/A

$aud

Status

Indicates whether the API policy is enabled or disabled. 

Enabled

Disabled

Example of

...

Configure the JWT Validator API Policy

...

with the RSA and HSA Signing Algorithms


Prerequisites

  • Apply Authorization by Role Policy.

  • Signature Algorithms, Key, User ID, Role.

RSA Signing Algorithm Field Mappings

To generate an RSA token through Auth0 API.

  1. Setup Set up the JWT API in the Auth0 Dashboard > Applications > API, with the RSA Signing Algorithm and identifier as the role that is needed for the policy:

    auth0-api1.png

 

  1. Extract To extract the access token property from the response by issuing , issue the API call using with any API Platform like platform such as Postman:

    access-token-rsa.png

 

  1. Decode the access token using with the jwt.io for extracting to extract the key.

    key.png

     

  2. Role The role is configured in the Authorize by Role policy. Update User ID and Role with the $sub and $aud expression values in the respective fields in the policy dialogue box to fetch the information:

    userid-role.png
Info

  • The value for the JWT role expression field is fetched from the value for the Role field in the Authorize by Role Policy.

  1. To add the Custom Cookie Key, you need to add the domain to your API or Proxy endpoint using with Postman. Now add cookie and replace the value with the access token and save it.:

    cookie.png

 

  • Use the obtained Key, User ID, Role, and Cookie Key for the JWT Validator Policy:

    policy-dialogue-box.pngImage Modified

  • Below is the example that showcases the JWT Validator Policy set up in the SnapLogic UI:

Field names with an '*' (Asterisk symbol) suffix are mandatory fields.

Parameter Name

Field Type

Example

Label*

String

JWT Validator Policy

When this policy should be applied

String/Expression

request.method == "POST"

Signing Algorithm*

Dropdown

RSA

Key*

String

{ "e": "AQAB",
"kty": "RSA",
"n": "tPzmusbjBZThiVXqQkcCFYy3_JI__NaB58n6LmRkFZAsKURjfvO2KsyR_XZ6X9_7LGk8LApzTQ7ReJJhnDuCZ6p6OEs5BzqFLsW--JbbavZALzmw-Rnkl9Z9JiXL-E1xq6gpFpPsdHD8loRNa8YhHWNFQmGWRoWZzkNLc7yxKBCfJMe6ZtiXX00NPpCaxtaIKwFQGyfsYWDAqUcJmHNyA1rb_ByKlEV1_YgtjQPKdgY0-gOOhmONsz9MCAVrYk4s2yJWqVvSbZl31Na0FWlPu0zD4a9fm5XtyYuC0vS7ZIX694rXaheKWTRq9xssMPgAvnBZ0MVVUVd-8c6UrkH8Ww"
}

Extract into $token*

 

 

 

 

Customer Header Keys

String/Expression

x-api-key

Custom Query String Parameter Keys

String/Expression

myquery

Custom Cookie Key

String/Expression

Cookie_4

Authorization Header Type

String

bearer

Extract User Info*

N/A

 

 

User ID Expression*

String/Expression

$sub

Roles Expression*

String/Expression

$aud

Status

Dropdown List

Enabled

Info

Follow the same process for the HSA Signing Algorithm.