To authenticate end users, the API Manager passes attributes of the API invoker to the backend API implementation. JSON Web Token (JWT) is used to represent claims that are transferred between two parties: the end user and the backend. A claim is an attribute of the user that is mapped to the underlying user store. A set of claims is called a dialect (e.g., http://wso2.org/claims). JWT is standardised, light-weight, easy to parse and consume, and can be signed. The general format of a JWT is {token info}.{claims list}.{signature}. The API implementation uses the information stored in this token for purposes such as logging, content filtering and authentication/authorization. The token is Base64-encoded and sent to the API implementation in an HTTP header. For more information on JWT, look here.

An example of a JWT passed by the API Manager is given below:

{
    "typ":"JWT",
    "alg":"NONE"
}{
    "iss":"wso2.org/products/am",
    "exp":1345183492181,
    "http://wso2.org/claims/subscriber":"admin",
    "http://wso2.org/claims/applicationname":"app2",
    "http://wso2.org/claims/apicontext":"/placeFinder",
    "http://wso2.org/claims/version":"1.0.0",
    "http://wso2.org/claims/tier":"Silver",
    "http://wso2.org/claims/enduser":"sumedha"
}

As shown in the above example, the token contains the following:

...
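As an added example (not part of the original page or the API Manager's own code), the following Python shows the {token info}.{claims list}.{signature} layout end to end: it serialises the page's sample claims, and on the backend side pins the algorithm, checks the signature and expiry, and extracts the http://wso2.org/claims dialect. HS256 with a shared key is an assumption chosen so the example runs stand-alone; the sample claims are constructed from the page, and an unsigned token such as the page's alg NONE sample is rejected by the reader because it carries nothing to verify.

```python
import base64
import hashlib
import hmac
import json

DIALECT = "http://wso2.org/claims/"  # claim dialect used in the page's example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def build_jwt(claims: dict, key: bytes = b"") -> str:
    """Serialise {token info}.{claims list}.{signature}; HS256 if a key is given, else alg NONE."""
    header = {"typ": "JWT", "alg": "HS256" if key else "NONE"}
    body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest() if key else b""
    return body + "." + _b64url(sig)


def read_jwt(token: str, key: bytes, now_ms: int) -> dict:
    """Backend-side check: verify the HS256 signature, reject expiry, return dialect claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    h64, c64, s64 = parts
    header = json.loads(_unb64url(h64))
    # Pin the algorithm: a header that says NONE carries no signature to check,
    # so its claims cannot be trusted and the token is rejected outright.
    if str(header.get("alg", "")).upper() != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_unb64url(c64))
    # The page's example carries exp in milliseconds, so compare in the same unit.
    if int(claims.get("exp", 0)) <= now_ms:
        raise ValueError("token expired")
    return {k[len(DIALECT):]: v for k, v in claims.items() if k.startswith(DIALECT)}


# Constructed sample mirroring the page's claims (not a token issued by the product).
SAMPLE_CLAIMS = {
    "iss": "wso2.org/products/am", "exp": 1345183492181,
    DIALECT + "subscriber": "admin", DIALECT + "applicationname": "app2",
    DIALECT + "apicontext": "/placeFinder", DIALECT + "version": "1.0.0",
    DIALECT + "tier": "Silver", DIALECT + "enduser": "sumedha",
}
```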