Hi all,
I have a JWT token generated from a non-secure authentication URL.
Now I have to verify whether it is valid and extract its expiry time by decoding it.
Guide me on how to do it using a JavaCallout policy vs. the Verify JWT token policy.
Hi @honey P,
You can use the VerifyJWT policy to validate a JWT token.
I tested and validated one JWT token generated on this link - http://jwtbuilder.jamiekurtz.com/
using the HS256 algorithm with the VerifyJWT policy below. Make changes wherever necessary, like the secret key, subject, issuer, aud, etc.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
    <DisplayName>Verify JWT-1</DisplayName>
    <Algorithm>HS256</Algorithm>
    <Source>authn.jwt</Source>
    <SecretKey>
        <Value ref="private.key">qwertyuiopasdfghjklzxcvbnm123456</Value>
    </SecretKey>
    <Subject>jrocket@example.com</Subject>
    <Issuer>Online JWT Builder</Issuer>
    <Audience>www.example.com</Audience>
</VerifyJWT>
The above policy expects the {authn.jwt} variable, which has been extracted using an ExtractVariables policy before the JWT is verified (refer to the attached proxy bundle for the complete code), so pass your JWT token as a header in this format: Authorization: Bearer {jwt}.
Also note, the above policy does not check additional claims; if you wish, you can use more properties mentioned in this documentation - https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy#additionalclaimsclaim
Last but not least, I have attached the proxy bundle that I used to test this; you can refer to it - 68558-v1-rev2-2019-05-09.zip
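As an added, stand-alone illustration of what the policy above checks (example code, not from the answer or from Apigee), here is a Python sketch that performs the same HS256 verification and returns the decoded claims, including exp, so the expiry can be read out. The secret, subject, issuer and audience are copied from the policy; the token itself is constructed inline in place of the online JWT builder.

```python
import base64, hashlib, hmac, json, time

# Values mirror the VerifyJWT policy quoted above; the token is constructed here.
SECRET = b"qwertyuiopasdfghjklzxcvbnm123456"
EXPECTED = {"sub": "jrocket@example.com", "iss": "Online JWT Builder",
            "aud": "www.example.com"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (stand-in for the online JWT builder)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256_jwt(token: str, secret: bytes, now=None) -> dict:
    """Check alg, signature, exp and the sub/iss/aud the policy pins.
    Returns the decoded claims (exp included) or raises ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have three dot-separated segments")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm, as <Algorithm>HS256</Algorithm> does; never trust "alg" alone.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    for name, want in EXPECTED.items():
        got = claims.get(name)
        # "aud" may legitimately be a list of audiences.
        if not (want in got if isinstance(got, list) else got == want):
            raise ValueError(f"claim {name} mismatch")
    return claims
```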
@Kuldeep Bhati : Thank you very much. I have gone through your code and it's working.
Also, I would like to know how to implement it via JavaCallout. I'm looking for a jar file (jwt-signed-edge-callout.jar) that I can use in my JavaCallout policy that has the below 4 properties:
HS256
{token}
{Certificate}
{ClaimIssuer}