Especially in multi-cloud environments it can be useful to have the option of verifying tokens from different JWT providers in a single API - for example an API that consumers on both Google Cloud and Microsoft Azure can call with their native JWT tokens, issued by Google Cloud IAM and Azure AD respectively.
We can support this in an Apigee proxy by first decoding the JWT Bearer token sent in the Authorization header, and then using a condition on the issuer claim: if it is set to "https://accounts.google.com", execute a JWT verification policy for Google tokens; otherwise execute a separate JWT verification policy (for example one that validates Azure AD tokens).
This way both types of clients, native Google as well as Azure, can call the API with their native tokens and be authenticated to consume it. This is of course just one way of solving the problem - another would be to standardize on Apigee-issued JWT tokens as the unified way of accessing APIs, so that services obtain their tokens from a single /token endpoint on Apigee rather than from their native cloud provider. The nice thing about the proxy approach is that we can support all or some of these options with conditional policies in our proxies, with very little effort.
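The decode-then-branch flow described above, written out as Apigee policy XML. This is an added illustration, not the configuration from the demo proxy linked below: the policy names, the audience value and the Azure AD tenant id are placeholders, and the two JWKS URIs are the standard published key endpoints of each provider.

```xml
<!-- Step 1: decode the Bearer token WITHOUT verifying it, only to read the issuer.
     Apigee strips the "Bearer " prefix when the source is the Authorization header.
     Nothing read here is trusted yet; it is used purely to pick a verifier. -->
<DecodeJWT name="DecodeJWT-Bearer">
  <Source>request.header.authorization</Source>
</DecodeJWT>

<!-- Step 2a: verify Google-issued tokens against Google's signing keys.
     <Issuer> is pinned so a token that merely claims the Google issuer
     must also carry a valid Google signature to pass. -->
<VerifyJWT name="VerifyJWT-Google">
  <Algorithm>RS256</Algorithm>
  <Source>request.header.authorization</Source>
  <PublicKey>
    <JWKS uri="https://www.googleapis.com/oauth2/v3/certs"/>
  </PublicKey>
  <Issuer>https://accounts.google.com</Issuer>
  <Audience>PLACEHOLDER-API-AUDIENCE</Audience>
</VerifyJWT>

<!-- Step 2b: verify Azure AD tokens against the tenant's signing keys.
     TENANT-ID-PLACEHOLDER must be replaced with the real tenant id so that
     the "not Google" branch accepts exactly one other issuer, not any issuer. -->
<VerifyJWT name="VerifyJWT-AzureAD">
  <Algorithm>RS256</Algorithm>
  <Source>request.header.authorization</Source>
  <PublicKey>
    <JWKS uri="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys"/>
  </PublicKey>
  <Issuer>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0</Issuer>
  <Audience>PLACEHOLDER-API-AUDIENCE</Audience>
</VerifyJWT>

<!-- Step 3: the proxy endpoint PreFlow wires the three policies together.
     The condition reads the issuer variable populated by DecodeJWT-Bearer. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>DecodeJWT-Bearer</Name>
    </Step>
    <Step>
      <Name>VerifyJWT-Google</Name>
      <Condition>jwt.DecodeJWT-Bearer.claim.issuer = "https://accounts.google.com"</Condition>
    </Step>
    <Step>
      <Name>VerifyJWT-AzureAD</Name>
      <Condition>jwt.DecodeJWT-Bearer.claim.issuer != "https://accounts.google.com"</Condition>
    </Step>
  </Request>
</PreFlow>
```

The point worth checking in any variant of this pattern is that the issuer read by DecodeJWT is unverified input: it may only select which VerifyJWT policy runs, never stand in for verification. Because each VerifyJWT pins its own `<Issuer>`, `<Audience>` and key set, a token that lies about its issuer is routed to a verifier whose keys and pinned issuer it cannot satisfy, and the request fails with the policy's default error. If a request has no Bearer token at all, DecodeJWT raises a fault before either condition is evaluated, so an absent token is also rejected rather than silently skipping both verifiers.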
Here’s the link to a demo proxy for Google and Azure AD tokens: https://github.com/tyayers/apigee-gcp-azure-auth-example.
