Design and Implementation

Sequence Diagram



Sequence Diagram With Mashery WhiteList Connector Chaining (Sample Reference)



Implementation Details

  1. This connector fetches the value of the Authorization header from the incoming request. If the token is in the format <String>.<String>.<String> (three dot-separated segments), the token type is JWT; otherwise it is a Mashery OAuth2 access token.
  2. If the token type is Mashery OAuth2, use the Mapi locator service in the connector, applying the following logic:
    1. Set the service endpoint OAuth grant types to 'client_credentials', 'authorization code', 'implicit' and 'Password' (the endpoint configuration doesn't have a way to select grant type credentials).
    2. Proceed with the Mashery OAuth2 authentication flow and exit.
  3. If the token type is a third-party JWT, then:
    1. Fetch the API key (client_id) from the JWT payload claim (configurable on the Mashery Endpoint Key & Method Detection page) and validate it; if validation fails, throw an HTTP 403 error and exit.
  4. The connector fetches the mandatory pre-input configuration for jwks_uri and makes the call to fetch the JWK (JSON Web Key) from the JWKS (JSON Web Key Set).
    1. If the optional http_proxy_server is specified in the pre-input configuration, the call to retrieve the JSON Web Key Set (JWKS) is made through that proxy.
  5. Depending on the response from the previous call, validate the JWT signature and expiry; if validation fails, throw an HTTP 403 error and exit.
  6. Depending on the configuration of standard and non-standard claims, the corresponding API request is accepted or blocked, providing the augmented validation needed by business policies/rules.
  7. The connector optionally provides configuration for inject_headers and injects the corresponding headers into the request.
  8. The connector optionally provides a configurable capability to block or forward the Authorization header to the backend/origin server.

Block Authorization Header Feature

  • If "block_authorization_header" in pre-input is true, then after JWT token validation the "Authorization" header is removed from the request before it is sent to the backend resources.
  • The default value of "block_authorization_header" is true.
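The token-type detection (step 1), the JWT key-claim, signature and expiry checks (steps 3 to 5) and the block_authorization_header / inject_headers handling described above, as an added stand-alone Python example that is not the connector's own code. Assumptions: the JWKS is constructed inline with a symmetric "oct" key and HS256 so the example runs offline (the real connector fetches keys from jwks_uri, typically RSA); the function and parameter names are illustrative.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def token_type(authorization):
    """Step 1: three dot-separated segments => JWT, anything else => Mashery OAuth2 token."""
    token = authorization.split(" ", 1)[-1].strip()  # drop a "Bearer " scheme prefix if present
    return ("jwt" if len(token.split(".")) == 3 else "oauth2"), token

def validate_jwt(token, jwks, key_claim="client_id", now=None):
    """Steps 3-5: return the claims when key claim, signature and expiry check out; else 403."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if key_claim not in payload:                    # step 3.1: API key claim must be present
        raise PermissionError("403: API key claim missing")
    # Step 4: select the JWK by kid. Assumption: symmetric "oct" key so this runs offline;
    # the real connector fetches (typically RSA) keys from jwks_uri.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
        raise PermissionError("403: no usable key for token")
    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):   # step 5: signature
        raise PermissionError("403: bad signature")
    if payload.get("exp", 0) <= (time.time() if now is None else now):  # step 5: expiry
        raise PermissionError("403: token expired")
    return payload

def apply_preinput(headers, block_authorization_header=True, inject_headers=None):
    """Steps 7-8: strip Authorization when blocked (default true) and add injected headers."""
    out = {k: v for k, v in headers.items()
           if not (block_authorization_header and k.lower() == "authorization")}
    out.update(inject_headers or {})
    return out

# Constructed sample key set and a helper to mint test tokens (not part of the connector).
SECRET = b"constructed-demo-secret"
JWKS = {"keys": [{"kty": "oct", "kid": "demo", "k": b64url_encode(SECRET)}]}

def make_token(claims, secret=SECRET, kid="demo"):
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    s = b64url_encode(hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{s}"
```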

Shared Token SPKey Feature

  • At the endpoint, to authenticate Mashery OAuth2.0 tokens generated by a different API Service, add the following parameter to the pre-input configuration:
    shared_token_spkey:<SPKey of another API Service>
  • Caution:
    • There is no need to chain with com.mashery.proxy.customer.generic.oauth2-shared-token-adapter.
    • Provide this pre-input parameter only when OAuth2 tokens generated by another API Service need to be validated at this endpoint.
  • If shared_token_spkey is defined in the pre-input configuration:
    • The service configuration is loaded using this shared token SPKey, and the OAuth2 context is created using this service configuration.
    • The original SPKey is stored and replaced by the shared SPKey.
    • The Mashery Mapi look-up is done using the shared SPKey. After the Mapi look-up, the original SPKey is restored in the service configuration.

Note: You can find the value of 'shared_token_spkey' by taking the 'API Definition' ID from the URL in the browser (sample reference):

Inject Headers Feature

Refer to the Inject Headers Feature section for JWT Authentication Connector.

Token Validation Rules and Checks

Refer to the Token Validation Rules and Checks section for JWT Authentication Connector.

Business Rules and Assumptions

Refer to the Business Rules and Assumptions section for JWT Authentication Connector.