Working with JSON Web Tokens

This topic describes how to use JSON Web Tokens (JWT) in the Layer7 API Gateway. The sample workflow shows you how to use all the related assertions: Encode JSON Web Token Assertion, Decode JSON Web Token Assertion, and Create JSON Web Key Assertion.
Terminology

  Term   Meaning
  JWT    JSON Web Token
  JWK    JSON Web Key
  JWKS   JSON Web Key Set
  alg    Signature algorithm
  iss    JSON Web Token issuer
  exp    Expiry date (of the JSON Web Token)
  kid    JSON Web Key ID
Scenario
You are validating a JSON Web Token signature using a JWK. You are validating against an expected signature algorithm, JWT issuer, and JWT expiry date.
Sample Policy
The following sample policy achieves the Scenario described above.
For simplicity, the sample policy uses hard-coded values where context variables must be used in a real policy. Proper error handling is omitted in this sample. Ensure that this policy is part of the service that it is authenticating.
[Figure: Encode_Decode_JSON_Web_Token_Workflow.png, the encode/decode JSON Web Token workflow policy]
Concise summary of the process:
  1. Create a JWT and sign it using the Encode JSON Web Token Assertion.
  2. Create a JWKS using the Create JSON Web Key Assertion.
  3. Extract the header and payload using the Decode JSON Web Token Assertion (with Validation Method set to "None").
  4. From the extracted header and payload, set extracted results for alg, iss, kid, and exp using the Evaluate JSON Path Expression Assertion.
  5. Set the expected results for alg and iss.
  6. Compare the expected results against the extracted results (alg, iss, exp).
  7. Finally, validate the JWT signature using the Decode JSON Web Token Assertion.
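The seven steps above, carried through as an added example that is not part of this topic or of the Gateway's own assertions. It stands in for the policy with plain Python: the JWKS is a constructed symmetric ("oct") key rather than one produced by the Create JSON Web Key Assertion, the token is signed with HS256 instead of the sample policy's RS256, and the function names (encode_jwt, decode_unverified, validate_jwt) are assumptions. The important ordering is kept: alg, iss and exp are compared against the expected values from the unverified header and payload first, the key is selected by kid from the JWKS, and only then is the signature verified, so a token whose header names a different algorithm than the one the policy expects is rejected before any cryptography runs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample JWKS (assumption): one symmetric "oct" key with a kid, as in
# RFC 7518 section 6.4. In the Gateway the Create JSON Web Key Assertion would build this.
SAMPLE_JWKS = {
    "keys": [
        {
            "kty": "oct",
            "kid": "example-key-1",
            "alg": "HS256",
            "k": base64.urlsafe_b64encode(b"constructed-demo-secret-0123456789").rstrip(b"=").decode(),
        }
    ]
}


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_secret(jwks: dict, kid: str) -> bytes:
    """Look up the symmetric key for a kid in the JWKS (step 2 output, step 7 input)."""
    for key in jwks["keys"]:
        if key.get("kty") == "oct" and key.get("kid") == kid:
            return b64url_decode(key["k"])
    raise KeyError(f"no oct key with kid {kid!r} in JWKS")


def encode_jwt(claims: dict, jwks: dict, kid: str) -> str:
    """Step 1: build header.payload and sign it with HS256 using the key named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(jwk_secret(jwks, kid), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """Step 3: parse header and payload with no signature validation (Validation Method "None")."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def validate_jwt(token: str, jwks: dict, expected_alg: str, expected_iss: str, now=None):
    """Steps 3 to 7: compare alg, iss and exp with the expected values, then verify the signature.

    Returns (ok, reason) so each failure is distinguishable, the way a policy branch would be.
    """
    now = time.time() if now is None else now
    header, payload, parts = decode_unverified(token)
    # Steps 4 to 6: extracted alg / iss / exp versus expectations, before any crypto.
    if header.get("alg") != expected_alg:
        return False, "alg mismatch"
    if payload.get("iss") != expected_iss:
        return False, "iss mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    # Select the verification key by the extracted kid.
    try:
        secret = jwk_secret(jwks, header.get("kid"))
    except KeyError:
        return False, "unknown kid"
    # Step 7: recompute the MAC over header.payload and compare in constant time.
    expected_sig = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    token = encode_jwt({"iss": "https://issuer.example", "sub": "alice", "exp": now + 300},
                       SAMPLE_JWKS, "example-key-1")
    print(validate_jwt(token, SAMPLE_JWKS, "HS256", "https://issuer.example"))
    # Same check the "Try it Yourself" section suggests: expecting a different alg fails.
    print(validate_jwt(token, SAMPLE_JWKS, "RS256", "https://issuer.example"))
```

Passing now explicitly into validate_jwt keeps the expiry check deterministic; in a real policy the current time comes from the Gateway. The alg check uses the policy's own expected value, not the alg in the token header, which is what makes the check meaningful.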
Try it Yourself
Download the encode_decode_jwt_example_policy.xml file attached to this topic and then import it into your Policy Manager.
Enable Show Comments and Show Assertion Numbers (set these in the Preferences).
Try validating against a different, unexpected algorithm, to see the policy fail as expected. Do this by changing line 40: "Set Context Variable alg.expected as String to: RS256". Change the expression from "RS256" to "HS256".