jwt-validate
Use the Validate JWT security policy to enable the validation of a JSON Web Token (JWT) in a request before allowing access to the APIs.
The jwt-validate policy has the following structure:
- jwt-validate:
    title: title
    description: description
    jwt: json_web_token
    output-claims: output_full_set_of_jwt_claims
    iss-claim: issuer_claim
    aud-claim: audience_claim
    jwe-crypto: decrypt_crypto_object
    jwe-jwk: decrypt_crypto_jwk_variable_name
    jws-crypto: verify_crypto_object
    jws-jwk: verify_crypto_jwk_variable_name
The following table describes the policy properties:
Property label | Property name | Required | Description | Data type |
---|---|---|---|---|
Title | title | Yes | The title of the policy. The default value is | string |
Description | description | No | A description of the policy. | string |
JSON Web Token (JWT) | jwt | Yes | Context or runtime variable that contains the JWT to be validated. The default value is: Note: The format of the authorization header must be: where jwt-token is the encoded JWT. | string |
Output Claims | output-claims | Yes | Runtime variable to which the full set of claims that are contained in the JWT is assigned once signature verification (and decryption, where configured) succeeds. The default value is: | string |
Issuer Claim | iss-claim | No | The Perl Compatible Regular Expression (PCRE) that the Issuer (iss) claim must match. Anchor the pattern (for example ^issuer$) so that a substring match against an attacker-chosen issuer is not accepted. | string |
Audience Claim | aud-claim | No | The PCRE that the Audience (aud) claim must match; anchor it for the same reason as iss-claim. | string |
Decrypt Crypto Object | jwe-crypto | No | The cryptographic object (a shared key or certificate) to use to decrypt the JWT. [1] | string |
Decrypt Crypto JWK variable name | jwe-jwk | No | Runtime variable that contains the JWK to use to decrypt the JWT. [1] | string |
Verify Crypto Object | jws-crypto | No | The cryptographic object (a shared key or certificate) to use to verify the signature. [2] | string |
Verify Crypto JWK variable name | jws-jwk | No | Runtime variable that contains the JWK to use to verify the signature. [2] | string |
Example
The following are two examples of a jwt-validate policy. The first reads the token from the Authorization header and supplies both a crypto object and a JWK variable for decryption and for verification (in which case only the crypto object is used, see the notes below); the second reads the token from a runtime variable and verifies it with JWKs only:
- jwt-validate:
    title: jwt-validate
    jwt: request.headers.authorization
    output-claims: decoded.claims
    iss-claim: '^data.*'   # PCRE, anchored at the start of the iss claim
    aud-claim: '^id.*'     # PCRE, anchored at the start of the aud claim
    jwe-crypto: jweCryptoObjectName
    jwe-jwk: jwe.jwk
    jws-crypto: jwsCryptoObjectName
    jws-jwk: jws.jwk
- jwt-validate:
    title: validate_jwt
    jwt: jwt
    output-claims: decoded.claims
    version: 1.0.0
    iss-claim: '^apic$'    # anchored: a bare 'apic' would also accept issuers such as 'https://evil.example/apic'
    jwe-jwk: hs256-enc-key
    jws-jwk: hs256-key
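To make the policy's behaviour concrete, the following Python script is added here as an illustration; it is not IBM API Connect or gateway code. It models what jwt-validate does for a signed (JWS) token: read the token from the variable named by jwt, verify its signature with the JWK held in the jws-jwk variable, check the iss and aud claims against the iss-claim and aud-claim regular expressions, and hand the full claim set to output-claims. The 'Bearer <token>' header format and the expiry check are assumptions made by this example, the JWE path (jwe-jwk, jwe-crypto) and X.509 crypto objects are not modelled, and the key and tokens are constructed test data. The demo() cases also show why the issuer pattern should be anchored.

```python
"""Model of the checks a jwt-validate policy performs on a signed (JWS) token.
Added example, not IBM API Connect or DataPower code.  It mirrors the
policy's jwt, jws-jwk, iss-claim, aud-claim and output-claims properties with
a JWK read from a runtime variable.  Not modelled: the JWE path (jwe-jwk,
jwe-crypto) and X.509 crypto objects.  The 'Bearer <token>' header format
and the expiry check are assumptions, not taken from the page."""
import base64, hashlib, hmac, json, re, time


class JwtValidationError(Exception):
    """Raised where the gateway would reject the request."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed test key as an RFC 7517 'oct' JWK (stand-in for the jws-jwk variable).
TEST_JWK = {"kty": "oct", "k": b64url_encode(b"constructed-test-key-32-bytes!!!")}


def sign_hs256(claims: dict, jwk: dict) -> str:
    """Mint an HS256 compact JWS as test input; the policy only ever validates."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(b64url_decode(jwk["k"]), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def jwt_validate(authorization: str, jws_jwk: dict, iss_claim=None, aud_claim=None, now=None) -> dict:
    """Return the full claim set (what output-claims receives) or raise JwtValidationError."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:  # assumed header format
        raise JwtValidationError("authorization header is not 'Bearer <jwt>'")
    parts = token.split(".")
    if len(parts) != 3:  # five parts would be a JWE, which this model does not decrypt
        raise JwtValidationError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin alg to the key type: rejects alg=none and asymmetric/HMAC confusion.
    if header.get("alg") != "HS256" or jws_jwk.get("kty") != "oct":
        raise JwtValidationError(f"unsupported alg {header.get('alg')!r} for this JWK")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(b64url_decode(jws_jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise JwtValidationError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))  # parse only after the signature holds
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise JwtValidationError("token expired")
    # iss-claim / aud-claim: regexes the claims must satisfy; aud may be a string or an array.
    if iss_claim is not None and not re.search(iss_claim, str(claims.get("iss", ""))):
        raise JwtValidationError(f"iss {claims.get('iss')!r} does not match {iss_claim!r}")
    if aud_claim is not None:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not any(re.search(aud_claim, str(a)) for a in aud):
            raise JwtValidationError(f"aud {aud!r} does not match {aud_claim!r}")
    return claims


def demo() -> dict:
    """Cases a practitioner should check; returns {case name: accepted?}."""
    good = sign_hs256({"iss": "apic", "aud": ["id-service"], "sub": "alice", "exp": 4102444800}, TEST_JWK)
    spoofed = sign_hs256({"iss": "https://evil.example/apic", "aud": "id-service"}, TEST_JWK)
    other_key = {"kty": "oct", "k": b64url_encode(b"x" * 32)}
    forged = sign_hs256({"iss": "apic", "aud": "id-service"}, other_key)
    h, p, s = good.split(".")
    tampered = f"{h}.{'A' if p[0] != 'A' else 'B'}{p[1:]}.{s}"  # flip one payload char

    def accepted(header, **kw):
        try:
            jwt_validate(header, TEST_JWK, **kw)
            return True
        except JwtValidationError:
            return False

    return {
        "valid token": accepted("Bearer " + good, iss_claim="^apic$", aud_claim="^id.*"),
        "forged with another key": accepted("Bearer " + forged, iss_claim="^apic$"),
        "tampered payload": accepted("Bearer " + tampered, iss_claim="^apic$"),
        "unanchored iss 'apic'": accepted("Bearer " + spoofed, iss_claim="apic"),
        "anchored iss '^apic$'": accepted("Bearer " + spoofed, iss_claim="^apic$"),
        "missing Bearer scheme": accepted(good, iss_claim="^apic$"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'accepted' if ok else 'REJECTED'}")
```

The order of checks matters: the signature is verified over the raw base64url segments before the payload is parsed, the algorithm is pinned to the key type so that an `alg` header chosen by the client cannot change how the key is used, and the issuer comparison shows the difference between an unanchored pattern (`apic`, which accepts `https://evil.example/apic`) and an anchored one (`^apic$`).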
For more information about how to use a jwt-validate security policy, see Validate JWT (jwt-validate) in the built-in policies section.
[1] A JWK and a Crypto Object are both valid ways of providing the cryptographic data necessary to decrypt the JWT. However, if both are specified, only the Crypto Object is used.
[2] A JWK and a Crypto Object are both valid ways of providing the cryptographic data necessary to verify the JWT. However, if both are specified, only the Crypto Object is used.