JWT Workflow
The JSON Web Token (JWT) flow has the following steps:
1. The client application sends an authentication request containing the required user credentials, such as username and password, to API Gateway or to a third-party JWT issuer, to obtain a JWT.
The JSON Web Token endpoint in API Gateway is:
<hostname>:<port>/rest/pub/apigateway/jwt/getJsonWebToken
2. If API Gateway is the JWT issuer, it validates the user credentials. If the credentials are valid, API Gateway generates the JSON Web Token, signs it with the private key specified in the JWT configuration, and sends the signed token to the client.
If the user credentials are invalid, API Gateway returns a specific error response.
3. The client sends the token in the HTTP Authorization request header to access the protected API in API Gateway.
4. API Gateway validates the token by verifying its signature with the public certificate that corresponds to the issuer's signing key (see the note below); the private key is used only for signing. If validation succeeds, API Gateway extracts the identifying information about the client that the token carries as claims, identifies the client, and grants access to the protected API.
If the validation fails, API Gateway returns a specific error response.
Note: If API Gateway generated the token, it verifies the signature using the public certificate specified in the JWT configuration. If the token was issued by a third-party JWT issuer, API Gateway verifies the signature using the public certificate configured for that issuer in Integration Server.
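The four steps above, written out as an added, self-contained example. This is not API Gateway's code and not the implementation behind the getJsonWebToken endpoint; it reproduces the protocol with Go's standard library only. Assumed for illustration: a constructed credential store (users), a freshly generated RSA key standing in for the key from the JWT configuration, the issuer name "apigateway", and a one-hour token lifetime. The verifier side does what a practitioner would want the gateway to do: it verifies with the public key, pins alg to RS256 so a token cannot be downgraded to "none", and enforces exp.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed credential store standing in for the user directory consulted in
// step 2 (assumption for this example, not how API Gateway stores credentials).
var users = map[string]string{"alice": "s3cret"}

// NewIssuerKey stands in for the private key from the JWT configuration.
func NewIssuerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken implements step 2: check the credentials, then build an RS256
// JWT (base64url(header).base64url(payload).base64url(signature)).
func IssueToken(priv *rsa.PrivateKey, username, password string, now time.Time, ttl time.Duration) (string, error) {
	want, ok := users[username]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return "", errors.New("invalid credentials")
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(map[string]interface{}{
		"iss": "apigateway", // assumed issuer name
		"sub": username,     // the claim the gateway later uses to identify the client
		"iat": now.Unix(),
		"exp": now.Add(ttl).Unix(),
	})
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // RS256
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// BearerFromHeader is step 3: the token travels as "Authorization: Bearer <jwt>".
func BearerFromHeader(authorization string) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authorization, prefix) {
		return "", errors.New("missing bearer token")
	}
	return strings.TrimSpace(strings.TrimPrefix(authorization, prefix)), nil
}

// VerifyToken is step 4. It uses the public key only, refuses any alg other
// than RS256, verifies the signature over header.payload, and enforces exp.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(rawHeader, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var claims map[string]interface{}
	if json.Unmarshal(rawPayload, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	token, err := IssueToken(priv, "alice", "s3cret", now, time.Hour) // steps 1-2
	if err != nil {
		panic(err)
	}
	jwt, _ := BearerFromHeader("Bearer " + token)         // step 3
	claims, err := VerifyToken(&priv.PublicKey, jwt, now) // step 4
	fmt.Println("claims:", claims, "err:", err)
	_, err = VerifyToken(&priv.PublicKey, jwt, now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The alg check matters more than it looks: a verifier that trusts the token's own alg field can be handed a token with alg "none" and an empty signature, or an HS256 token signed with the public certificate as the HMAC secret, and accept it. Pinning the algorithm to what the JWT configuration specifies removes both attacks.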
The following diagram illustrates how API Gateway participates in the JWT workflow.
JSON Web Token Flow