JWT Validate

On this Page

Snap type:Flow
Description:

This Snap validates JSON Web Tokens. Together with JWT Validate Snap, this Snap allows pipelines to use limited scope tokens.

This Snap verifies:

  1. The token signature (by using the secret or trusted certificate a with public key from the associated JWTAccount) and the algorithm specified in token header.
  2. If the token is still valid or if it has expired.
  3. If the "audience" property is specified, the audience in the token payload will be compared with the snap property, and the validation will only succeed if at least one of the values match.

Input & Output

  • Input: This Snap can have an upstream Snap that passes in the access token. Alternatively, this Snap could be the first Snap in a pipeline and receive the token in an HTTP Header or HTTP Request body.

  • Output: If the validation succeeds, this Snap outputs a document that contains all the claims found in the token. The downstream Snap could take this information and do additional validation or filtering.

    Since triggered and scheduled tasks do not support custom HTTP headers, the token should be passed in the request body for those types of tasks.

Prerequisites:[None]
Limitations and Known Issues:
  • Works in Ultra Pipelines.
  • This Snap has been tested with tokens generated using the JWT Validate Snap.
  • Validating tokens generated using other methods has not been tested. 
Configurations:

Account & Access

This Snap uses account references created on the JWT Validate page of SnapLogic Manager to handle access to this endpoint. See JWT Account for information on setting up this type of account.

Views

InputThis Snap has at most one document input view.
OutputThis Snap has exactly one document output view.
ErrorThis Snap has at most one document error view and produces zero or more documents in the view.
Troubleshooting:[None]

Settings

Label


Required. The name for the Snap. You can modify this to be more specific, especially if you have more than one of the same Snap in your pipeline.

Audience

The asset that the token should be valid for. It can be a string or list of strings. If a single value is specified, it must match the "audience" value in the JWT token for the validation to succeed. If a list of values is specified, at least one the values specified in this property should match at least one of the values in the token.

Default value: pipe.projectPath

Access token

Required. The token to validate.

Default value: [None]

Snap Execution

Select one of the following three modes in which the Snap executes:

  • Validate & Execute: Performs limited execution of the Snap, and generates a data preview during Pipeline validation. Subsequently, performs full execution of the Snap (unlimited records) during Pipeline runtime.

  • Execute only: Performs full execution of the Snap during Pipeline execution without generating preview data.

  • Disabled: Disables the Snap and all Snaps that are downstream from it.

Default Value: Execute only
Example: Validate & Execute


Examples

Basic Use Case

The pipeline below shows a standalone JWT Validate Snap (it contains a hardcoded token for demo purposes). 

Note that:

  • The Audience property is set to a string value of "sales". This means that the JWT must contain an "audience" claim, and one of those values must be "sales".
  • The Access token property refers to pipeline parameter (_access_token).
  • The preview shows the output when a JWT has been successfully validated and the token has been decoded.

 


Typical Snap Configurations

The Access token parameter must always be present. Since it is an expression, it can refer to pipeline parameter, input document parameter or a plain string.

The Audience parameter is optional. If left empty, the Snap will not perform any checks against the "audience" parameter in the token (It'll still check for a valid token signature and expiration).

Advanced Use Case

This Snap can be used at the start of a pipeline to limit access. By configuring the "audience" parameter, the pipeline will only allow calls with access token that contains that "audience" parameter.

Following on from the Advanced Use Case in JWT Generate Snap documentation, let us assume that we want to allow calls associated with "sales" department only. Further, let us assume that we only want to allow calls when "age" is greater than 21.

  1. The JWT Validate Snap is configured as shown in the "Typical Snap Configuration" section above.
  2. If a token was generated for a different audience (for e.g. "Engineering"), then the Snap validation fails.
  3. With a valid token, the Validation succeeds and the contents of the decoded JWT are written to the output document.
  4. The next step after JWT Validate can perform further filtering or validation. In this example, we configure a Filter snap to only pass calls with an "age" value of greater than 21.

