Skip to content
This repository has been archived by the owner on Aug 10, 2022. It is now read-only.

Latest commit

 

History

History
executable file
·
164 lines (92 loc) · 6.96 KB

Readme.md

File metadata and controls

executable file
·
164 lines (92 loc) · 6.96 KB

API Security : JWT

Duration : 15 mins

Persona : API Team/Security

Use Case

You have an API that is consumed by third parties. You want to secure that API using JSON Web Tokens aka JWTs.

How can Apigee Edge help?

Both JWS (JSON Web Signature) and JWT (JSON Web Token) are commonly used ways to share claims or assertions between connected applications in a secure fashion. Apigee Edge provides support for JWS and JWT via out-of-the-box policies. The JWS/JWT policies enables Edge API proxies to:

  • Generate a signed JWT or JWS
  • Verify a signed JWT or JWS and claims within the JWS/JWT
  • Decode a signed JWT or JWS without validating the signature

For more information on JWS and JWT support in Apigee visit the documentation page here: https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview

Prerequisites

  • Have completed Module-2b Lab 3.

Instructions

  1. Go to https://apigee.com/edge and log in. This is the Edge management UI.

  2. Select EnvironmentsKey Value Maps in the side navigation menu:

image alt text

  1. Ensure the environment configuration is set to test, and click the +Key value map button in the upper right corner of the screen:

image alt text

  1. Enter "jwt-secret-key" (must be this name exactly) as the Name in the text box and click Add:

image alt text

  1. Now that the key value map is created, we need to add a Shared Secret. Click to select the key value map:

image alt text

  1. Click the + button to add a key value pair to the map:

image alt text

  1. Enter the key name as "secret" and the value as "Apigee123", and then click Add:

image alt text

  • This shared secret will be used to both generate and verify JWT tokens using the HS256 algorithm.
  1. Select DevelopAPI Proxies from the side navigation menu:

image alt text

  1. Click the +Proxy button on the top-right corner to invoke the Create Proxy wizard.

image alt text

  1. Click on Upload Proxy bundle to import an existing proxy form a zip archive:

image alt text

  1. Download the Apigee proxy "JWT.zip" that generates and verifies JWTs from here. Then choose Click or Drag, and select the file you just downloaded “JWT.zip". Then click Next:

image alt text

  1. Click Create:

image alt text

  1. Click on Edit Proxy at the bottom of the page:

image alt text

  1. Deploy the JWT proxy by clicking on the Deployment dropdown and selecting the test environment.

image alt text

  1. Click on the Develop tab:

image alt text

  1. You can see that the JWT proxy has two endpoints defined as conditional flows:
  • Generate JWT (/token) to generate a JWT
  • Verify JWT (/verify) to verify a JWT

Check both flows and read the JWT policies to get a deeper understanding of how they work (reference links available at the end of the lab). Then click the Trace tab:

image alt text

  1. Use the Start Trace Session button to turn on tracing for the JWT proxy:

image alt text

  1. Next, send a request to the /token endpoint to generate a valid JWT. You can send this request either using a REST client like the one here, or by using the curl command from a terminal. The HTTP request to send is:
POST /v1/jwt/token HTTP/1.1
Host: {{org-name}}-{{env}}.apigee.net
Content-Length: 0
  • Replace {{org-name}} with your actual Apigee org name, and {{env}} with the deployment environment for your proxy (eg. test)

Here is an example curl command (you will need to replace values as described above):

curl -X POST -H "Content-Length: 0" https://{{org-name}}-{{env}}.apigee.net/v1/jwt/token

image alt text

  • You should see a token received in HTTP response. Copy the token value (without the surrounding quotes) and review the Trace tool to understand what happened.
  1. Go to http://jwt.io. Type the shared secret you configured earlier (e.g. Apigee123 unless you changed it) in the Verify Signature box. Then paste the token in the Encoded field (ensure the algorithm is HS256):

image alt text

  1. Now verify the token using the /verify proxy endpoint in Apigee. Use the same REST tool or curl to do so. The HTTP request is:
POST /v1/jwt/verify HTTP/1.1
Host: {{org-name}}-{{env}}.apigee.net
Content-Length: 0
token: {{token}}
  • Replace {{org-name}} with your actual Apigee org name, and {{env}} with the deployment environment for your proxy (eg. test)

  • Replace {{token}} with the value of the JWT

Here is an example curl command (you will need to replace values as described above):

curl -X POST -I -H "Content-Length: 0" -H "token: {{token}}" https://{{org-name}}-{{env}}.apigee.net/v1/jwt/verify

image alt text

  • If you get a 200 response code, the JWT is valid (as expected). Again, review the Trace tool to understand what happened.

Earn Extra Points

Change the JWT token generation policy to include additional claims (iss, aud, sub, extra claims) in it, to see how the behavior changes.

You can also try to tamper with the resultig JWT (add/remove characters) and invoke the same /verify API call again. What happens?

Summary

In this lab, you learned how to use Apigee's out of the box JWT policies to both generate and verify a JWT. Now you can use these policies to actually secure an API using JWT security. To do so, you would first want to authenticate a user against their IdP (which also contains "claims" about that user/principal) before calling GenerateJWT and issuing the JWT with claims back to that user (for simplicity, we skipped the user authentication step in this lab and hard coded the claims). The API that is protected would invoke VerifyJWT (either directly or via an Apigee endpoint) to verify the JWT and read/verify its claims.

References

You may now proceed to Lab 5.