Design and Implementation
Important Points about Policy Structure
Refer to the API Policy Important Points about Policy Structure.
Claims Verification Policy Parameters
- Name: This field contains the policy name. In case of JWT claims verification policy, it is always "JWTClaimsVerificationPolicy".
- TokenExpiryOverride: This field defines time which overrides JWT expiry time.
- Iss: This field defines Issuer of the JWT.
- Aud: This field defines recipient for which the JWT is intended.
- NonStandardClaims: This field defines non standard claims to be match with JWT claims.
JWT Standard Claims
- iss (issuer): Issuer of the JWT
- sub (subject): Subject of the JWT (the user)
- aud (audience): Recipient for which the JWT is intended
- exp (expiration time): Time after which the JWT expires
- nbf (not before time): Time before which the JWT must not be accepted for processing
- iat (issued at time): Time at which the JWT was issued; can be used to determine age of the JWT
- jti (JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)
Error Messages
This section lists error messages that are specific to JWT Claims Validation Policy. For a complete list of error messages, refer to the
API Policy Connector Error Messages.
| Error Name | HTTP Status Code | Cause |
|---|---|---|
| InvalidJWTClaimsPolicyArgumentTokenExpiryOverride | 403 | Token Expiry Override is not correct. |
| JWTClaimsPolicyArgumentTokenExpiryOverrideNotSpecified | 403 | Token Expiry Overrideis not specified. |
| InvalidJWTClaimsPolicyArgumentNonStandarnClaims | 403 | Defined Non Standard Claims are not correct. |
| JWTClaimsPolicyArgumentNonStandarnClaimsNotSpecified | 403 | Non Standard Claims are not specified. |
| InvalidJWTClaimsPolicyArgumentAudience | 403 | Defined Audience details are not correct. |
| JWTClaimsPolicyArgumentAudienceNotSpecified | 403 | Audience details are not specified. |
| InvalidJWTClaimsPolicyArgumentIssuer | 403 | Defined Issuer details are not correct. |
| JWTClaimsPolicyArgumentIssuerNotSpecified | 403 | Issuer details are notspecified. |
| NonStandardClaimIsNotAuthorized | 403 | Non Standard Claim is not authorized |
| AudIsNotAuthorized | 403 | Audience is not authorized |
| AudNotConfiguredInJWTToken | 403 | Audience is not configured in the incoming JWT token |
| InvalidIssWithMultipleValues | 403 | Incoming JWT token Issuer claim have multiple values |
| IssNotAuthorized | 403 | Issueris not authorized |
| IssNotConfiguredInJWTToken | 403 | Issuer is not configured in the incoming JWT token |
| IatGreaterThanCurrentTime | 403 | Time at which the JWT was issued is greater than current time |
| IatGreaterThanExpTime | 403 | Time at which the JWT was issued is greater than expiry time |
| IatIsNonNumeric | 403 | Time at which the JWT was issued is non numeric integer |
| TokenNotAllowedBeforeNbf | 403 | Token not allowed before Nbf |
| NbfIsNonNumeric | 403 | Nbf is non numeric integer |
| ExpIsNonNumeric | 403 | Expiry time is non numeric integer |
| TokenExpiryOverrideOrIatIsNonNumeric | 403 | Token Expiry Override or JWT Issued time is non numeric integer |
| TokenExpired | 403 | JWT token is expired |