This pageapplies toApigee andApigee hybrid.

View Apigee Edge documentation.

The VerifyJWT policy verifies a signed JWT or decrypts and verifies an encrypted JWT received from clients or other systems. This policy also extracts the claims into context variables so that subsequent policies or conditions can examine those values to make authorization or routing decisions. SeeJWS and JWT policies overview for a detailed introduction.

When this policy executes, in the case of a signed JWT, Apigee verifies the signature of the JWT using the provided verification key. In the case of an encrypted JWT, Apigee decrypts the JWT using the decryption key. In either case, Apigee subsequently verifies that the JWT is valid according to the expiry and not-before times if they are present. The policy can optionally also verify the values of specific claims on the JWT, such as the subject, the issuer, the audience, or the value of additional claims.

• If you use the<Algorithm> element, the policyverifies a signed JWT.
• If you use the<Algorithms> element, the policyverifies an encrypted JWT.

This policy is aStandard policy and can be deployed to any environment type. For information on policy types and availability with each environment type, seePolicy types.

To learn about the parts of a JWT and how they are encrypted and signed, refer toRFC7519.

Verify a Signed JWT

This section explains how to verify a signed JWT. For a signed JWT, use the<Algorithm> element to specify the algorithm for signing the key.

Samples for a signed JWT

The following samples illustrate how to verify a signed JWT.

<VerifyJWT name="JWT-Verify-HS256">    <DisplayName>JWT Verify HS256</DisplayName>    <Algorithm>HS256</Algorithm>    <Source>request.formparam.jwt</Source>    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>    <SecretKey encoding="base64">        <Value ref="private.secretkey"/>    </SecretKey>    <Subject>monty-pythons-flying-circus</Subject>    <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>    <Audience>fans</Audience>    <AdditionalClaims>        <Claim name="show">And now for something completely different.</Claim>    </AdditionalClaims></VerifyJWT>

<VerifyJWT name="JWT-Verify-RS256">    <Algorithm>RS256</Algorithm>    <Source>request.formparam.jwt</Source>    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>    <PublicKey>        <Value ref="public.publickey"/>    </PublicKey>    <Subject>apigee-seattle-hatrack-montage</Subject>    <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>    <Audience>urn://c60511c0-12a2-473c-80fd-42528eb65a6a</Audience>    <AdditionalClaims>        <Claim name="show">And now for something completely different.</Claim>    </AdditionalClaims></VerifyJWT>

{  "typ" : "JWT",  "alg" : "RS256"}

{  "sub" : "apigee-seattle-hatrack-montage",  "iss" : "urn://apigee-edge-JWT-policy-test",  "aud" : "urn://c60511c0-12a2-473c-80fd-42528eb65a6a",  "show": "And now for something completely different."}

{  "sub" : "monty-pythons-flying-circus",  "iss" : "urn://apigee-edge-JWT-policy-test",  "aud" : "urn://c60511c0-12a2-473c-80fd-42528eb65a6a",  "show": "And now for something completely different."}

The samples above use the<Algorithm> element, so they verify a signedJWT. The<PrivateKey> element specifies the key used to sign the JWT. Thereare other key elements as well. Which one you use depends on the algorithm specified by thevalue of<Algorithm>, as described in the next section.

Setting the key elements to verify a signed JWT

The following elements specify the key used to verify a signed JWT:

• <SecretKey>
• <PublicKey>

Which element you use depends on the chosen algorithm, as shown in the following table:

<SecretKey encoding="base16|hex|base64|base64url">  <Value ref="private.secretkey"/></SecretKey>

<PublicKey>  <Value ref="rsa_public_key_or_value"/></PublicKey>

<PublicKey>  <Certificate ref="signed_cert_val_ref"/></PublicKey>

<PublicKey>  <JWKS ref="jwks_val_or_ref"/></PublicKey>

This section explains how to verify an encrypted JWT. For an encrypted JWT, use the<Algorithms> element to specify the algorithms for signing the key and content.

Sample for an encrypted JWT

The following sample shows how to verify an encrypted JWT (with<Type> set toEncrypted), in which:

• The key is encrypted with the RSA-OAEP-256 algorithm.
• The content is encrypted with the A128GCM algorithm.

