Generating JSON Web Token (JWT)
- Former user (Deleted)
Given below is the configuration related to API Manager JWT generation found in <APIM_HOME>/repository/conf/api-manager.xml file.
<APIConsumerAuthentication>
<SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<EnableTokenGeneration>true</EnableTokenGeneration>
</APIConsumerAuthentication>
Let's take a look at each parameter in the XML file in detail.
EnableTokenGeneration
| XML Syntax | <EnableTokenGeneration/> |
|---|---|
| Description | Used to enable or disable JWT generation. |
| Type | Boolean |
| Default Value | false |
| Fixed Values | true/false |
| Mandatory/Optional | Optional |
SecurityContextHeader
| XML Syntax | <SecurityContextHeader/> |
|---|---|
| Description | This is the name of the HTTP header to which the JWT is attached. |
| Type | String |
| Default Value | X-JWT-Assertion |
| Fixed Values | N/A |
| Mandatory/Optional | Optional |
ClaimsRetrieverImplClass
| XML Syntax | <ClaimsRetrieverImplClass/> |
|---|---|
| Description | By default, there is a set of values that are encoded to the JWT. They are subscriber name, application name, api context, api version, authorized resource owner name. In addition to these values, an extensible interface is also provided to encode any attribute of the user, required by the JWT. The fully-qualified name of the Interface is: 'org.wso2.carbon.apimgt.impl.token.ClaimsRetriever'. The methods provided in the interface are:
This method is executed once right before the very first request. Any initialization tasks can be performed here.
This method returns a SortedMap of claims. The key of the Map should indicate the 'user attribute name' and the value should indicate the corresponding 'user attribute value'. The order in which these keys and values are encoded depends on the ordering defined by the SortedMap.
This is the dialect URI to which the attribute names returned by the getClaims() method are appended to. For example, The default implementation (org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever) returns the user's attributes defined under the dialect URI http://wso2.org/claims and the JWT will also be encoded with the same dialect URI. The order of encoding the user's attributes is the natural order of the attributes. If no value is specified, no additional claims will be encoded, except the 6 default attributes. |
| Type | String |
| Default Value | org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever |
| Fixed Values | N/A |
| Mandatory/Optional | Optional |
ConsumerDialectURI
| XML Syntax | <ConsumerDialectURI/> |
|---|---|
| Description | This is the dialect URI under which the user's claims will be looked for. This only works with the default value of <ClaimsRetrieverImplClass> element. |
| Type | String |
| Default Value | N/A |
| Fixed Values | N/A |
| Mandatory/Optional | Optional |
SignatureAlgorithm
| XML Syntax | <SignatureAlgorithm/> |
|---|---|
| Description | The signing algorithm used for signing the JWT. The general form of the JWT is {…...}.{......}.{......} - Three strings delimited by periods. When NONE is used as the signing algorithm, the JWT would look as {…..}.{.....} - Two strings delimited by a period and a period at the end. |
| Type | String |
| Default Value | SHA256WITHRSA |
| Fixed Values |
|
| Mandatory/Optional | Optional |