Backend JWT Manipulation Policy via CRs¶
You need to create an APIPolicy
with referencing to a BackendJWT
resource under override
or default
sections in APIPolicy.spec
. Then you need to create the BackendJWT
custom resource with required properties. This policy can be used on both the SYSTEM_API
and non system APIs separately. To find more information about backend JWT generation, please refer to the Passing End User Attributes to the Backend.
Step 1 - Create the CRs¶
Sample code snippet¶
The following is a code snippet of sample APIPolicy
CR.
apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
name: backend-jwt-api-policy
spec:
default:
backendJwtPolicy:
name: backend-jwt
targetRef:
group: dp.wso2.com
kind: API
name: sample-api-uuid
The following is a code snippet of sample BackendJWT
CR.
apiVersion: dp.wso2.com/v1alpha1
kind: BackendJWT
metadata:
name: backend-jwt
spec:
customClaims:
- claim: claim1
type: string
value: value1
- claim: claim2
type: string
value: value2
encoding: Base64
header: X-JWT-Assertion
signingAlgorithm: SHA256withRSA
tokenTTL: 3600
Configuration definitions¶
The following are the configurations that you need when attaching API Policies to an API when working with CRs:
-
backendJwtPolicy
backendJwtPolicy
defines the reference forBackendJWT
CR in theAPIPolicy
CR. If this property is not defined in the configuration file, backend jwt token generation won't get executed.Configuration Description encoding
You can use this value to configure token encoding mechanism signingAlgorithm
You can use this value to configure the signing algorithm for the token header
You can use this value to configure the header which carries the token in the backend reques tokenTTL
You can use this value to configure the time to live propery on the jwt token customClaims
You can use this value to configure the claims that needs to be sent to the backend
Step 2 - Apply the CRs¶
Apply CRs to the Kubernetes API server using the kubectl.
kubectl apply -f <path-to-crs>
kubectl apply -f developer/tryout/samples/