Backend JWT Manipulation Policy via APK Conf¶
Step 1 - Get the API configuration¶
Save the following content into a file named TestBackendJWT.apk-conf
. You can use this apk-conf file for the rest of this guide.
name: "test-backend-jwt"
basePath: "/backend-jwt"
version: "1.0"
type: "REST"
defaultVersion: false
endpointConfigurations:
production:
endpoint: "https://httpbin.org/anything"
operations:
- target: "/test"
verb: "GET"
secured: true
scopes: []
Step 2 - Add the API Policy for Backend JWT¶
A sample API Policy used for sending a JWT to the backend is given below.
apiPolicies:
request:
- policyName: "BackendJwt"
parameters:
encoding: Base64
signingAlgorithm: SHA256withRSA
header: X-JWT-Assertion
tokenTTL: 3600
customClaims:
- claim: claim1
value: value1
- claim: claim2
value: value2
The configurations that you need when attaching API Policies for Backend JWT manipulation are available in Backend JWT Configurations section.
The above policy will send the following claims to the backend under the header "X-JWT-Assertion".
{
claim1: value1
claim2: value2
}
The sample APK configuration content after the modification is shown below.
name: "test-backend-jwt"
basePath: "/backend-jwt"
version: "1.0"
type: "REST"
defaultVersion: false
endpointConfigurations:
production:
endpoint: "https://httpbin.org/anything"
operations:
- target: "/test"
verb: "GET"
secured: true
scopes: []
apiPolicies:
request:
- policyName: "BackendJwt"
parameters:
encoding: Base64
signingAlgorithm: SHA256withRSA
header: X-JWT-Assertion
tokenTTL: 3600
customClaims:
- claim: claim1
value: value1
- claim: claim2
value: value2
Step 3 - Deploy the API in APK¶
Refer to the Deploy the API to deploy the API using APK configuration.
Step 4 - Generate an Acess Token¶
Follow the Generate Access Token documentation to generate an access token.
Step 5 - Invoke the API¶
You can invoke the API using the following command.
curl --location 'https://default.gw.wso2.com:9095/backend-jwt/1.0/test' \
--header 'Host: default.gw.wso2.com' \
--header 'Authorization: Bearer <accessToken>
Since this guide uses the httpbin service which echoes the request and all of its headers,you will see a response similar to the following when you invoke the API. The header "X-Jwt-Assertion" contains the generated JWT containing the claims.
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip, deflate, br",
"Host": "httpbin.org",
"X-Jwt-Assertion": "eyJraWQiOiI4.....9UcOovptvkajf6xUqUbIJfMQp9g"
}
Backend JWT API Policy configuration¶
The configurable fields of the above API policy have been described below.
Field | Description |
---|---|
encoding | The encoding mechanism used to encode the Backend JWT. |
signingAlgorithm | The signing algorithm used to sign the Backend JWT. |
header | The name of the HTTP header to which the Backend JWT is attached and sent to the backend. |
tokenTTL | The expiry time of the Backend JWT. |
customClaims | List of custom claims that needs to be added to the Backend JWT. |
claim | Name of the claim to send in the BackendJWT. |
value | Value of the claim to send in the BackendJWT. |