Configuring Endpoint Call Processing

To configure JWT Authentication call processing for an endpoint:
  1. From the TIBCO Cloud Mashery Control Center dashboard, navigate to Design > API Definitions, then click the desired API definition from the list.

  2. Click an existing endpoint on the Endpoints page.

  3. Click Call Transformations in the left-hand menu.

  4. In the Call Transformations page, specify the following information in these fields:
    • Processing Adapter: com.mashery.proxy.customer.generic.JWTAuthProcessor
    • Perform Pre-Processing: Enabled
    • Data to make available for pre-processing: (one per line)
    | Data | Example | Notes |
    |---|---|---|
    | public_key_request_path:<path location> | public_key_request_path: http://content.mock.mashery.com/stest/test/AJ792_MAIF_CLIENTPUBKEY.json | Mandatory; Request path for JWKS (JSON web key set) location. |
    | public_key_ttl: <minutes> | public_key_ttl: 5 | Mandatory; In minutes. |
    | token_expiry_override: <minutes> | token_expiry_override: 5 | Optional; In minutes. |
    | iss: <string> | iss: https://issuer1.com, https://issuer2.com | Optional; string values. |
    | aud: <string> | aud: Google, Facebook, Yahoo | Optional; string values. |
    | nonstandard_claims: {"<HEADER1_NAME>":"<CLAIM1_NAME>","<HEADER2_NAME>":"<CLAIM2_NAME>",..} | nonstandard_claims: {"Groups":"Group1, Group2", "Whitelisted":"abc.com, xyz.com"} | Optional: key:value pair. |
    | inject_headers: {"<HEADER1_NAME>":"<CLAIM1_NAME>","<HEADER2_NAME>":"<CLAIM2_NAME>",..} | inject_headers: {"Audience":"aud","Issuer":"iss"} | Optional: key:value pair. |
    | block_authorization_header:<true/false> | block_authorization_header : true | Optional; boolean values - true or false. Default Value - false |
    | http_proxy_server : <string> | http_proxy_server : squid.example.com | Optional; String values. Proxy Server to retrieve JWKS. |
    | http_proxy_port : <integer> | http_proxy_port : 3128 | Optional; Integer value. Proxy Server Port to retrieve JWKS. |
    | customizeErrorEnable:<true/false> | customizeErrorEnable : true | Support of configurable parameter customizeErrorEnable to control error response code sent by TIBCO Mashery. |

    The JWT Authentication Connector returns ERR_403_NOT_AUTHORIZED in case of error. If customizeErrorEnable is set to "true", the HTTP response status code and status text for the connector are overridden by the error set defined for that endpoint in Mashery Control Center. If customizeErrorEnable is set to any value other than "true", the existing connector behavior is unchanged: it responds with ERR_403_NOT_AUTHORIZED, with backend server response code 403, for unauthorized calls.



  5. Click Save when done.
Note:
  • There must be no space between two nonstandard claims or between two inject headers.
    • Example: nonstandard_claims: {"Groups":"Group1, Group2" , "Whitelisted":"abc.com, xyz.com"} and inject_headers: {"Audience":"aud" , "Issuer":"iss"} will not work.
  • The special character ":" is not allowed in a header name.
  • The proxy port can be specified either inside http_proxy_server, as "http_proxy_server : squid.example.com:3128", or as a separate parameter, as "http_proxy_port : 3128". If the proxy port is specified in both places, the value of "http_proxy_port" takes precedence.
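
A pre-save check for the pre-processing data block, as an added example that is not TIBCO's code: it applies the rules stated in the table and Note above (mandatory keys, integer and boolean values, the spacing the Note shows as failing, no ":" in header names, http_proxy_port taking precedence). The function names, the sample block and the jwks.example.com host are assumptions made for illustration.

```python
import json
import re

MANDATORY = ("public_key_request_path", "public_key_ttl")
INT_KEYS = ("public_key_ttl", "token_expiry_override", "http_proxy_port")
BOOL_KEYS = ("block_authorization_header", "customizeErrorEnable")
MAP_KEYS = ("nonstandard_claims", "inject_headers")
# The spacing the Note shows as failing: whitespace between a closing quote and the comma.
SPACED_SEPARATOR = re.compile(r'"\s+,')

# Constructed sample block; jwks.example.com is a placeholder host.
SAMPLE = """public_key_request_path: https://jwks.example.com/keys.json
public_key_ttl: 5
inject_headers: {"Audience":"aud" , "Issuer:Name":"iss"}
http_proxy_server : squid.example.com:8080
http_proxy_port : 3128"""


def parse(text):
    """Split each 'key: value' line on its first colon, so URLs keep theirs."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def lint(cfg):
    """Return the problems found in a parsed pre-processing data block."""
    problems = [f"{k}: mandatory parameter missing" for k in MANDATORY if not cfg.get(k)]
    problems += [f"{k}: expected an integer" for k in INT_KEYS
                 if k in cfg and not cfg[k].isdecimal()]
    problems += [f"{k}: expected true or false" for k in BOOL_KEYS
                 if k in cfg and cfg[k] not in ("true", "false")]
    for k in (k for k in MAP_KEYS if k in cfg):
        if SPACED_SEPARATOR.search(cfg[k]):
            problems.append(f"{k}: space between two entries")
        try:
            names = json.loads(cfg[k])
        except ValueError:
            names = None
        if not isinstance(names, dict):
            problems.append(f"{k}: not a JSON object")
            continue
        problems += [f"{k}: ':' in header name {n!r}" for n in names if ":" in n]
    return problems


def effective_proxy(cfg):
    """Resolve proxy host and port; http_proxy_port wins over an inline host:port."""
    host, _, inline_port = cfg.get("http_proxy_server", "").partition(":")
    port = cfg.get("http_proxy_port") or inline_port
    return (host, int(port)) if host and port.isdecimal() else None
```

Run `lint(parse(block))` on the text pasted into "Data to make available for pre-processing" before saving; an empty list means none of the rules checked here were broken.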