
Aditya Singh


[Part 2/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Hello Tech Enthusiasts,

Please refer to the previous article, Part 1, to understand how we generate and upload certificates in IBM API Connect.

This article focuses on generating JWTs using the APIC v10 jwt-generate policy.

  • Log in to the APIC Manager console and go to the Develop tab. Create a new API using OpenAPI 2.0. You can use OpenAPI 3.0 as well, since the jwt-generate policy remains the same.
  • Give the Title as ‘JWT Generation and Validation’ and the base path ‘/securetoken’. Select Next and create the API.
  • Delete the blank path and create the following path with a ‘get’ operation. I’m using get here, but it may vary according to your requirement. For now, I’m keeping it simple.

API Manager Design Tab

  • Navigate to the Gateway tab and drag the operation-switch into the assembly section.
  • Construct two cases based on the operations as follows.

assembly-operation-switch

  • For the generate case, drag the jwt-generate policy into the assembly section and fill in the form as follows:
  1. Leave the JSON Web Token field empty, as we prefer the token to be returned in the Authorization header.
  2. Issuer Claim: request.headers.iss-claim
  3. Audience Claim: request.headers.aud-claim
  4. Reduce the validity period to 60 seconds so that both the successful and the failure (expired token) scenarios are easy to test.
  5. Cryptographic Algorithm: RS256
  6. Sign Crypto Object: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-key

apic-jwt-generate

  • Click Save and Publish the API.

For simplicity, I’m only using X-IBM-Client-Id for client validation. Let’s generate a JWT token now.

Postman Generate JWT

When using Postman, consider automating the token process with JavaScript instead of copying and pasting the token manually.

Select the request in Postman and go to the Scripts tab. Add the following JavaScript to the ‘post-response’ section:

// Runs after each response: copy the JWT the gateway returned in the
// Authorization header into a global variable for use in later requests.
let access_token = pm.response.headers.get("Authorization");
pm.globals.set("jwt_token", access_token);

Let’s now move on to Part 3, validating the token generated above.
