Overview
Use the Outbound JSON Web Token (JWT) policy to authenticate upstream requests with a token. API consumers can use HMAC (HS) or RSA signing algorithms with a preconfigured JWT account to set up this policy. Before calling the upstream URL, the policy does the following:
The policy uses the preconfigured JWT account to get the JWT issuer, the token time to live (TTL), and the signing key.
Additionally, the user can provide extra information about the token to be generated using policy table fields such as Subject, Issued at time, Expiration time, and more.
With the information provided, the Outbound JWT policy generates the signed JWT.
The upstream server uses the generated signed JWT to authenticate the request.
Prerequisites
A preconfigured JWT account.
Policy Execution Order
This JWT Outbound policy executes after the request has been authorized.
All expression-enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.
Settings
Parameter Name | Field Type | Description | Default Value | Example
---|---|---|---|---
Setting Tab | | | |
Label* | String | Required. The name for the API policy. | Outbound JWT Policy | Outbound JWT Policy for Proxy
When this policy should be applied | String/Expression | An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | N/A | request.method == "POST"
Token Location* | Dropdown List | Select the token location: Header, Body, or Query. | Header | Header
Header: Authorization Scheme* (Bearer) | Dropdown List | Select Bearer/Custom Authorization Scheme if you have selected the Header option from the dropdown list. For Custom Authorization Scheme spaces, include in the token key. | Bearer | Bearer
Header: Custom | String | Add your Custom Authorization Scheme here. | N/A | CustomScheme
Body: Request Body Key | String | Enter the JSON key whose value is the token. | N/A | RequestBodyKey
Query: Query String Parameter Name | String | Name the Query String Parameter. | N/A | QueryParameterKey
Audience | Expression/String | The asset that the token should be valid for. Can be a string or a list of strings. | N/A | YourService
Subject | Expression/String | The entity, for example, a user or application, that this token applies to. This could be used to specify internal or third-party users or applications that the token should be valid for. | N/A | user
Issued At Epoch | Expression/String | Specify the time (in milliseconds since January 1st, 1970) that indicates when the JWT was created. If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds. | N/A | 1673515370515
Not Before Epoch | Expression/String | Specify the time (in milliseconds since January 1st, 1970) before which the JWT remains invalid. If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds minus two seconds. | N/A | 1673515370513
Expiration Epoch | Expression/String | Specify the time (in milliseconds since January 1st, 1970) after which the JWT is invalid. If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds plus the TTL value from the account. | N/A | 1673515371515
Token ID | Expression/String | A unique identifier for the token. This field can be used to embed a unique identifier for tracking across multiple systems. | Math.randomUUID() | N/A
Custom Metadata | Expression/String | Custom metadata to embed in the token. This field is an Object / Map. For every key-value pair in this object, the key forms the name of the claim and the value is the value of the claim. | {} | N/A
Skip key ID | Expression/String | Select the checkbox (by disabling the Expression enabler) to skip the Key ID parameter and remove it when generating the JWT. This property allows you to provide or skip the Key ID in the JWT headers while generating the token. By default, the checkbox is deselected, and Snap considers the Key ID as the alias of the private key used in the account. If an API (such as Bloomberg) does not accept the Key ID, then select this checkbox so that the Key ID is not used in JWT headers while generating the token. | N/A | Deselect
Algorithm* | String | Required. The hashing algorithm used to generate the signature of the token. Options available include: Alternatively, the hashing algorithm for the RSA key used to generate the signature of the token includes the following options: | N/A | HS256/RS256
Status | Dropdown List | Specifies whether the API policy is enabled or disabled. | Enabled | Enabled
Account Tab | | | |
Account Reference* | Dropdown List | Select a preconfigured JWT account from the dropdown list that is configured in the | N/A | ../../shared/OutboundPolicyRestOAuth2
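
The token generation described in the Overview, with the field defaults from the Settings table, together with the checks an upstream server would apply before trusting the token, as an added Python example (not SnapLogic's code). The key, issuer, key alias and the `now_ms`/`now_s` parameters are constructed for illustration; it assumes HS256 and that the millisecond inputs are emitted as RFC 7519 NumericDate seconds.

```python
import base64, hashlib, hmac, json, time, uuid

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(key, issuer, ttl_ms, audience, subject, iat_ms=0, nbf_ms=0, exp_ms=0,
         custom=None, kid="constructed-key-alias", skip_kid=False, now_ms=None):
    """Build an HS256 token using the defaults from the Settings table."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    iat_ms = iat_ms or now_ms              # 0/blank: current instant
    nbf_ms = nbf_ms or now_ms - 2000       # 0/blank: current instant minus two seconds
    exp_ms = exp_ms or now_ms + ttl_ms     # 0/blank: current instant plus account TTL
    header = {"alg": "HS256", "typ": "JWT"}
    if not skip_kid:                       # "Skip key ID" leaves kid out of the header
        header["kid"] = kid
    claims = dict(custom or {})            # each Custom Metadata key becomes a claim
    # Assumptions: ms inputs become seconds; registered claims override custom keys.
    claims.update(iss=issuer, aud=audience, sub=subject, jti=str(uuid.uuid4()),
                  iat=iat_ms // 1000, nbf=nbf_ms // 1000, exp=exp_ms // 1000)
    signing_input = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)

def verify(token, key, issuer, audience, now_s=None):
    """Upstream-side check: returns the claims or raises ValueError."""
    now_s = int(time.time()) if now_s is None else now_s
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(head_b64))
        given = b64d(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, do not trust the header
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body_b64))     # parsed only after the signature checks out
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if not (claims.get("nbf", 0) <= now_s < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims
```

If the policy's Token Location is Header with the Bearer scheme, the string returned by `mint` is what follows `Bearer ` in the `Authorization` header that the upstream passes to `verify`.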