Outbound JWT

Overview

Use the Outbound JSON Web Token (JWT) policy to authenticate upstream request with a token. API consumers can use HSA or RSA signing algorithms with preconfigured JWT account to set-up this policy. Before calling the upstream URL, the policy does the following:

  • The policy uses preconfigured JWT account to get the JWT issuer, the token time to live (TTL) and the signing key.

  • Additionally, the user can provide extra information about the token to be generated using policy table fields such as Subject, Issued at time, Expiration time and more.

  • With the information provided, the Outbound JWT policy generates the signed JWT token,

  • The generated signed JWT token is used by the upstream server to authenticate the request.

Prerequisites

Policy Execution Order

This JWT Outbound policy executes after the request has been authorized.

All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Settings

jwt-outbound-proxy.png

Parameter Name

Field Type

Description

Default Value

Example

Parameter Name

Field Type

Description

Default Value

Example

Setting Tab

Label*

String

Required. The name for the API policy.

Outbound JWT Policy

Outbound JWT Policy for Proxy

When this policy should be applied

String/Expression

An expression enabled field that determines the condition to be fulfilled for the API policy to execute.

For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is a POST.

N/A

request.method == “POST”

Token Location*

Dropdown List

Select the Token location as Header/Body/Query

Header

Header

Header

Authorization Scheme*

Bearer

Dropdown List

Select Bearer/Custom Authorization Scheme if you have selected the Header option from the dropdown list.

For Custom Authorization Scheme spaces, include in the token key.

Bearer

Bearer

 

Custom

String

Add your Custom Authorization Scheme here.

 N/A

CustomScheme

Body

Request Body Key

 

String

Enter JSON key with the value of the token.

N/A

RequestBodyKey

Query

Query String Parameter Name

 

String

Name the Query String Parameter.

N/A

QueryParameterKey

Audience

Expression/String

The asset that the token should be valid for. Can be a string or a list of strings.

N/A

YourService

Subject

Expression/String

The entity, for example, user or application that this token applies to. This could be used to specify internal or third-party users or applications that the token should be valid for.

N/A

user

Issued At Epoch

Expression/String

Specify the time (in milliseconds since January 1st, 1970) that indicates when the JWT was created.

If the value is 0 or the field is left blank, Snap considers the current instant in milliseconds.

 

N/A

1673515370515

Not Before Epoch

Expression/String

Specify the time (in milliseconds since January 1st, 1970) before which the JWT remains invalid.

 

N/A

1673515370513

Expiration Epoch

Expression/String

Specify the time (in milliseconds since January 1st, 1970) after which the JWT is invalid.

 

N/A

1673515371515

Token ID

Expression/String

A unique identifier for the token. This field can be used to embed a unique identifier for tracking across multiple systems.

 

Math.randomUUID()

N/A

Custom Metadata

Expression/String

Custom metadata to embed in token. This field is an Object / Map. For every key value pair in this object, the key will form the name of the claim and the value will be value of the claim.

 

{}

N/A

Skip key ID

Expression/String

Select the checkbox (by disabling the Expression enabler) to skip the Key ID parameter and remove it when generating the JWT.

 

N/A

Deselect

Algorithm*

 

String

Required. The hashing algorithm used to generate the signature of the token. Options available include:

  • HS256

  • HS512

  • HS384

Alternatively, the hashing algorithm for the RSA key used to generate the signature of the token includes the following options:

  • RS256

  • RS384

  • RS512

  • PS256

  • PS384

  • PS512

N/A

HS256/RS256

Status

Dropdown List

Specifies whether the API policy is enabled or disabled. 

Enabled

Enabled

Account Tab

Account Reference*

Dropdown List

Select a preconfigured JWT account from the dropdown list that is configured in the global>shared folder.

N/A

../../shared/OutboundPolicyRestOAuth2