Layer7 API Management

  • 1.  How to implement JWT? what is the flow starting from receiving request from consuming application?

    Posted Mar 06, 2018 10:39 PM

    I know there are plenty of explanations already regarding JWT implementation and I've gone through a few as well, but I'm getting more confused trying to correlate those encode/decode assertions with the grant type provided in OTK. I simply need to give the JWT back to the consuming application once I receive the base64-encoded private key in the request. Can someone please explain where to start? I already have OTK installed; also, if someone can explain what parameters the client needs to provide.



  • 2.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Broadcom Employee
    Posted Mar 07, 2018 09:46 AM

    Hello,

    Can you provide some more detail on your requirements? Are you simply looking to encode a JWT and send it back to the client? Or looking to include an ID token as part of the OAuth response? I.e.: generate an ID Token as part of the auth code flow or something of that nature.

    Regards,

    Joe



  • 3.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Posted Mar 08, 2018 03:13 AM

    Hi Joe,

    We will be getting a private key in the request from the client application, based on which we need to generate a JWT token for authorization purposes, and afterwards, based on validation of the JWT, we need to return the access token which is generated with the JWT grant type. Probably I might have misunderstood something here; if you can give some insights/steps which we need to start with.



  • 4.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Posted Mar 08, 2018 09:34 AM

    Hi Joe,

    We were able to implement the flow partially, which goes like below:

    Client request consists of:

    grant_type (urn:ietf:params:oauth:grant-type:jwt-bearer), assertion and scope,
    where the assertion holds the parameters below:

    [Algorithm,

    claim: iss, aud, exp, iat]

    {only the above-mentioned properties will be provided in the request by the client}

    After getting this request we're decoding it and making a request for token generation to /auth/oauth/v2/token with the parameters below:

    Header: Authorization: Basic base64(client_id:client_secret)

    Body:

    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz.......&scope=scope

    We've tried giving client_id and secret within the body as well, but we're getting the error below:

    { "error":"login_required", "error_description":"The resource owner could not be authenticated due to missing or invalid credentials" }

    Could you please tell what might be missing here?

    Thanks!



  • 5.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Broadcom Employee
    Posted Mar 08, 2018 11:35 AM

    Thank you for clarifying. So in your 2nd post the issue seems to be with the id token being presented as part of the request.

    Was this token generated from the Gateway? Only an id_token (JWT) that was issued by the OAuth server will be accepted here. This grant type assumes you are in possession of an id token generated by the OTK; otherwise it cannot be used to validate the resource owner, which results in the message you provided.

    Regards,

    Joe



  • 6.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Broadcom Employee
    Posted Mar 08, 2018 12:06 PM

    The default configuration of OTK is that the urn:ietf:params:oauth:grant-type:jwt-bearer grant type checks if the iss claim in the JWT is equal to the iss set as part of the OTK configuration and, if so, uses the client_secret to decode the JWT and verify the signature.

    To use JWT id_tokens that are not generated on the gateway you need to add logic in the "OTK id_token Validation - CUSTOM ISS" policy to validate the id_token.

    Another option is to define a custom grant type to be used for accepting JWT and validation of a non-id_token JWT that was not issued by the gateway.



  • 7.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Posted Mar 08, 2018 12:48 PM

    HI All,

    Thanks for your answers. To be more precise about the question Jay asked: our requirement is that currently we are migrating to the CA gateway from another gateway. The logic implemented was such that a mobile app sends the following details to the gateway: grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=&scope=. The gateway responds with the token. Now, can the same be implemented in the CA API gateway with the above params? If so, is there any process detailed for it?



  • 8.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?
    Best Answer

    Broadcom Employee
    Posted Mar 08, 2018 02:00 PM

    Yes, it can be done by implementing custom grant type logic. The out-of-the-box OTK logic for urn:ietf:params:oauth:grant-type:jwt-bearer will always fail if the id_token is not generated by the gateway, as the id_token validation fails to find the token in the token store.

    To allow a third-party JWT to be used to issue new access tokens you would treat this as a custom grant type and add logic to validate the JWT. Even after the default JWT validation fails, the policy continues verification against other grant types and eventually fails if none are successful.

    You can follow the process here: Support Custom Grant Types - CA API Management OAuth Toolkit - 4.2 - CA Technologies Documentation

    You can add your own custom grant type that the client would specify, or if you define your custom grant type to use the same urn:ietf:params:oauth:grant-type:jwt-bearer grant type, the custom logic will be executed if the OOB logic does not work.

    Barry
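    As an added illustration (not part of this thread and not OTK's own policy code), the following Python models both halves of what the posts above describe: the client-side assertion and token-request body from post 4, and the gateway-side check from posts 6 and 8 (iss must match the configured iss, then the signature is verified with client_secret, plus aud/exp/iat checks a custom grant type would add). It assumes HS256 as post 6 describes, whereas the assertion pasted in post 4 is RS-signed and would need the issuer's public key instead; the iss, aud and secret values are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

CONFIGURED_ISS = "https://issuer.example/otk"   # constructed stand-in for the OTK-configured iss
TOKEN_AUD = "https://gateway.example/auth/oauth/v2/token"  # constructed stand-in
CLIENT_SECRET = b"example-client-secret"        # constructed stand-in, not a real secret
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_assertion(iss, aud, secret, lifetime=300, now=None):
    """Client side: HS256 assertion carrying the claims named in the thread (iss, aud, exp, iat)."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": iss, "aud": aud, "iat": now, "exp": now + lifetime}
    signing_input = "%s.%s" % (_b64url(json.dumps(header, separators=(",", ":")).encode()),
                               _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def token_request_body(assertion, scope):
    """Form body of the POST to /auth/oauth/v2/token (client_id:client_secret go in Basic auth)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def validate_assertion(token, expected_iss, expected_aud, secret, now=None):
    """Gateway side: iss must equal the configured iss, then HMAC with client_secret; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:                      # bad base64, bad JSON or wrong segment count
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin alg; never let the token choose it
        return False, "unsupported alg"
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss:  # OTK's first check
        return False, "iss mismatch"
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "aud mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:  # small skew allowance
        return False, "iat in future"
    return True, "ok"
```

    A JWT whose iss does not match is rejected before the secret is ever tried, which is exactly why a third-party JWT fails the OOB check and needs the custom grant type logic Barry describes.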



  • 9.  Re: How to implement JWT? what is the flow starting from receiving request from consuming application?

    Broadcom Employee
    Posted Mar 08, 2018 11:44 AM

    I should also mention, to generate an id token from the server you can use the authorization code or implicit grants (and hybrid, depending on the OTK version).

    I.e.: for authorization code, follow the same steps but include a scope of openid to generate the id token.

    Implicit requires a response_type of token id_token.

    Regards,

    Joe