
JSON Web Token (JWT) Service

Blog Post created by mtrinath on Dec 26, 2015

Policies that demonstrate the Security Token Service (STS) and SAML capabilities of CA API Gateway are already available. I believe there is no equivalent policy demonstrating its JSON Web Token (JWT) capabilities, and this post is my attempt to fill that gap for the benefit of everyone.

API Gateway already ships all the assertions needed to work with JSON Web Tokens; this policy simply puts some of them together so you can see JWT in action.

What does this service offer?

- generates a JWT either as a Cookie or as an HTTP Authentication Token (useful for cross-domain invocation) against an Internal Identity Provider and a private key on the Gateway

- validates a JWT, i.e. reports whether the token is valid or not, and if it is invalid prompts the client to create one again

The policy consists of three parts:

- while accessing the service, if the client is not authenticated (no Cookie named 'AUTHN' and no 'Authentication' query string found), present a login form

- validate the credentials against an Internal IdP; if they are valid, generate a JWT and store it in the Cookie or return the token in the HTTP Header

- if the client is already authenticated, i.e. a JWT is found in the Cookie or as a token in the query string, validate the token and play its contents back; if it is invalid, allow the client to go back to the login page.

Generating the JSON Web Token

Following claims are set:

iss: The hosting server e.g. https://dnsname:port/

iat: set to current date time in millis

exp: set to iat + offset which is defined in the cluster-wide property jwt.age

jti: set to generated UUID

ip: set to client IP - this will be useful to ensure the token is being used from the same machine/IP which caused it to generate (i.e. token could not have been copied and used from a different machine)

userId: set to the user who has been authenticated

The payload is signed with the default SSL key as shown below (the private key must be one of those listed under Tasks -> Manage Private Keys).

The policy does not additionally encrypt the payload; this can be done too.

Once the token is generated, it is set either in the Cookie or in the Header based on the property jwt.corscompatibility. If this is set to 'required', the token is returned in the header; if set to 'optional', it is set in the Cookie.

Decoding JSON Web Token

- Retrieve the token (signed payload) from the Cookie/query parameter

- Decoding the JWT requires the property jwt.recipientkey to be set. This must be the public key corresponding to the private key with which the JWT was signed, and it must be one of those listed under Tasks -> Manage Certificates. A mismatch between the public and private key results in ${jwt.valid} being set to 'false'.

Validating the JSON Web Token

- Checks whether JWT is signed by a known private key

- Check if the token has expired

- Check that the validation request comes from the same client IP as the request that generated the token
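As an added illustration of the "Generating" and "Validating" sections above (this is example code written for this post's readers, not the attached policy and not CA API Gateway code), the following Python builds a token with the post's claim set, decides between cookie and header delivery, and then runs the three validation checks. Assumptions: the cluster-wide properties jwt.age, jwt.corscompatibility and the iss host are modelled as module constants; the header name used for the 'required' case is hypothetical, since the post does not name one; iat and exp are written in seconds (the RFC 7519 NumericDate form) rather than millis, so they line up with jwt.age being in seconds; and because the Gateway signs with its private key and verifies with the matching certificate, which would need an RSA library, HS256 with a constructed shared secret is substituted so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed stand-ins for the cluster-wide properties named in the post.
JWT_AGE = 300                       # jwt.age, in seconds
CORS_COMPATIBILITY = "optional"     # jwt.corscompatibility: 'required' -> header, 'optional' -> cookie
ISSUER = "https://dnsname:port/"    # iss; placeholder host, not a real endpoint

# The post signs with the Gateway's default SSL private key and verifies with the matching
# certificate (jwt.recipientkey). HS256 with one shared secret is substituted here so the
# example needs no third-party library; the token layout and the checks are otherwise the same.
SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def generate_jwt(user_id, client_ip, key=SIGNING_KEY, now=None):
    """Build a token carrying the claim set the post describes (iat/exp as seconds)."""
    iat = int(time.time() if now is None else now)
    claims = {
        "iss": ISSUER,
        "iat": iat,
        "exp": iat + JWT_AGE,
        "jti": str(uuid.uuid4()),   # unique token id; lets a server-side deny-list revoke one token
        "ip": client_ip,            # binds the token to the address that requested it
        "userId": user_id,
    }
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def deliver_token(token, cors_compatibility=CORS_COMPATIBILITY):
    """Decide where the token travels, following the post's jwt.corscompatibility rule."""
    if cors_compatibility == "required":
        # cross-domain callers read the token from a response header; the post does not
        # name the header, so a hypothetical name is used here
        return {"header": ("X-JWT-Token", token)}
    # same-origin browser flow: the 'AUTHN' cookie from the post, with Secure/HttpOnly/SameSite
    # flags added here as hardening the post does not mention
    return {"cookie": "AUTHN=%s; Secure; HttpOnly; SameSite=Strict" % token}


def validate_jwt(token, client_ip, key=SIGNING_KEY, now=None):
    """Return (valid, reason) after the post's three checks: known signer, expiry, same client IP."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
    except ValueError:
        return False, "malformed"
    # pin the algorithm so a forged header cannot choose the verification method
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, (head_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # a key mismatch is what the post reports as ${jwt.valid} being 'false'
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return False, "malformed"
    now = int(time.time() if now is None else now)
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    if claims.get("ip") != client_ip:
        return False, "ip mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = generate_jwt("alice", "10.0.0.5")
    print(deliver_token(tok))
    print(validate_jwt(tok, "10.0.0.5"))   # (True, 'ok')
    print(validate_jwt(tok, "10.0.0.6"))   # (False, 'ip mismatch')
```

The signature is verified before any claim is trusted, and the algorithm is pinned rather than read from the token, which is the order the Gateway's decode-then-validate flow also implies: a token whose signature does not verify against jwt.recipientkey never reaches the expiry or IP checks.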

Importing the Policy

- Create a folder

- Publish Web API by name JSONWebTokenService with url path /jwt

- Import the policy attached

- ensure the cluster-wide properties jwt.recipientkey, jwt.age (in seconds) and jwt.corscompatibility are set

Testing the Service

- Open a browser, go to https://somednsname:port/jwt, enter credentials and click Sign On

- The token along with the payload is displayed

- Clicking Refresh will re-run the service and if token found valid, displays the information again, if found invalid, sign-on screen is displayed

- Clicking Validate will re-run the service; if the token is found valid it displays the information again (same as Refresh), and if found invalid it displays "Invalid JWT Token" with an option to re-login

Hopefully this service gives a jump start to those who are looking to use JWT for authentication in API Gateway. Happy to take any comments/suggestions and make amendments accordingly.
