DataPower Gateway only [V5.0.1 or later]

jwt-validate

Use the Validate JWT security policy to enable the validation of a JSON Web Token (JWT) in a request before allowing access to the APIs.

The jwt-validate policy has the following structure:
- jwt-validate:
    title: title
    description: description
    jwt: json_web_token
    output-claims: output_full_set_of_jwt_claims
    iss-claim: issuer_claim
    aud-claim: audience_claim
    jwe-crypto: decrypt_crypto_object
    jwe-jwk: decrypt_crypto_jwk_variable_name
    jws-crypto: verify_crypto_object
    jws-jwk: verify_crypto_jwk_variable_name
The following table describes the policy properties:

Table 1. Validate JWT policy properties

| Property label | Property name | Required | Description | Data type |
|---|---|---|---|---|
| Title | title | Yes | The title of the policy. The default value is jwt-validate. | string |
| Description | description | No | A description of the policy. | string |
| JSON Web Token (JWT) | jwt | Yes | Context or runtime variable that contains the JWT to be validated. The default value is request.headers.authorization; if this property is not set, the policy looks for the JWT there. Note: The format of the authorization header must be "Authorization: Bearer jwt-token", where jwt-token is the encoded JWT. | string |
| Output Claims | output-claims | Yes | Runtime variable to which the full set of claims contained in the JWT is assigned. The default value is decoded.claims. | string |
| Issuer Claim | iss-claim | No | The Perl Compatible Regular Expression (PCRE) to use to validate the Issuer (iss) claim. | string |
| Audience Claim | aud-claim | No | The PCRE to use to validate the Audience (aud) claim. | string |
| Decrypt Crypto Object | jwe-crypto | No | The cryptographic object (a shared key or certificate) to use to decode the claim.¹ | string |
| Decrypt Crypto JWK variable name | jwe-jwk | No | Runtime variable that contains the JWK to use to decrypt the JWT.¹ | string |
| Verify Crypto Object | jws-crypto | No | The cryptographic object (a shared key or certificate) to use to verify the signature.² | string |
| Verify Crypto JWK variable name | jws-jwk | No | Runtime variable that contains the JWK to use to verify the signature.² | string |

Example

The following are examples of a jwt-validate policy:
- jwt-validate:
    title: jwt-validate
    jwt: request.headers.authorization
    output-claims: decoded.claims
    iss-claim: "'^data.*'"
    aud-claim: "'^id.*'"
    jwe-crypto: jweCryptoObjectName
    jwe-jwk: jwe.jwk
    jws-crypto: jwsCryptoObjectName
    jws-jwk: jws.jwk

- jwt-validate:
    title: validate_jwt
    jwt: jwt
    output-claims: decoded.claims
    version: 1.0.0
    iss-claim: apic
    jwe-jwk: hs256-enc-key
    jws-jwk: hs256-key
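
The checks this policy performs, as an added illustration that is not the DataPower implementation: the token is taken from the Authorization header in the Bearer format described above, its JWS signature is verified with the JWK held in the runtime variable named by jws-jwk, the iss and aud claims are matched against the configured regular expressions, and the claims are written to the output-claims variable. It models only HS256 with a symmetric (oct) JWK, uses Python's re module in place of PCRE, omits the jwe-* decryption step, and the key, issuer and audience values are constructed.

```python
import base64, hashlib, hmac, json, re

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims, key):
    """Build a constructed HS256 token so the example runs offline (test data only)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_jwt(policy, ctx):
    """Apply a jwt-validate policy (dict of its YAML properties) to a runtime context.
    Returns (True, claims) and stores the claims under output-claims, or (False, reason)."""
    # 1. Locate the token: the header must read "Authorization: Bearer <jwt>".
    raw = ctx.get(policy.get("jwt", "request.headers.authorization"), "")
    m = re.fullmatch(r"Bearer\s+([\w-]+\.[\w-]+\.[\w-]+)", raw)
    if not m:
        return False, "expected 'Bearer <jws-compact-token>'"
    head_b64, body_b64, sig_b64 = m.group(1).split(".")
    # 2. Verify the signature with the JWK named by jws-jwk (symmetric 'oct' key only here).
    jwk = ctx.get(policy.get("jws-jwk", ""), {})
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256" or jwk.get("kty") != "oct":
        return False, "only HS256 with an 'oct' JWK is modelled in this example"
    signed = f"{head_b64}.{body_b64}".encode()
    expect = hmac.new(b64url_decode(jwk["k"]), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, b64url_decode(sig_b64)):
        return False, "signature verification failed"
    claims = json.loads(b64url_decode(body_b64))
    # 3. iss-claim / aud-claim are regular expressions matched against the claims.
    for claim, prop in (("iss", "iss-claim"), ("aud", "aud-claim")):
        pattern, values = policy.get(prop), claims.get(claim, [])
        values = values if isinstance(values, list) else [values]
        if pattern and not any(re.search(pattern, str(v)) for v in values):
            return False, f"{claim} claim does not match {pattern!r}"
    ctx[policy.get("output-claims", "decoded.claims")] = claims
    return True, claims

# Constructed sample data: hypothetical key, JWK, issuer and audience.
SAMPLE_KEY = b"example-shared-secret-32-bytes!!"
SAMPLE_JWK = {"kty": "oct", "k": b64url_encode(SAMPLE_KEY)}
SAMPLE_POLICY = {"jwt": "request.headers.authorization", "output-claims": "decoded.claims",
                 "iss-claim": "^data.*", "aud-claim": "^id.*", "jws-jwk": "jws.jwk"}
def sample_context(iss="datapower-issuer", aud="identity-api", key=SAMPLE_KEY):
    token = make_hs256_jwt({"iss": iss, "aud": aud, "sub": "user-1"}, key)
    return {"request.headers.authorization": f"Bearer {token}", "jws.jwk": SAMPLE_JWK}
```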

For more information about how to use a jwt-validate security policy, see Validate JWT (jwt-validate) in the built-in policies section.

¹ A JWK and a Crypto Object are both valid ways of providing the cryptographic data necessary to decrypt the JWT. However, if both data types are specified, only the Crypto Object is used.
² A JWK and a Crypto Object are both valid ways of providing the cryptographic data necessary to verify the JWT. However, if both data types are specified, only the Crypto Object is used.