Backend JWT Manipulation Policy via CRs¶
You need to create an APIPolicy with referencing to a BackendJWT resource under override or default sections in APIPolicy.spec. Then you need to create the BackendJWT custom resource with required properties. This policy can be used on both the SYSTEM_API and non system APIs separately. To find more information about backend JWT generation, please refer to the Passing End User Attributes to the Backend.
Step 1 - Create the CRs¶
Sample code snippet¶
The following is a code snippet of sample APIPolicy CR.
apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
name: backend-jwt-api-policy
spec:
default:
backendJwtPolicy:
name: backend-jwt
targetRef:
group: dp.wso2.com
kind: API
name: sample-api-uuid
The following is a code snippet of sample BackendJWT CR.
apiVersion: dp.wso2.com/v1alpha1
kind: BackendJWT
metadata:
name: backend-jwt
spec:
customClaims:
- claim: claim1
type: string
value: value1
- claim: claim2
type: string
value: value2
encoding: Base64
header: X-JWT-Assertion
signingAlgorithm: SHA256withRSA
tokenTTL: 3600
Configuration definitions¶
The following are the configurations that you need when attaching API Policies to an API when working with CRs:
-
backendJwtPolicybackendJwtPolicydefines the reference forBackendJWTCR in theAPIPolicyCR. If this property is not defined in the configuration file, backend jwt token generation won't get executed.Configuration Description encodingYou can use this value to configure token encoding mechanism signingAlgorithmYou can use this value to configure the signing algorithm for the token headerYou can use this value to configure the header which carries the token in the backend reques tokenTTLYou can use this value to configure the time to live propery on the jwt token customClaimsYou can use this value to configure the claims that needs to be sent to the backend
Step 2 - Apply the CRs¶
Apply CRs to the Kubernetes API server using the kubectl.
kubectl apply -f <path-to-crs>
kubectl apply -f developer/tryout/samples/