Hi,
Does APIGEE X support self-contained JWT tokens with an X5C header containing the token-signing certificate details? (For both generation and validation of the JWT token.)
Can it perform PKI validation? (To ensure that the received token-signing public key is provided by a trusted issuer, as detailed in RFC 5280.)
Please advise.
- Yes, you can generate and verify JWTs that contain the x5c field in the header. But it is not as easy as it might be.
- During generation, you must “manually” specify the x5c header with the right encoded contents.
- During verification, you need to first decode the token via DecodeJWT, extract the x5c field containing the cert, and then call VerifyJWT using that value.
- No, today Apigee does not perform PKI trust validation on the cert specified this way, using the Truststore.
There is an enhancement request in the backlog (internal ref: b/390727569), to make it simpler to do these things (generate, verify, and verify trust).
Connect with your sales team if you want to discuss prioritization of this capability.