Overview

Use the Java Web Token (JWT) Validator policy to authenticate a request with a token. When you apply this policy, API consumers must use their JWT credentials to sign their JWT. Before allowing API access to the consumer, the policy does the following:

The policy checks if the JWT token is valid
If valid, the policy processes the request
If invalid, the policy discards the request

The JWT token works with the Authorize by Role policy. The value for the JWT role is the value for the Role field in the Authorize by Role Policy.

Supported Algorithms

The JWT Validator policy supports keys signed with the following cryptographic algorithms:

Elliptic Curve Digital Signature Algorithm (ECDSA): ES256, ES384, ES512
Rivest–Shamir–Adleman (RSA): RS256, RS384, RS512
Hash-Based Message Authentication Code using SHA (HSA): HS256, HS384, HS512

Policy Execution Order

This JWT Validator policy executes after the request has been authorized.

Expression Enabled Fields in API Policies

All expression-enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Settings

Parameter Name	Description	Default Value	Example

Parameter Name	Description	Default Value	Example
Label	Required. The name for the API policy.	JWT Validator	Task JWT Validator
When this policy should be applied	An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST.	True	request.method == "POST"
Key Input Format	Select one of the following two options: RAW_TEXT URL NOTE: The option you select determines the subsequent fields.	RAW_TEXT
Key·	When RAW_TEXT is selected, this field displays. Paste the contents of the public key, which can be a PEM Encoded key or a JSON Web Key (JWK) or a Client Secret.	N/A	`-----BEGIN PUBLIC KEY-----` `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo` `4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u` `+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh` `kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ` `0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg` `cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc` `mwIDAQAB` `-----END PUBLIC KEY-----`
URL	When URL is selected, this field displays. Enter the URL endpoint or click to enter an expression to obtain the key.	N/A	`https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys`
Extract Keys from URL	Enter the URL or expression for the keys. NOTE: This policy only supports a list of JWK Keys or one JWK key and verifies against the `kid` field in the JWT header to support URL. If you pass in a list of keys, then only the key whose `kid` matches with that of the JWT Header’s `kid` is used for verification.	Expression enabled `$`	`$keys`
Extract into $token	Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy.	N/A	N/A
Custom Header Keys	The names of the headers. If more than one header is given, they will all be checked. Click + to add more custom header keys.	N/A	N/A
Key	The name of the custom header key.		$.aud
Custom Query String Parameter Keys	The names of the query parameters. If more than one name is given, they will all be checked. Click + to add more custom query string parameters.	N/A	N/A
Key	The name of the custom query string parameter.		$key
Custom Cookie Key	The names of the cookies. You can add more than one cookie. Click + to add more custom cookies. The value input in the Cookie is to be replaced with the access token while using Postman or any other tool.	N/A	N/A
Key	The name of the Custom Cookie Key		Cookie_1
Authorization Header Type	If the key is in the Authorization header, this value is used as the “type” to check.	Bearer
Extract User Info*	Required. Specifies how to extract information about the user from the working object.	N/A	N/A
User ID Expression	An expression that returns a string to be used as the user ID.	N/A	$qty
Roles Expression	An expression that returns the list of roles for the user.	N/A	$aud
Headers to add	Optional. Name-value pairs to pass information from the token in the request header to pipeline parameters. For example, you might pass the user ID from the token claim so that the underlying pipeline can retrieve it in a parameter.		To pass the role and token in the header: Name: role Value: $aud Name: tempKey Value: request.uri.path Name: keyID Value: $kid Name: all Value: $ To retrieve the token in pipeline parameters, add a Mapper Snap and map the header values: _ROLE > $aud _TEMPKEY > $tempKey _KEYID > $kid _ALL > $all
Status	Indicates whether the API policy is enabled or disabled.	Enabled	Disabled

Example—Generate a private and public RSA key and extract the claims for Policy configuration

You can use any generator to create a private and a public key and a JWT. The following example uses OpenSSL3 and a text editor. However, Node, Python, and Java libraries require less manual input.

In a command prompt, enter: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem
Extract the public and private keys: openssl rsa -in private.pem -pubout -out public.pem
Create a header and a payload: printf '%s' '{"alg":"RS256","typ":"JWT"}' > header.json
printf '%s' '{"sub":"example-user","aud":"apimuser","role":"admin"}' > payload.json
Encode the header: cat header.json \
| openssl base64 -e -A \
| tr '+/' '-_' \
| tr -d '=' \
header.b64
Encode the payload: cat payload.json \
| openssl base64 -e -A \
| tr '+/' '-_' \
| tr -d '=' \
payload.b64
Create the signing input: paste -d '.' header.b64 payload.b64 > signing_input.txt
Sign using the private key and SHA-256: openssl dgst -sha256 -sign private.pem -binary signing_input.txt > signature.bin
Encode the signature: cat signature.bin \
| openssl base64 -e -A \
| tr '+/' '-_' \
| tr -d '=' \
signature.b64
Create the JWT: paste -d '.' signing_input.txt signature.b64

Next, use these values in the JWT Validator Policy definition:

For Label, name the policy.
Leave When this policy should be applied empty so that it always applies.
For Signing Algorithm, select RSA.
In the Key field, paste the contents of the extracted public.pem file.
For Extract into $token, use the following values:

Customer Header Keys	String/Expression	x-api-key
Custom Query String Parameter Keys	String/Expression	myquery
Authorization Header Type	String	bearer

For Extract User Info, use the following values:

User ID Expression*	String/Expression	$sub
Roles Expression*	String/Expression	$aud

Save and validate.

The value for the JWT role expression field is fetched from the value for the Role field in the Authorize by Role Policy.

The following table summarizes the example Policy configuration:

Parameter Name		Field Type	Example

Parameter Name		Field Type	Example
Label*		String	JWT Validator Policy
When this policy should be applied		String/Expression
Signing Algorithm*		Dropdown	RSA
Key*		String	-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvf7Ioq2sRn8Z4Ziuvr3f PiKrW1PZvp+kWDbFfNyWZiOXu4H3ftIo1JRnEfoPWwxshSyHTTs8x6JRtJ0eZ2T7 YT1ooHimyzVJBdvmsriFvmaErPIZdO6LVq6bcwki+EU2Z7qQbV0EJQiDJ6enxtZC xCNR3YspYLmzTLx8d5gt7C+wOf8LsMweRyFkb+oGkER381GUzPkBdFDsA9w5pjHG R4NNdrjQBHJUi95qjizybkCyWiwBHYUuNzlKzy01UEqCFhjB8TMTT2lG99x1KxN6 Jw0qxwjMdk0DrEt6vPYqqtO0zSNbWeNnAHsVQO+oqJ4Zf4gJnC7t3CgpaLKecPji sQIDAQAB -----END PUBLIC KEY-----
Extract into $token*
	Customer Header Keys	String/Expression	x-api-key
	Custom Query String Parameter Keys	String/Expression	myquery
	Authorization Header Type	String	bearer
Extract User Info*			N/A
	User ID Expression*	String/Expression	$sub
	Roles Expression*	String/Expression	$aud
Status		Dropdown List	Enabled