Downloads

Important steps to successfully reuse Pipelines

  1. Download and import the pipeline into the SnapLogic application.
  2. Configure Snap accounts as applicable.
  3. Provide pipeline parameters as applicable.

You'll need to create a Configuring JWT Accounts to use for this sample. Use the attached jwt-keystore.jks file to create one.

(The keystore was created using keytool for demo purposes. It contains one symmetric key with alias: jwt password: jwtpasswd)

  File Modified

File JWT Validate_2017_07_14.slp

Jul 17, 2017 by Diane Miller

File jwt-keystore.jks

Jul 17, 2017 by Diane Miller


Snap Pack History

 Click to view/expand
Release Snap Pack VersionDateType Updates
November 2024main29029 StableUpdated and certified against the current SnapLogic Platform release.

August 2024

main27765

 

Stable

Updated and certified against the current Snaplogic Platform release.

May 2024

main26341

 

Stable

Updated and certified against the current SnapLogic Platform release.

February 2024436patches25733 LatestEnhanced the JWT Account to support Secret key authentication.
February 2024main25112 StableUpdated and certified against the current SnapLogic Platform release.
November 2023main23721 StableUpdated and certified against the current SnapLogic Platform release.

August 2023

main22460

 

Stable

Updated and certified against the current SnapLogic Platform release.

May 2023main21015 StableUpgraded with the latest SnapLogic Platform release.
February 2023main19844 StableUpgraded with the latest SnapLogic Platform release.
November 2022

431patches19481

 Latest

The JWT Generate Snap includes the following new fields: 

  • Issued At Epoch, Not Before Epoch, and Expiration Epoch enable you to specify the custom instants in milliseconds for generating JSON Web Token (JWT).

  • Skip Key ID for removing the Key ID parameter from the JWT when selected. Some APIs (such as Bloomberg) do not accept Key IDs; this option is useful for such APIs.

November 2022main18944 StableUpgraded with the latest SnapLogic Platform release.
August 2022main17386 StableUpgraded with the latest SnapLogic Platform release.
4.29main15993 StableUpgraded with the latest SnapLogic Platform release.
4.28 Patch428patches15200 LatestEnhanced the JWT Generate Snap to include the typ field in the JWT Header of the JWT token.
4.28main14627 StableUpgraded with the latest SnapLogic Platform release.

4.27

main12833

 

Stable

Upgraded with the latest SnapLogic Platform release.
4.26main11181
 
StableUpgraded with the latest SnapLogic Platform release.
4.25main9554
 
StableUpgraded with the latest SnapLogic Platform release.
4.24main8556
StableUpgraded with the latest SnapLogic Platform release.
4.23main7430
 
StableUpgraded with the latest SnapLogic Platform release.
4.22main6403
 
StableUpgraded with the latest SnapLogic Platform release.
4.21snapsmrc542-StableUpgraded with the latest SnapLogic Platform release.
4.20snaprsmrc528-StableUpgraded with the latest SnapLogic Platform release.
4.19snaprsmrc528-StableUpgraded with the latest SnapLogic Platform release.
4.18snapsmrc523-StableUpgraded with the latest SnapLogic Platform release.
4.17 PatchALL7402-Stable

Pushed automatic rebuild of the latest version of each Snap Pack to SnapLogic UAT and Elastic servers.

4.16

snapsmrc508

-StableUpgraded with the latest SnapLogic Platform release.
4.15snapsmrc500-StableUpgraded with the latest SnapLogic Platform release.

4.14

snapsmrc490

-StableUpgraded with the latest SnapLogic Platform release.

4.13

snapsmrc486

-StableUpgraded with the latest SnapLogic Platform release.

4.12

snapsmrc480

-StableUpgraded with the latest SnapLogic Platform release.

4.11

snapsmrc465

-StableUpgraded with the latest SnapLogic Platform release.

4.10


-Stable

Introduced in this release. Snap Pack contains JWT Generate and JWT Validate.