<VerifyJWTname="vjwt-1"><Algorithms><Key>RSA-OAEP-256</Key><Content>A128GCM</Content></Algorithms><Type>Encrypted</Type><PrivateKey><Valueref="private.rsa_privatekey"/></PrivateKey><Subject>subject@example.com</Subject><Issuer>urn://apigee</Issuer><AdditionalHeaders><Claimname="moniker">Harvey</Claim></AdditionalHeaders><TimeAllowance>30s</TimeAllowance><Source>input_var</Source></VerifyJWT>

The sample above uses the<Algorithms> element, so it verifies an encryptedJWT. The<PrivateKey> element specifies the key that will be used to decrypt the JWT. Thereare other key elements as well. Which one you use depends on the algorithm specified by thevalue of<Algorithms>, as described in the next section.

Setting the key elements to verify an encrypted JWT

The following elements specify the key used to verify an encrypted JWT:

• <PrivateKey>
• <SecretKey>
• <PasswordKey>
• <DirectKey>

Which element you use depends on the chosenkey encyryption algorithm, as shown in the following table:

<PrivateKey>  <Value ref="private.rsa_privatekey"/></PrivateKey>

<PrivateKey>  <Value ref="private.ec_privatekey"/></PrivateKey>

<SecretKeyencoding="base16|hex|base64|base64url"><Valueref="private.flow-variable-name-here"/></SecretKey>

<PasswordKey>  <Value ref="private.password-key"/>  <SaltLength>  <PBKDF2Iterations></PasswordKey>

<DirectKey>  <Value encoding="base16|hex|base64|base64url" ref="private.directkey"/></DirectKey>

For more on the key requirements, seeAbout signature encryption algorithms.

Element reference

The policy reference describes the elements and attributes of the Verify JWT policy.

Note: Configuration will differ somewhat depending on the encryption algorithm you use. Refer to theSamples for examples that demonstrate configurations for specific use cases.

Attributes that apply to the top-level element

<VerifyJWT name="JWT" continueOnError="false" enabled="true" async="false">

The following attributes are common to all policy parent elements.

<DisplayName>

<DisplayName>Policy Display Name</DisplayName>

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<Algorithm>

<Algorithm>HS256</Algorithm>

Specifies the cryptographic algorithm used to verify the token. Use the<Algorithm> element to verify a signed JWT.

RS*/PS*/ES* algorithms employ a public/secret key pair, while HS* algorithms employ a shared secret. See also About signature encryption algorithms.

<Algorithms>    <Key>key-algorithm</Key>    <Content>content-algorithm</Content></Algorithm>

  <Algorithms>    <Key>RSA-OAEP-256</Key>    <Content>A128GCM</Content>  </Algorithms>

  <Algorithms>    <Key>RSA-OAEP-256</Key>  </Algorithms>

<Audience>audience-here</Audience>or:<Audienceref='variable-name-here'/>

<AdditionalClaims/Claim>

<AdditionalClaims><Claimname='claim1'>explicit-value-of-claim-here</Claim><Claimname='claim2'ref='variable-name-here'/><Claimname='claim3'ref='variable-name-here'type='boolean'/></AdditionalClaims>or:<AdditionalClaimsref='claim_payload'/>

Validates that the JWT payload contains the specified additional claim(s) and that the asserted claim values match.

An additional claim uses a name that is not one of the standard, registered JWT claim names. The value of a additional claim can be a string, a number, a boolean, a map, or an array. A map is simply a set of name/value pairs. The value for a claim of any of these types can be specified explicitly in the policy configuration, or indirectly via a reference to a flow variable.

The<Claim> element takes these attributes:

• name - (Required) The name of the claim.Note: Do not use any of the registered claim names in this element. The registered claims are specified inRFC7519. They include: "iss", "sub", "aud", "iat", "exp", "nbf", and "jti".
• ref - (Optional) The name of a flow variable. If present, the policy will use the value of this variable as the claim. If both aref attribute and an explicit claim value are specified, the explicit value is the default, and is used if the referenced flow variable is unresolved.
• type - (Optional) One of: string (default), number, boolean, or map
• array - (Optional) Set totrue to indicate if the value is an array of types. Default: false.

When you include the<Claim> element, the claim names are set statically when you configure the policy. Alternatively, you can pass a JSON object to specify the claim names. Because the JSON object is passed as a variable, the claim names are determined at runtime.

