Layer7 API Management

  • 1.  JWT Implementation

    Posted Jan 08, 2019 05:45 AM

    Hello,

    I need to implement JWT, I think the flow should be like this:

    -- when user logs in successfully ==> CA proxy will generate an ID token, Encode/Encrypt (?) it, send it back to user as a header response.

    Below are a few queries:

    1. I am using Gateway version 9.4. The policy manager has an assertion 'Generate ID token' with description 'Generate an ID token with JSON message'. Also I see 'Generate and Validate an ID token' in CA API Management OAuth Toolkit - 4.2. Which one is to be used and what is the difference?

    2. If while processing the first request, the ID token is created, encoded and sent back to the user, then what is the flow while decoding the token?

    3. When/why to use JSON Web Key?

    Thanks a lot.



  • 2.  Re: JWT Implementation

    Broadcom Employee
    Posted Jan 08, 2019 09:45 AM

    Hi Pramod,

    Are you planning on generating JWTs outside of the standard OAuth/OpenID flows?

    1. The Generate ID Token assertion is used to generate a standard JSON message with specific claims, i.e. audience, subject, authorized party, etc.

    The JWT will need an extra step in using the 'Encode Json Web Token' assertion. This will Base64Url encode the message, resulting in a compact, URL-safe token.

    i.e. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

    2. You would need to decode the JWT, optionally decrypting it first and/or verifying the signature if JWS/JWE were used.

    3. JWK is a JSON data structure representing a key. Think of something like a PEM file in JSON format. These keys can be included in a larger key set, JWKS, and it is used along with JWT signing and encryption to verify a signature or decrypt the payload.

    A few articles that may help and a sample:

    How to sign a payload using Encode JSON web token - CA Knowledge 

    Encode JSON Web Token Assertion - CA API Gateway - 9.4 - CA Technologies Documentation 

    JWT Implementation 
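To make the Generate / Encode / decode steps above concrete, here is an added Python example (not gateway policy and not CA's or Broadcom's code) that builds a compact HS256 JWS from ID-token-style claims JSON, looks the signing key up in a constructed JWK Set, and performs the signature and claim checks a decode step needs before the payload can be trusted. The key material, key id and claim values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # Base64Url without '=' padding, as used by the compact JWS serialization
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed JWK Set holding one symmetric ("oct") key: the JSON analogue of a
# PEM file. The gateway keeps this private; a client only ever sees the token.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "alg": "HS256",
                  "k": b64url(b"constructed-32-byte-secret-key!!")}]}

def lookup_key(kid: str) -> bytes:
    for jwk in JWKS["keys"]:
        if jwk["kid"] == kid and jwk["kty"] == "oct":
            return b64url_decode(jwk["k"])
    raise ValueError(f"unknown kid {kid!r}")

def encode_jwt(claims: dict, kid: str) -> str:
    """'Generate ID Token' (claims JSON) followed by 'Encode JWT' (sign + Base64Url)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    sig = hmac.new(lookup_key(kid), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def decode_jwt(token: str, expected_aud: str, now=None) -> dict:
    """Decode step: verify the JWS signature and the claims before trusting the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = lookup_key(header.get("kid", ""))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```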



  • 3.  Re: JWT Implementation

    Posted Jan 08, 2019 11:14 AM

    Hi Joe,

    "Are you planning on generating JWTs outside of the standard OAuth/OpenID flows?" -- Could you please explain it.



  • 4.  Re: JWT Implementation

    Posted Jan 08, 2019 11:19 AM

    Could you please share the docops url for Generate ID token assertion?



  • 5.  Re: JWT Implementation

    Broadcom Employee
    Posted Jan 08, 2019 11:43 AM

    Oddly, the only reference to this assertion I can find is in older OTK docs:

    Generate ID Token Assertion - CA API Management OAuth Toolkit - 3.1 - CA Technologies Documentation

    Regarding my question, it was more a question about your use case.

    If you are using our OpenID implementation then the OTK policies will generate the ID Token for you.

    For example, if you use the OAuth Authorization Code flow with a scope of openid, this will generate/encode the ID Token for you.

    OAuth Request Scenarios - CA API Management OAuth Toolkit - 4.3 - CA Technologies Documentation

    Regards,

    Joe



  • 6.  Re: JWT Implementation

    Broadcom Employee
    Posted Jan 08, 2019 06:10 PM

    Hello,

    If you're talking about JWT access tokens, they are not available until OTK 4.3.

    And on OTK 4.3, they are disabled by default.

    The document below should provide more details:

    Configure JWT Access Tokens - CA API Management OAuth Toolkit - 4.3 - CA Technologies Documentation

    Regards,

    Mark