About JWT authorization flow design concept...

Question asked by Bravomao on Nov 3, 2018
Latest reply on Nov 6, 2018 by Bravomao


I'm helping a customer to create a REST to SOAP service in a gateway.

In the meantime, the customer asks me to add a JWT mechanism in the policy. I have searched the community and found some useful information.

Here's the flow I'm going to do. Just want to make sure I'm not doing something wrong.


1. Add require authentication to the policy and authenticate the user input.

2. If the user is authenticated, use Generate ID Token assertion to generate a Token.

3. Use Encode JSON Web Token assertion to encode the token and set the result to a variable (${signed}).

4. Return the variable (${signed}) to the client. (I have no idea how to set up the response.)

5. Receive the request from the client and retrieve the variable (${signed}) from the HTTP Authorization header.

6. Use Decode JSON Web Token to validate the variable (${signed}) and set the result to a variable (${verified}).

7. Check the variable (${verified}).

8. If verified.valid is true, pass the request to the backend SOAP server. Otherwise, send an HTTP 401 response to the client.


Is my thought correct?


Best Regards,
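The eight steps above, worked through as an added example that is not part of the original post and not the gateway's Generate ID Token / Encode / Decode JSON Web Token assertions. It is a standard-library Python sketch of the same flow: authenticate, mint an HS256 token with an expiry, hand it back, then on later requests pull it from `Authorization: Bearer`, verify it and either forward or answer 401. The shared secret, the user table and the function names are constructed for the example; a gateway would take the key from its key store and authenticate against its identity provider.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. A real gateway keeps the signing key
# in its key store and authenticates against an identity provider, not a dict.
SECRET = b"constructed-example-secret"
USERS = {"alice": "correct horse battery staple"}
TOKEN_TTL_SECONDS = 300


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(username, password):
    """Step 1: check the caller's credentials with a constant-time comparison."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def encode_jwt(claims, secret):
    """Steps 2-3: serialise header and claims, then sign with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def decode_jwt(token, secret, now=None):
    """Step 6: verify the token; returns {"valid": bool, "claims": dict or None, "reason": str}."""
    now = int(time.time()) if now is None else now

    def invalid(reason):
        return {"valid": False, "claims": None, "reason": reason}

    parts = token.split(".")
    if len(parts) != 3:
        return invalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return invalid("undecodable token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return invalid("undecodable token")
    # Pin the algorithm: the verifier decides what is acceptable, never the token's own header.
    if header.get("alg") != "HS256":
        return invalid("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return invalid("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return invalid("expired or missing exp")
    return {"valid": True, "claims": claims, "reason": ""}


def issue_token(username, password, now=None):
    """Steps 1-4: authenticate, then answer with the signed token (200) or a 401."""
    if not authenticate(username, password):
        return 401, {"error": "invalid credentials"}
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    return 200, {"access_token": encode_jwt(claims, SECRET), "token_type": "Bearer"}


def handle_request(headers, now=None):
    """Steps 5-8: read Authorization: Bearer <token>, verify it, forward or reply 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, "missing or malformed Authorization header"
    verified = decode_jwt(token, SECRET, now)
    if not verified["valid"]:
        return 401, verified["reason"]
    # A gateway would route to the SOAP backend here; the string stands in for that.
    return 200, "forwarded to SOAP backend for " + verified["claims"]["sub"]


if __name__ == "__main__":
    status, body = issue_token("alice", "correct horse battery staple")
    print(status, body)
    print(handle_request({"Authorization": "Bearer " + body["access_token"]}))
    print(handle_request({}))
```

Two points the sketch makes explicit that the step list leaves implicit: step 4 is simply a token endpoint whose response body carries the signed value (here as JSON), and step 6 must do more than check the signature, namely pin the expected algorithm, compare the MAC in constant time, and reject tokens without a valid `exp`, so the 401 in step 8 also fires for stale tokens.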