Versions Compared

Old Version 14

changes.mady.by.user Chandna Mitra

Saved on

compared with

New Version Current

changes.mady.by.user Subhajit Sengupta

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

On this Page

Table of Contents
maxLevel2
excludeOlder Versions|Additional Resources|Related Links|Related Information

Snap type:Flow
Description:

This Snap validates JSON Web Tokens. Together with 30736405 Snap, this Snap allows pipelines to use limited scope tokens.

This Snap verifies:

  1. The token signature (by using the secret or trusted certificate a with public key from the associated JWTAccount) and the algorithm specified in token header.
  2. If the token is still valid or if it has expired.
  3. If the "audience" property is specified, the audience in the token payload will be compared with the snap property, and the validation will only succeed if at least one of the values match.

Input & Output

  • Input: This Snap can have an upstream Snap that passes in the access token. Alternatively, this Snap could be the first Snap in a pipeline and receive the token in an HTTP Header or HTTP Request body.

  • Output: If the validation succeeds, this Snap outputs a document that contains all the claims found in the token. The downstream Snap could take this information and do additional validation or filtering.

    Note

    Since triggered and scheduled tasks do not support custom HTTP headers, the token should be passed in the request body for those types of tasks.


Prerequisites:[None]
Limitations and Known Issues:
  • Works in Ultra Pipelines.
  • This Snap has been tested with tokens generated using the 30736405 Snap.
  • Validating tokens generated using other methods has not been tested. 
Configurations:

Account & Access

This Snap uses account references created on the 30736405 page of SnapLogic Manager to handle access to this endpoint. See JWT Account for information on setting up this type of account.

Views

InputThis Snap has at most one document input view.
OutputThis Snap has exactly one document output view.
ErrorThis Snap has at most one document error view and produces zero or more documents in the view.


Troubleshooting:[None]

Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Audience

The asset that the token should be valid for. It can be a string or list of strings. If a single value is specified, it must match the "audience" value in the JWT token for the validation to succeed. If a list of values is specified, at least one the values specified in this property should match at least one of the values in the token.

Default value: pipe.projectPath

Access token

Required. The token to validate.

Default value: [None]

Multiexcerpt include macro
nameSnap Execution
pageAnaplan Read


Multiexcerpt include macro
nameSnap_Execution_Introduced
pageAnaplan Read


Examples

Basic Use Case

The pipeline below shows a standalone JWT Validate Snap (it contains a hardcoded token for demo purposes). 

Note that:

  • The Audience property is set to a string value of "sales". This means that the JWT must contain an "audience" claim, and one of those values must be "sales".
  • The Access token property refers to pipeline parameter (_access_token).
  • The preview shows the output when a JWT has been successfully validated and the token has been decoded.

 


Typical Snap Configurations

The Access token parameter must always be present. Since it is an expression, it can refer to pipeline parameter, input document parameter or a plain string.

The Audience parameter is optional. If left empty, the Snap will not perform any checks against the "audience" parameter in the token (It'll still check for a valid token signature and expiration).

Advanced Use Case

This Snap can be used at the start of a pipeline to limit access. By configuring the "audience" parameter, the pipeline will only allow calls with access token that contains that "audience" parameter.

Following on from the Advanced Use Case in JWT Generate Snap documentation, let us assume that we want to allow calls associated with "sales" department only. Further, let us assume that we only want to allow calls when "age" is greater than 21.

  1. The JWT Validate Snap is configured as shown in the "Typical Snap Configuration" section above.
  2. If a token was generated for a different audience (for e.g. "Engineering"), then the Snap validation fails.
  3. With a valid token, the Validation succeeds and the contents of the decoded JWT are written to the output document.
  4. The next step after JWT Validate can perform further filtering or validation. In this example, we configure a Filter snap to only pass calls with an "age" value of greater than 21.

Downloads

Multiexcerpt include macro
namedownload_instructions
pageOpenAPI

Note

You'll need to create a Configuring JWT Accounts to use for this sample. Use the attached jwt-keystore.jks file to create one.

(The keystore was created using keytool for demo purposes. It contains one symmetric key with alias: jwt password: jwtpasswd)

Attachments
patterns*.slp, *.jks

Insert excerpt
JWT Snap Pack
JWT Snap Pack
nopaneltrue