webMethods and Intelligent Business Operations 10.2 | API Gateway User's Guide | API Gateway Administration | Security Configuration | JWT
 
JWT
 
JWT Workflow
Configuring API Gateway to use JWT
Configuring API Gateway to use Trusted Issuers
Identifying Applications Using JWT
JSON Web Token (JWT) is an open standard (RFC 7519) for representing a set of information, called a claim set, that is to be transmitted securely between two parties. A claim set consists of zero or more claims, each a name-value pair in which the name is a string and the value is an arbitrary JSON value.
Note: JWT authentication is supported for both REST and SOAP APIs.
The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure, so that the claims can be digitally signed. A JWT can be signed with a shared secret (an HMAC algorithm such as HS256) or with an asymmetric key pair (such as RS256, where the issuer signs with its RSA private key and the consumer verifies with the corresponding public key). API Gateway uses RSA-based JWS, which gives stronger integrity protection: a verifier that holds only the public key cannot mint tokens, whereas every holder of an HMAC secret can.
API Gateway can either issue JWTs itself or validate JWTs issued by a trusted third-party server.
Structure of JSON Web Token
A JSON Web Token (JWT) consists of three components: a header, a payload, and a signature. Each component is Base64url encoded without padding and the three are joined with dots (header.payload.signature), so the token is a single string that can be passed in the HTTP Authorization header (conventionally as a Bearer token).
Sample JSON Web Token (an HS256-signed token whose payload decodes to {"loggedInAs":"admin","iat":1422779638}; the three components are shown on separate lines for readability, but a real token contains no line breaks):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.
gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
JWT Header
Contains the type of token (JWT) and the signature algorithm. The header of the sample token above decodes to {"alg":"HS256","typ":"JWT"}, that is, HMAC with SHA-256. API Gateway uses RS256 (RSA signature with SHA-256), whose header is:
Token Value Encoded:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
Token Value Decoded:
{
  "alg": "RS256",
  "typ": "JWT"
}
JWT Payload
Contains the claims relating to the authentication and identification of the client or the user. The encoded value below is the Base64url encoding of the compact JSON form of the claim set shown decoded after it; here nbf and iat coincide and exp lies 1800 seconds (30 minutes) later:
Token Value Encoded:
eyJpc3MiOiJKb2huIENocmlzIiwic3ViIjoiQWRtaW5pc3RyYXRvciIsImF1ZCI6IlNBRyIsIm5iZiI6MTUwMzAzOTU3OSwiZXhwIjoxNTAzMDQxMzc5LCJpYXQiOjE1MDMwMzk1Nzl9
Token Value Decoded:
{
  "iss": "John Chris",
  "sub": "Administrator",
  "aud": "SAG",
  "nbf": 1503039579,
  "exp": 1503041379,
  "iat": 1503039579
}
The following claims in the JWT specify the identifying information for the JWT client. The time claims (nbf, exp, iat) are NumericDate values, that is, seconds since 1970-01-01T00:00:00Z, and a verifier compares them against its current time, optionally allowing a small leeway for clock skew:
iss
    Issuer of the JWT. In API Gateway, this claim corresponds to the Token issuer field on the JWT configuration page.
sub
    Subject of the JWT. This is the username of the end user.
aud
    Audience of the JWT. This must match the client_id of the application. In API Gateway, this claim corresponds to the Audience field on the JWT configuration page.
nbf
    Not-before time: the time before which the JWT must not be accepted for processing. In API Gateway, this claim is set to the time at which the user requested the JWT.
exp
    Expiration time: the time on or after which the JWT must not be accepted for processing. In API Gateway, this claim is set to the issue time plus the duration configured in the Expiry duration field on the JWT configuration page.
iat
    Issued-at time: the timestamp at which the JWT was issued.
JWT Digital Signature
Contains the Base64url encoded JWS signature, computed over the encoded header and payload joined by a dot (the JWS signing input), so that any change to either segment invalidates the signature. For the HS256 sample token above, the third segment is the encoded 32-byte HMAC:
Token Value Encoded:
gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
Computed as:
HMAC-SHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret)
For the RS256 tokens that API Gateway uses, the signature is instead produced with the issuer's RSA private key and verified with the corresponding public key; no shared secret is involved:
RSASSA-PKCS1-v1_5-SHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  issuerPrivateKey)
With a 2048-bit RSA key the signature is 256 bytes, so its Base64url encoding is 342 characters, compared with 43 for an HMAC-SHA256 value.
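The encoding of the three segments, the claim checks from the table above (iss, aud, nbf, exp) and the signature check, as an added example written for this page; it is not code from the original page or from API Gateway. It re-encodes the RS256 header and the claim set shown above, parses the HS256 sample token, and validates a freshly signed token. Assumptions: the shared secret and the function names are constructed for the example; HS256 is used for the runnable signing step only because it needs nothing beyond the Python standard library, while the RS256 verifier relies on the third-party cryptography package and is shown for completeness without being exercised.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding the producer stripped before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    # Compact separators: any whitespace change alters the encoded segment.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


# The header and claim set shown on this page, re-encoded by encode_segment().
PAGE_HEADER = {"alg": "RS256", "typ": "JWT"}
PAGE_PAYLOAD = {"iss": "John Chris", "sub": "Administrator", "aud": "SAG",
                "nbf": 1503039579, "exp": 1503041379, "iat": 1503039579}


def split_token(token: str):
    """Return (header, claims, [encoded header, payload, signature])."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts


def sign_hs256(payload: dict, secret: bytes) -> str:
    """HS256 is used here only because it needs nothing beyond the standard
    library; API Gateway itself signs with RS256 (see rs256_verifier)."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def hs256_verifier(secret: bytes):
    def verify(signing_input: str, signature: bytes) -> bool:
        expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)  # constant-time comparison
    return verify


def rs256_verifier(public_key):
    """RSASSA-PKCS1-v1_5 with SHA-256 using the issuer's public key. Requires the
    'cryptography' package (public_key is its RSAPublicKey); not run by the tests."""
    def verify(signing_input: str, signature: bytes) -> bool:
        from cryptography.exceptions import InvalidSignature
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding
        try:
            public_key.verify(signature, signing_input.encode("ascii"),
                              padding.PKCS1v15(), hashes.SHA256())
            return True
        except InvalidSignature:
            return False
    return verify


def validate(token: str, expected_alg: str, verify_signature, issuer: str,
             audience: str, now=None, leeway: int = 0) -> dict:
    """Check alg, signature, iss, aud, nbf and exp; return the claim set or raise
    ValueError. `issuer` and `audience` play the role of the Token issuer and
    Audience fields of the API Gateway JWT configuration page."""
    header, claims, parts = split_token(token)
    # Pin the algorithm from configuration; never let the token's own header
    # choose it (blocks alg=none and HS256-for-RS256 key confusion).
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not verify_signature(parts[0] + "." + parts[1], b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):  # aud may be an array
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid (nbf)")
    if "exp" not in claims or now - leeway >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def validation_error(token, **kwargs):
    """Same checks as validate(), but return the failure reason (or None)."""
    try:
        validate(token, **kwargs)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed for this example, not a real key
    token = sign_hs256(PAGE_PAYLOAD, SECRET)
    print(token)
    print(validation_error(token, expected_alg="HS256", verify_signature=hs256_verifier(SECRET),
                           issuer="John Chris", audience="SAG", now=1503039600))
```

The checks run in the order a gateway should apply them: algorithm pinned from configuration, then signature, then issuer and audience, then the time window. Doing the signature check before looking at the claims means an attacker cannot steer the verifier with unsigned claim values, and pinning expected_alg rather than reading it from the header is what stops the classic alg=none and HS256-with-public-key-as-secret downgrades.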

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release