JWT Generate

On this Page

Snap type:Read
Description:

This Snap generates JSON Web Tokens (JWT). Together with the JWT Validate Snap, this Snap allows pipelines the ability to issue and use limited scope access tokens.

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information (claims) between parties. This information is stored in the token as a JSON object, and is signed using a secret (with HMAC algorithm) or private key (with RSA Algorithm). All the information necessary to validate the token and its contents is contained within the JWT, thereby avoiding an expensive resource look up (for example, a database look up) during token validation.

The Snap properties allow users to customize what information gets embedded in the token.

Input & Output

  • Input:
    This Snap can have an upstream Snap that passes a document. The upstream Snap allows users an opportunity to authenticate internal users (for example using a REST GET Snap). Additionally, the upstream Snap can also fetch or generate data that needs to be embedded in the JWT.

  • Output:
    This Snap generates an output document that contains the access token.
Prerequisites:[None]
Limitations and Known Issues:
  • Works in Ultra Pipelines.
  • The RSA private key size might not match the RSA suggested algorithm tailing number. For example: generating a private key with keysize=512 can be used with RS256, but this key cannot be used with algorithm PS256.
Configurations:

Account & Access

This Snap uses account references created in SnapLogic Manager to handle access to this endpoint. See this article for information on setting up this type of account.

Views

InputThis Snap has at most one document input view.
OutputThis Snap has exactly one document output view.
ErrorThis Snap has at most one document error view and produces zero or more documents in the view.
Troubleshooting:[None]

Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Audience

The asset that the token should be valid for. Can be a string or a list of strings.

Default value: pipe.projectPath

Subject

The entity (user, application, etc) that this token applies to. This could be used to specify internal / third-party users or applications that the token should be valid for.

Default value: [None]

Issued At Epoch

Specify the time (in milliseconds since January 1st, 1970) that indicates when the JWT was created.

If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds.

Default value: N/A.

Example: 1673515370515

Not Before Epoch

Specify the time (in milliseconds since January 1st, 1970) before which the JWT remains invalid.

If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds minus two seconds.

Default value: N/A.

Example: 1673515370513

Expiration Epoch

Specify the time (in milliseconds since January 1st, 1970) after which the JWT is invalid.

If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds plus the TTL value from the account.

Default value: N/A.

Example: 1673515371515

Token ID

A unique identifier for the token. This field can be used to embed a unique identifier for tracking across multiple systems.

Default value: Math.randomUUID()

Custom Metadata

Custom metadata to embed in token. This field is an Object / Map. For every key value pair in this object, the key will form the name of the claim and the value will be value of the claim.

Default value: [None]

Algorithm

Required. The hashing algorithm used to generate the signature of the token. Options available include:

  • HS256
  • HS512
  • HS384

Default value: HS256

Alternatively, the hashing algorithm for the RSA key used to generate the signature of the token includes the following options:

RS256
RS384
RS512
PS256
PS384
PS512
Default value: RS256

Skip Key ID

Select the checkbox (by disabling the Expression enabler) to skip the Key ID parameter and remove it when generating the JWT.

This property allows you to provide or skip the Key ID in the JWT headers while generating the token. By default, the checkbox is deselected, and Snap considers the Key ID as the alias of the private key used in the account. If an API (such as Bloomberg) does not accept the Key ID, then select this checkbox so that the Key ID is not used in JWT headers while generating the token.

Default value: Deselected

Snap Execution

Select one of the following three modes in which the Snap executes:

  • Validate & Execute: Performs limited execution of the Snap, and generates a data preview during Pipeline validation. Subsequently, performs full execution of the Snap (unlimited records) during Pipeline runtime.

  • Execute only: Performs full execution of the Snap during Pipeline execution without generating preview data.

  • Disabled: Disables the Snap and all Snaps that are downstream from it.

Default Value: Execute only
Example: Validate & Execute

Examples

Basic Use Case

The pipeline below shows a standalone JWT Generate Snap (we define a pipeline parameter called username and there is an associated JWT Account).

  

The Snap generates a JWT token as output.

Note that we're using an intentionally long token TTL for demo purposes. This is to ensure that the Validate snap can validate the token successfully.

Typical Snap Configurations

All configuration parameters (Audience, Subject, Token ID, Custom Metadata) are expressions. This provides a lot of flexibility in deciding what information gets embedded in the token. In the above example, we're using the pipeline parameter (_username) as the subject.

Advanced Use Case

The JWT Generate Snap allows users to issue limited scope tokens for internal users.