For example:

<AdditionalClaims ref='json_claims'/>

Where the variablejson_claims contains a JSON object in the form:

{"sub":"person@example.com","iss":"urn://secure-issuer@example.com","non-registered-claim":{"This-is-a-thing":817,"https://example.com/foobar":{"p":42,"q":false}}}

<AdditionalHeaders/Claim>

<AdditionalHeaders><Claimname='claim1'>explicit-value-of-claim-here</Claim><Claimname='claim2'ref='variable-name-here'/><Claimname='claim3'ref='variable-name-here'type='boolean'/><Claimname='claim4'ref='variable-name'type='string'array='true'/></AdditionalHeaders>

Validates that the JWT header contains the specified additional claim name/value pair(s) and that the asserted claim values match.

An additionl claim uses a name that is not one of the standard, registered JWT claim names. The value of an additional claim can be a string, a number, a boolean, a map, or an array. A map is simply a set of name/value pairs. The value for a claim of any of these types can be specified explicitly in the policy configuration, or indirectly via a reference to a flow variable.

The<Claim> element takes these attributes:

• name - (Required) The name of the claim.Note: Do not use any of the registered claim names in this element. The registered claims are specified inRFC7519. They include: "iss", "sub", "aud", "iat", "exp", "nbf", and "jti".
• ref - (Optional) The name of a flow variable. If present, the policy will use the value of this variable as the claim. If both aref attribute and an explicit claim value are specified, the explicit value is the default, and is used if the referenced flow variable is unresolved.
• type - (Optional) One of: string (default), number, boolean, or map
• array - (Optional) Set totrue to indicate if the value is an array of types. Default: false.

<CustomClaims>

Note: Currently, a CustomClaims element is inserted when you add a new GenerateJWT policy through the UI. This element is not functional and is ignored. The correct element to use instead is<AdditionalClaims>. The UI will be updated to insert the correct elements at a later time.

<Id>

<Id>explicit-jti-value-here</Id>-or-<Idref='variable-name-here'/>-or-<Id/>

Verifies that the JWT has the specificjti claim. When the text value and ref attribute are both empty, the policy will generate a jti containing a random UUID. The JWT ID (jti) claim is a unique identifier for the JWT. For more information on jti, refer toRFC7519.

<IgnoreCriticalHeaders>

<IgnoreCriticalHeaders>true|false</IgnoreCriticalHeaders>

Set to false if you want the policy to throw an error when any header listed in thecrit header of the JWT is not listed in the<KnownHeaders> element. Set to true to cause the VerifyJWT policy to ignore thecrit header.

One reason to set this element to true is if you are in a testing environment and are not yet ready to handle a failure on a missing header.

<IgnoreIssuedAt>

<IgnoreIssuedAt>true|false</IgnoreIssuedAt>

Set to false (default) if you want the policy to throw an error when a JWT contains aniat (Issued at) claim that specifies a time in the future. Set to true to cause the policy to ignoreiat during verification.

<IgnoreUnresolvedVariables>

<IgnoreUnresolvedVariables>true|false</IgnoreUnresolvedVariables>

Set to false if you want the policy to throw an error when any referenced variable specified in the policy is unresolvable. Set to true to treat any unresolvable variable as an empty string (null).

<Issuer>

<VerifyJWTname='VJWT-29'>...<!--verifythattheissclaimmatchesahard-codedvalue--><Issuer>issuer-string-here</Issuer>or:<!--verifythattheissclaimmatchesthevaluecontainedinavariable--><Issuerref='variable-containing-issuer'/>or:<!--verifyviaavariable;fallbacktoahard-codedvalueifthevariableisempty--><Issuerref='variable-containing-issuer'>fallback-value-here</Issuer>

The policy verifies that the issuer in the JWT (theiss claim) matches the string specified in the configuration element. Theiss claim is one of the registered claims mentioned inIETF RFC 7519.

<KnownHeaders>

<KnownHeaders>a,b,c</KnownHeaders>or:<KnownHeadersref='variable_containing_headers'/>

TheGenerateJWT policy uses the<CriticalHeaders> element to populate thecrit header in a JWT. For example:

{  "typ": "...",  "alg" : "...",  "crit" : [ "a", "b", "c" ],}

The VerifyJWT policy examinescrit header in the JWT, if it exists, and for each header listed it checks that the<KnownHeaders> element also lists that header. The<KnownHeaders> element can contain a superset of the items listed incrit. It is only necessary that all the headers listed incrit are listed in the<KnownHeaders> element. Any header that the policy finds incrit that is not also listed in<KnownHeaders> causes the VerifyJWT policy to fail.

