JWT Validator
- John Brinckwirth
- Rachana Mannath
In this article
Overview
Use the Java Web Token (JWT) Validator policy to authenticate a request with a token. When you apply this policy, API consumers must use their JWT credentials to sign their JWT. Before allowing API access to the consumer, the policy does the following:
The policy checks if the JWT token is valid
If valid, the policy processes the request
If invalid, the policy discards the request
The JWT token works with the Authorize by Role policy. The value for the JWT role is the value for the Role field in the Authorize by Role Policy.
Policy Execution Order
This JWT Validator policy executes after the request has been authorized.
Expression Enabled Fields in API Policies
All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.
Prerequisite
The Policies Snap Pack in your Org must be set to 436patches25626 for the Key Input Format field to display the URL option and its dependent fields.
Settings
After the March release, this policy is updated to automatically detect the signing algorithm using the JWT token's header and key. Previously, you had to select the HSA algorithm manually via the Signing Algorithm* field. This policy only support RSA, HSA, and ECDSA signed keys.
Parameter Name | Description | Default Value | Example |
|---|---|---|---|
Label | Required. The name for the API policy. | JWT Validator | Task JWT Validator |
When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST. | True | request.method == "POST" |
Key Input Format | Select one of the following two options:
NOTE: The option you select determines the subsequent fields.
| RAW_TEXT |
|
Key· | When RAW_TEXT is selected, this field displays. Paste the contents of the public key, which can be a PEM Encoded key or a JSON Web Key (JWK) or a Client Secret. | N/A |
|
URL | When URL is selected, this field displays. Enter the URL endpoint or click to enter an expression to obtain the key. | N/A |
|
Extract Keys from URL | Enter the URL or expression for the keys. NOTE: This policy only supports a list of JWK Keys or one JWK key and verifies against the | Expression enabled |
|
Extract into $token | Required. Specifies the location to find the key in the request. If one of the given locations is not found, this API policy will pass the request through to the next API policy. | N/A | N/A |
Custom Header Keys | The names of the headers. If more than one header is given, they will all be checked. Click + to add more custom header keys. | N/A | N/A |
Key | The name of the custom header key. |
| $.aud |
Custom Query String Parameter Keys | The names of the query parameters. If more than one name is given, they will all be checked. Click + to add more custom query string parameters. | N/A | N/A |
Key | The name of the custom query string parameter. |
| $key |
Custom Cookie Key | The names of the cookies. You can add more than one cookie. Click + to add more custom cookies. The value input in the Cookie is to be replaced with the access token while using Postman or any other tool. | N/A | N/A |
Key | The name of the Custom Cookie Key |
| Cookie_1 |
Authorization Header Type | If the key is in the Authorization header, this value is used as the “type” to check. | Bearer |
|
Extract User Info* | Required. Specifies how to extract information about the user from the working object. | N/A | N/A |
User ID Expression | An expression that returns a string to be used as the user ID. | N/A | $qty |
Roles Expression | An expression that returns the list of roles for the user. | N/A | $aud |
Status | Indicates whether the API policy is enabled or disabled. | Enabled | Disabled |
Example of Configure the JWT Validator API Policy with the RSA and HSA Signing Algorithms
Prerequisites
Apply Authorization by Role Policy.
Signature Algorithms, Key, User ID, Role.
RSA Signing Algorithm Field Mappings
To generate an RSA token through Auth0 API.
Set up the JWT API in the Auth0 Dashboard > Applications > API, with the RSA Signing Algorithm and identifier as the role for the policy:
To extract the
access tokenproperty from the response, issue the API call with any API platform such as Postman:
Decode the access token with the jwt.io to extract the key.
The role is configured in the Authorize by Role policy. Update User ID and Role with the $sub and $aud expression values in the respective fields in the policy dialogue box to fetch the information:
To add the Custom Cookie Key, you need to add the domain to your API or Proxy endpoint with Postman. Now add cookie and replace the value with the access token and save it:
Use the obtained Key, User ID, Role, and Cookie Key for the JWT Validator Policy:
Below is the example that showcases the JWT Validator Policy set up in the SnapLogic UI:
Parameter Name | Field Type | Example | |
|---|---|---|---|
Label* | String | JWT Validator Policy | |
When this policy should be applied | String/Expression | request.method == "POST" | |
Signing Algorithm* | Dropdown | RSA | |
Key* | String | { "e": "AQAB", | |
Extract into $token* |
| ||
| Customer Header Keys | String/Expression | x-api-key |
Custom Query String Parameter Keys | String/Expression | myquery | |
Custom Cookie Key | String/Expression | Cookie_4 | |
Authorization Header Type | String | bearer | |
Extract User Info* | N/A | ||
| User ID Expression* | String/Expression | $sub |
Roles Expression* | String/Expression | $aud | |
Status | Dropdown List | Enabled | |
Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2024 SnapLogic, Inc.