Design and Implementation
Implementation Details
- The connector reads the value of the Authorization header from the incoming request. If the token has the format <String>.<String>.<String>, it is treated as a JWT; otherwise it is treated as a Mashery OAuth2 access token.
- If the token type is Mashery OAuth2, the connector uses the Mapi locator service, applying the following logic:
- If the token type is a third-party JWT, then:
- The connector reads the mandatory pre-input configuration for jwks_uri and calls it to fetch the JWK (JSON Web Key) from the JWKS (JSON Web Key Set).
- Based on the response to that call, the connector validates the JWT signature and expiry; if validation fails, it returns an HTTP 403 error and exits.
- Depending on the configuration of standard and non-standard claims, the corresponding API request is accepted or blocked for the augmented validation needed in business policies/rules.
- The connector optionally accepts an inject_headers configuration and injects the corresponding headers into the request.
- The connector optionally provides a configurable capability to block or forward the Authorization header to the backend/origin server.
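As an added illustration (not the connector's own code), the Python below mirrors the branch described above: it classifies the token by its shape, and for a JWT it selects the JWKS key by kid, verifies the signature, checks exp, and maps a failure to a 403 decision while a non-JWT token is handed to the Mapi look-up. It assumes a symmetric HS256 ("oct") JWK so that it runs with the standard library only; SAMPLE_SECRET and SAMPLE_JWKS are constructed sample material, where the connector would use the keys published at jwks_uri.

```python
import base64, hashlib, hmac, json, time

SAMPLE_SECRET = b"constructed-demo-secret"  # constructed; the connector would fetch keys from jwks_uri

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWKS with one symmetric ("oct") key, selected by kid.
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256", "k": _b64url_encode(SAMPLE_SECRET)}]}

def token_type(authorization_header):
    """Three non-empty dot-separated segments -> JWT; anything else -> Mashery OAuth2 access token."""
    parts = authorization_header.split()[-1].split(".")
    return "JWT" if len(parts) == 3 and all(parts) else "OAUTH2"

def make_jwt(claims, secret, kid):
    """Build an HS256-signed JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token, jwks, now=None):
    """Verify the signature with the JWKS key matching 'kid', then check 'exp'. Returns (ok, reason)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return False, "unsupported alg"
    key = next((k for k in jwks["keys"] if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "no matching key"
    expected = hmac.new(_b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return False, "expired"
    return True, "ok"

def decide(authorization_header, jwks, now=None):
    """Connector branch: JWT -> validate and reject with 403 on failure; otherwise defer to Mapi look-up."""
    if token_type(authorization_header) != "JWT":
        return "mapi_lookup"
    ok, reason = verify_jwt(authorization_header.split()[-1], jwks, now)
    return "accept" if ok else f"403 {reason}"
```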
Block Authorization Header Feature
Shared Token SPKey Feature
- At the endpoint, to authenticate Mashery OAuth2.0 tokens generated by a different API Service, add the following parameter to the pre-input configuration:
shared_token_spkey:<SPKey of another API Service>
- Caution:
- If shared_token_spkey is defined in the pre-input configuration:
- The service configuration is loaded using this shared token SPKey, and the OAuth2 context is created from that service configuration.
- The original SPKey is stored and replaced by the shared SPKey.
- The Mashery Mapi look-up is done using the shared SPKey. After the Mapi look-up, the original SPKey is restored in the service configuration.
Inject Headers Feature
Refer to the Inject Headers Feature section of the JWT Authentication Connector.
Token Validation Rules and Checks
Refer to the Token Validation Rules and Checks section of the JWT Authentication Connector.
Business Rules and Assumptions
Refer to the Business Rules and Assumptions section of the JWT Authentication Connector.