In the example pipeline below:

  1. The pipeline makes a REST Post to an internal endpoint with internal user credentials. The REST endpoint responds with JSON data associated with that user. 
  2. A Mapper Snap is used to map fields that we want to embed in the token (user, dept, age in this example).




  3. JWT Generate Snap generates an access token that embeds this information in the token (using dept as "audience", "user" as the subject and "age" in custom metadata field).



  4. A Mapper is used to isolate the access token from the output document and return that access token.
  5. See the JWT Validate Snap documentation to see the output when this token is validated and decoded back.

Downloads

Important steps to successfully reuse Pipelines

  1. Download and import the pipeline into the SnapLogic application.
  2. Configure Snap accounts as applicable.
  3. Provide pipeline parameters as applicable.

You need to create, as described in Configuring JWT Accounts to use for this sample. Use the attached jwt-keystore.jks file to create one.

(The keystore was created using keytool for demo purposes. It contains one symmetric key with alias: jwt password: jwtpasswd)

  File Modified

File JWT Generate.slp

Jul 17, 2017 by Diane Miller

File JWT Generate (Advanced).slp

Jul 17, 2017 by Diane Miller

File jwt-keystore.jks

Jul 17, 2017 by Diane Miller


Snap Pack History

 Click to view/expand
Release Snap Pack VersionDateType Updates

August 2024

main27765

 

Stable

Updated and certified against the current Snaplogic Platform release.

May 2024

main26341

 

Stable

Updated and certified against the current SnapLogic Platform release.

February 2024436patches25733 LatestEnhanced the JWT Account to support Secret key authentication.
February 2024main25112 StableUpdated and certified against the current SnapLogic Platform release.
November 2023main23721 StableUpdated and certified against the current SnapLogic Platform release.

August 2023

main22460

 

Stable

Updated and certified against the current SnapLogic Platform release.

May 2023main21015 StableUpgraded with the latest SnapLogic Platform release.
February 2023main19844 StableUpgraded with the latest SnapLogic Platform release.
November 2022

431patches19481

 Latest

The JWT Generate Snap includes the following new fields: 

  • Issued At Epoch, Not Before Epoch, and Expiration Epoch enable you to specify the custom instants in milliseconds for generating JSON Web Token (JWT).

  • Skip Key ID for removing the Key ID parameter from the JWT when selected. Some APIs (such as Bloomberg) do not accept Key IDs; this option is useful for such APIs.

November 2022main18944 StableUpgraded with the latest SnapLogic Platform release.
August 2022main17386 StableUpgraded with the latest SnapLogic Platform release.
4.29main15993 StableUpgraded with the latest SnapLogic Platform release.
4.28 Patch428patches15200 LatestEnhanced the JWT Generate Snap to include the typ field in the JWT Header of the JWT token.
4.28main14627 StableUpgraded with the latest SnapLogic Platform release.

4.27

main12833

 

Stable

Upgraded with the latest SnapLogic Platform release.
4.26main11181
 
StableUpgraded with the latest SnapLogic Platform release.
4.25main9554
 
StableUpgraded with the latest SnapLogic Platform release.
4.24main8556
StableUpgraded with the latest SnapLogic Platform release.
4.23main7430
 
StableUpgraded with the latest SnapLogic Platform release.
4.22main6403
 
StableUpgraded with the latest SnapLogic Platform release.
4.21snapsmrc542-StableUpgraded with the latest SnapLogic Platform release.
4.20snaprsmrc528-StableUpgraded with the latest SnapLogic Platform release.
4.19snaprsmrc528-StableUpgraded with the latest SnapLogic Platform release.
4.18snapsmrc523-StableUpgraded with the latest SnapLogic Platform release.
4.17 PatchALL7402-Stable

Pushed automatic rebuild of the latest version of each Snap Pack to SnapLogic UAT and Elastic servers.

4.16

snapsmrc508

-StableUpgraded with the latest SnapLogic Platform release.
4.15snapsmrc500-StableUpgraded with the latest SnapLogic Platform release.

4.14

snapsmrc490

-StableUpgraded with the latest SnapLogic Platform release.

4.13

snapsmrc486

-StableUpgraded with the latest SnapLogic Platform release.

4.12

snapsmrc480

-StableUpgraded with the latest SnapLogic Platform release.

4.11

snapsmrc465

-StableUpgraded with the latest SnapLogic Platform release.

4.10


-Stable

Introduced in this release. Snap Pack contains JWT Generate and JWT Validate.