Want to do both OAuth security in Apigee and normal API validation using the proxy API provided by Apigee

Hi all,

Want to do both OAuth security validation and API validation (which I have done in my code using a JWT token).

  • I am able to do OAuth security validation for the public access service.
  • Now I am trying to do both OAuth validation and API validation (done using JWT). In this case I want to send two tokens (the access token and the JWT token) while hitting Apigee. Need help to implement this.

Can I set the access token in a different key / in the body, so that I can set my JWT token in the Authorization header? That way it won't affect my normal JWT validation.

Hi,

By default, the OAuthV2 policy expects the access token to be present in the Authorization HTTP request header.

You can change this behavior by setting the correct location of your access token in the AccessToken element of the OAuth policy configuration XML, something like below:

<OAuthV2 async="false"
         continueOnError="false" enabled="true" name="VerifyAccessToken">
  <DisplayName>VerifyAccessToken</DisplayName>
  <AccessToken>request.queryparam.access_token</AccessToken>
  <Operation>VerifyAccessToken</Operation>
  <Tokens/> 
</OAuthV2>

Yes.

A similar thing is possible with the VerifyJWT policy: there is the Source element, which allows you to specify an alternate place to look for the inbound JWT.

<VerifyJWT name='verify-01'>
  <Algorithm>RS256</Algorithm>
  <Source>request.header.MyToken</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <Value ref='public_key'/>
  </PublicKey>
</VerifyJWT>

If you pass the JWT in the Authorization header, the Bearer prefix is optional: VerifyJWT will work with or without the prefix. If you pass the JWT in any other header, there must be no prefix at all; the value of the header should be just the JWT itself.
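As an added example (not from the answers above or from Apigee's own code), the following Python models how the two policy settings discussed here, the AccessToken location and the VerifyJWT Source, resolve against a single request that carries both tokens, including the Bearer-prefix rule just described. The flow-variable parsing, the request dict and the token values are constructed for illustration.

```python
# Added example: emulates how an OAuthV2 <AccessToken> reference and a
# VerifyJWT <Source> reference each pick their token out of one request.
# Variable names follow Apigee's request.header.<Name> / request.queryparam.<name>
# convention; the request dict and tokens below are constructed sample data.
from typing import Optional, Tuple


def resolve_variable(request: dict, variable: str) -> Optional[str]:
    """Look up a request.header.* (case-insensitive) or request.queryparam.*
    flow-variable reference. Returns None when the value is absent."""
    parts = variable.split(".", 2)
    if len(parts) != 3 or parts[0] != "request":
        raise ValueError(f"unsupported variable reference: {variable}")
    scope, name = parts[1], parts[2]
    if scope == "header":
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(name.lower())
    if scope == "queryparam":
        return request.get("query", {}).get(name)
    raise ValueError(f"unsupported scope: {scope}")


def jwt_from_source(request: dict, source: str) -> Optional[str]:
    """Extract the inbound JWT per the rule described above: a 'Bearer ' prefix
    is tolerated only when Source is the Authorization header; any other
    header must carry the bare JWT. Returns None when no usable JWT is found."""
    value = resolve_variable(request, source)
    if value is None:
        return None
    value = value.strip()
    if source.lower() == "request.header.authorization" and value.lower().startswith("bearer "):
        value = value[len("bearer "):].strip()
    # A compact JWT is three dot-separated segments with no whitespace;
    # a leftover prefix in a custom header therefore fails here.
    if value.count(".") != 2 or " " in value:
        return None
    return value


def split_tokens(request: dict, access_token_var: str, jwt_source: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (oauth_access_token, jwt) as the two policies would each see them."""
    return resolve_variable(request, access_token_var), jwt_from_source(request, jwt_source)


# Constructed request: opaque OAuth token in the query string, JWT in Authorization.
SAMPLE_REQUEST = {
    "query": {"access_token": "opaque-access-token-EXAMPLE"},
    "headers": {"Authorization": "Bearer aaaa.bbbb.cccc"},
}
```

With the two references pointed at different locations, neither policy consumes the other's token, which is the separation the question asks for.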