Generic JWT policy for apiman

I just pushed an initial (very simple) generic JWT authentication plugin policy to master. It should work with any JWT provider! Let me know how it works for you.


Update on 23/01/07: The JWT plugin has now been released to Maven, you can install it via:

G

io.apiman.plugins

A

apiman-plugins-jwt-policy

V

1.2.9.Final (or whatever the latest/matching version of apiman is)


Old Instructions:

Build and install

To try it out immediately you will need to build it from source. Just check out the apiman/apiman-plugins repo and execute:

mvn clean install

The plugin coordinates will be:

G

io.apiman.plugins

A

apiman-plugins-jwt-policy

V

1.2.9-SNAPSHOT

It isn’t yet as feature-rich as the Keycloak plugin, but you can:

  • Require JWT.

  • Require claims (e.g. sub = foo).

  • Require transport security (TLS, SSL).

  • Require JWT be cryptographically signed (aka. JWS).

  • Validate JWT against a provided public key.

  • Remove auth tokens (prevent them reaching the backend).

  • Set maximum clock skew.

I’ll expand on this in the near future to add some commonly-used features from the Keycloak plugin:

  • Extraction of roles for authorization

  • Forward token fields as headers (e.g. X-Sub = sub)

How to use it

Either:

  • Set the Authorization header as Authorization: Bearer <B64 encoded token>

  • Set the access_token query parameter as example.com?access_token=<B64 encoded token>

comments powered by Disqus