Skip to content

Backend JWT Manipulation Policy via CRs

You need to create an APIPolicy with referencing to a BackendJWT resource under override or default sections in APIPolicy.spec. Then you need to create the BackendJWT custom resource with required properties. This policy can be used on both the SYSTEM_API and non system APIs separately. To find more information about backend JWT generation, please refer to the Passing End User Attributes to the Backend.

Step 1 - Create the CRs

Sample code snippet

The following is a code snippet of sample APIPolicy CR.

  apiVersion: dp.wso2.com/v1alpha1
  kind: APIPolicy
  metadata:
    name: backend-jwt-api-policy
  spec:
    default:
      backendJwtPolicy:
        name: backend-jwt
    targetRef:
      group: dp.wso2.com
      kind: API
      name: sample-api-uuid

The following is a code snippet of sample BackendJWT CR.

  apiVersion: dp.wso2.com/v1alpha1
  kind: BackendJWT
  metadata:
    name: backend-jwt
  spec:
    customClaims:
    - claim: claim1
      type: string
      value: value1
    - claim: claim2
      type: string
      value: value2
    encoding: Base64
    header: X-JWT-Assertion
    signingAlgorithm: SHA256withRSA
    tokenTTL: 3600

Configuration definitions

The following are the configurations that you need when attaching API Policies to an API when working with CRs:

  • backendJwtPolicy

    backendJwtPolicy defines the reference for BackendJWT CR in the APIPolicy CR. If this property is not defined in the configuration file, backend jwt token generation won't get executed.

    Configuration Description
    encoding You can use this value to configure token encoding mechanism
    signingAlgorithm You can use this value to configure the signing algorithm for the token
    header You can use this value to configure the header which carries the token in the backend reques
    tokenTTL You can use this value to configure the time to live propery on the jwt token
    customClaims You can use this value to configure the claims that needs to be sent to the backend

Step 2 - Apply the CRs

Apply CRs to the Kubernetes API server using the kubectl.

kubectl apply -f <path-to-crs>
kubectl apply -f developer/tryout/samples/