Layer7 API Management

  • 1.  OTK - JWT as the access token possible?

    Posted Sep 07, 2017 02:02 PM

    We are working on possibly implementing OAuth for apps. One of the big sets of applications requested that the OAuth access_token itself be a signed JWT with claims such as Groups, Phone Number, etc (similar to how ADFS does it).

     

    What the apps want to do is be able to independently verify the access_token and get the information they need without going back to the OAuth Provider introspection endpoint. Just verify the issuer/aud/signature/time etc to say whether it's good or not. 

     

    However, looking at the OTK it essentially sends an access_token that is only able to be validated by the API Gateway itself. So they have to either be front-ended by the API Gateway itself (which they don't want) or send a request to the tokeninfo endpoint to get details on it. 

     

    Is that possible with the OTK? Any documentation on how to do so if it is or something we'd have to fully customize?



  • 2.  Re: OTK - JWT as the access token possible?
    Best Answer

    Posted Oct 06, 2017 06:29 PM

    Hi!

    This is a question we often receive. The good news: it is on our backlog and OTK will support JWT access_token in the future. For the current version (OTK-4.1) it is not supported out of the box and has to be implemented by yourself.

To get started you could try changing OTK to issue JWT-based tokens but not validate them, since you are not planning on doing that anyway.

Open /auth/oauth/v2/token and look for the "Return Template Response to Requestor" assertion around line 114. It is the one sending the response back to the client.

One line earlier, add an "All assertions ... " assertion and implement your logic to create a JWT. Now, use a regular expression assertion to replace "access_token":"somevalue" with "access_token":"your-jwt"; do that on the variable "clientResponse". Play around with this and you will issue JWT-based access_tokens. This is certainly not a perfect or maintainable approach in the long run, but it should enable you to experience the behaviour.

    Once OTK supports this out of the box you will be able to get this going easily.
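The two halves of this thread, the gateway issuing a signed JWT and splicing it into the token response body, and an app validating issuer, audience, signature and time locally instead of calling the tokeninfo endpoint, are shown end to end below. This is an added example and not OTK code or a Layer7 policy; it uses an HS256 shared key from the standard library so it runs offline, whereas a gateway issuing tokens to many apps would sign with an asymmetric key and publish the public key. The key, issuer, audience, claim values and the response body are all constructed.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed demo values (not from OTK): a shared HMAC key stands in for the
# gateway's signing key so the example runs with the standard library only.
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_ISSUER = "https://gateway.example/auth/oauth/v2"   # assumed issuer value
DEMO_AUDIENCE = "https://api.example/orders"             # assumed web API (aud)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS over the claims (the gateway side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None):
    """Local validation an app can do without the tokeninfo endpoint.

    Returns (claims, "ok") or (None, reason). The signature is checked before
    any claim is trusted, and alg comes from an allow-list, not from the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:
        return None, "malformed token"
    if header.get("alg") != "HS256":          # rejects "none" and algorithm swaps
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if "exp" not in claims or now >= claims["exp"]:   # a token without exp is rejected
        return None, "expired"
    if now < claims.get("nbf", 0):
        return None, "not yet valid"
    return claims, "ok"


def replace_access_token(client_response: str, jwt: str) -> str:
    """Mimic the regex step from the answer: swap the opaque access_token value
    in the JSON response body (the clientResponse variable) for the JWT."""
    return re.sub(r'"access_token"\s*:\s*"[^"]*"',
                  '"access_token":"' + jwt + '"', client_response, count=1)


def demo():
    """Issue a token, splice it into a constructed token response, verify it."""
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "alice",
              "groups": ["staff", "orders-read"], "phone_number": "+1-555-0100",
              "iat": 1700000000, "exp": 1700003600}
    token = issue_jwt(claims, DEMO_KEY)
    # Constructed stand-in for the body OTK puts in clientResponse.
    client_response = ('{"access_token":"opaque-gateway-token",'
                       '"token_type":"Bearer","expires_in":3600}')
    new_body = replace_access_token(client_response, token)
    issued = json.loads(new_body)["access_token"]
    verdict = verify_jwt(issued, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1700000100)
    return token, new_body, verdict


if __name__ == "__main__":
    tok, body, (claims, reason) = demo()
    print(body)
    print(reason, claims and claims["groups"])
```

The verifier checks the signature first and only then reads claims, pins the algorithm, and treats a missing exp as a failure; those are the checks the app teams in the question would own once they stop calling back to the gateway, and each failure path is reported separately so a rejected token can be logged with a reason.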



  • 3.  Re: OTK - JWT as the access token possible?

    Posted Oct 09, 2017 10:34 AM

    Awesome, thanks for the update on that. Will give that a try to test with; we'd want to wait for it to be in the official release for implementing for apps of course.

     

Having the individually verifiable JWT will give us additional integration options for the myriad of different requirements app teams can come up with.



  • 4.  Re: OTK - JWT as the access token possible?

    Posted Apr 25, 2018 07:27 AM

    Just wanted to check if this feature is supported now in OTK 4.2?



  • 5.  Re: OTK - JWT as the access token possible?

    Posted Apr 25, 2018 12:03 PM

    It will be available in the next OTK. I cannot promise dates, but it won't be too long now.



  • 6.  Re: OTK - JWT as the access token possible?

    Posted Apr 26, 2018 10:45 AM

    Wooo good to know it's getting close. Are there any use case details that could be provided?

     

E.g., will we be able to fully modify the claims contained within the access token so we can customize it, for example by adding the user's email and groups? And will the audience be available on it, and if so how is it populated (since the aud of an access_token would be the web API, not the client itself)?

     

    If you want a use case comparison, what apps have largely asked for from us is similar to the ADFS 4.0 setup (JWT with Web API as aud claim, on behalf of, etc).



  • 7.  Re: OTK - JWT as the access token possible?

    Posted Apr 30, 2018 07:14 PM

    Yes, wooo, it is about time :-)

Yes, audience can be set to the web API. But, of course, only if you know which API it is going to be used at. I will check out the ADFS 4.0 setup. Thanks!