The JWT Authentication handler is a custom implementation for securing a service/API with a JWT assertion instead of an OAuth2 access token.
As illustrated in the above image, the client makes a request to API1 in the WSO2 API Manager Gateway with an access token. Once the token is validated by the WSO2 API Manager Key Manager profile, the Gateway generates a JWT assertion and passes it to the API1 service. The API1 service then needs to call API2 in the WSO2 API Manager Gateway, but at that point it holds no access token, only the JWT assertion. When the API1 service invokes API2 with the JWT assertion, the JWT Authentication handler validates the assertion's signature and, if it verifies, allows the call through to the API2 service.
- Download JWTAuthenticationHandler-1.0.0.jar from the dist directory and copy it into the <APIM_HOME>/repository/components/lib directory.
- Go to the <APIM_HOME>/repository/deployment/server/synapse-configs/default/api/ directory and open the XML file that belongs to the API you want to add this handler to.
- Locate the handlers section and remove

  ```xml
  <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
  ```

- Replace it with

  ```xml
  <handler class="org.wso2.carbon.apim.custom.JWTAuthenticationHandler">
      <property name="keystorePath" value="<APIM_HOME>/repository/resources/security/wso2carbon.jks"/>
      <property name="keystorePassword" value="wso2carbon"/>
      <property name="keyAlias" value="wso2carbon"/>
  </handler>
  ```

- Restart the server and invoke the API with the X-JWT-Assertion header.
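The following is an added example of the verification step the handler performs on the X-JWT-Assertion header; it is not code from this project. It loads the public certificate from the same keystore path and alias that the handler configuration above names, verifies the RS256 signature over `header.payload`, and additionally pins the `alg` header and checks `exp` (two checks a gateway should make that this README does not describe). The `main` method uses a freshly generated key pair as a stand-in for the wso2carbon.jks entry, and the claims in the sample token (`iss`, `sub`) are constructed values.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Stand-alone illustration of verifying an X-JWT-Assertion value (added example, not project code). */
public final class JwtAssertionVerifier {

    private static final Base64.Decoder B64URL = Base64.getUrlDecoder();
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    private final PublicKey publicKey;

    public JwtAssertionVerifier(PublicKey publicKey) {
        this.publicKey = publicKey;
    }

    /** Loads the verifying certificate from the keystore/alias the handler is configured with. */
    public static JwtAssertionVerifier fromKeystore(String keystorePath, char[] password, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + alias);
        }
        return new JwtAssertionVerifier(cert.getPublicKey());
    }

    /**
     * Returns the claims JSON when the assertion is acceptable, otherwise throws SecurityException.
     * The algorithm is pinned to RS256 before any cryptographic call, so a token cannot select
     * "none" or an HMAC algorithm and have the public key reused as a shared secret.
     */
    public String verify(String assertion) throws Exception {
        String[] parts = assertion.split("\\.");
        if (parts.length != 3) {
            throw new SecurityException("assertion is not a compact JWS");
        }
        String header = new String(B64URL.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.matches("(?s).*\"alg\"\\s*:\\s*\"RS256\".*")) {
            throw new SecurityException("unsupported alg in header: " + header);
        }
        // The signature covers the ASCII bytes of the first two base64url segments joined by '.'.
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initVerify(publicKey);
        rsa.update(signingInput);
        if (!rsa.verify(B64URL.decode(parts[2]))) {
            throw new SecurityException("signature does not verify against the keystore certificate");
        }
        String claims = new String(B64URL.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(claims);
        if (!m.find() || Long.parseLong(m.group(1)) <= Instant.now().getEpochSecond()) {
            throw new SecurityException("assertion has no exp claim or has expired");
        }
        return claims;
    }

    // Demo: a throwaway key pair stands in for the wso2carbon.jks entry; the token is constructed here.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        long exp = Instant.now().getEpochSecond() + 300;
        String payload = enc.encodeToString(("{\"iss\":\"example-gateway\",\"sub\":\"alice\",\"exp\":" + exp + "}")
                .getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String token = header + "." + payload + "." + enc.encodeToString(signer.sign());

        JwtAssertionVerifier verifier = new JwtAssertionVerifier(kp.getPublic());
        System.out.println("accepted: " + verifier.verify(token));

        // Same signature, modified claims: the signature check must fail.
        String tampered = header + "."
                + enc.encodeToString(("{\"sub\":\"admin\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8))
                + "." + token.split("\\.")[2];
        try {
            verifier.verify(tampered);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a deployment, `fromKeystore("<APIM_HOME>/repository/resources/security/wso2carbon.jks", "wso2carbon".toCharArray(), "wso2carbon")` would be called once at handler initialisation and the verifier reused per request; only the public certificate is needed, so the handler never has to touch the private key.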
Want to contribute? Great! Send the pull request :) or fork and implement yours :D
```bash
$ git clone https://github.com/vanjikumaran/JWTAuthenticationHandler
$ cd JWTAuthenticationHandler/
$ mvn clean install
```
- Currently this handler only supports JWT assertions generated by WSO2, so we have to evaluate the possibility of dynamic claim mapping.
- Support multiple signature algorithms.
Contributor | GitHub |
---|---|
fazlan | https://github.com/fazlan-nazeem |
vanji | https://github.com/vanjikumaran |
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Free Software, Hell Yeah!