You can optionally configure the VerifyJWT policy to ignore thecrit header by setting the<IgnoreCriticalHeaders> element totrue.

<VerifyJWTname='VJWT-62'>...<!--hard-codedlifespanof5minutes--><MaxLifespan>5m</MaxLifespan>or:<!--refertoavariable--><MaxLifespanref='variable-here'/>or:<!--attributetellingthepolicytouseiatratherthannbf--><MaxLifespanuseIssueTime='true'>1h</MaxLifespan>or:<!--useIssueTimeandref,andhard-codedfallbackvalue.--><MaxLifespanuseIssueTime='true'ref='variable-here'>1h</MaxLifespan>...

<PrivateKey>  <Password ref="private.privatekey-password"/></PrivateKey>

<PrivateKey><Valueref="private.variable-name-here"/></PrivateKey>

<PublicKey>  <Certificateref="signed_public.cert"/></PublicKey>-or-<PublicKey>  <Certificate>-----BEGINCERTIFICATE-----certificatedata-----ENDCERTIFICATE-----  </Certificate></PublicKey>

  <PublicKey>    <JWKS …  > … </JWKS>  </PublicKey>

A child of the<PublicKey> element. Specifies a JWKS as a source of public keys. This will be a list of keys following the format described inIETF RFC 7517 - JSON Web Key (JWK).

If the inbound JWT bears a key ID which is present in the JWKS, then the policy will use the correct public key to verify the JWT signature. For details about this feature, see Using a JSON Web Key Set (JWKS) to verify a JWT.

If you fetch the value from a public URL, Apigee caches the JWKS for a period of 300 seconds. When the cache expires, Apigee fetches the JWKS again.

<Value>

<PublicKey>  <Valueref="public.publickeyorcert"/></PublicKey>-or-<PublicKey>  <Value>-----BEGINPUBLICKEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2kPrRzcufvUNHvTH/WW...YOURPUBLICKEYMATERIALHERE....d1lH8MfUyRXmpmnNxJHAC2F73IyNZmkDb/DRW5onclGzxQITBFP3S6JXd4LNESJcTp705ec1cQ9Wp2Kl+nKrKyv1E5XxDQIDAQAB-----ENDPUBLICKEY-----  </Value></PublicKey>

A child of the<PublicKey> element. Specifies the public key to use to verify the signature on a signed JWT. Use theref attribute to pass the key in a flow variable, or specify the PEM-encoded key directly. Make sure to align the public key on the left as shown in the reference example.

<RequiredClaims>

<VerifyJWTname='VJWT-1'>...<!--Directlyspecifythenamesoftheclaimstorequire--><RequiredClaims>sub,iss,exp</RequiredClaims>-or-<!--Specifytheclaimnamesindirectly,viaacontextvariable--><RequiredClaimsref='claims_to_require'/>...</VerifyJWT>

The<RequiredClaims> element is optional. It specifies a comma-separated list of names of claims that must be present in the JWT payload, when verifying a JWT. The element ensures that the presented JWT contains the required claims but does not validate the contents of the claims. If any of the listed claims are not present, the VerifyJWT policy will throw a fault at runtime.

<SecretKey>

<SecretKeyencoding="base16|hex|base64|base64url"><Valueref="private.your-variable-name"/></SecretKey>

The SecretKey element is optional. It specifies the secret key to use when verifying a signed JWT that uses a symmetric (HS*) algorithm or when verifying an encrypted JWT that uses a symmetric (AES) algorithm for key encryption.

Children of<SecretKey>

The following table provides a description of the child elements and attributes of<SecretKey>:

<SecretKeyencoding="hex" >  <Value ref="private.secretkey"/></SecretKey>

<SecretKey><Valueref="private.my-secret-variable"/></SecretKey>

<Source>

<Source>jwt-variable</Source>

If present, specifies the flow variable in which the policy expects to find the JWT to verify.

With this element, you can configure the policy to retrieve the JWT from a form or query parameter variable or any other variable. When this element is present, the policy will not strip anyBearer prefix that may be present. If the variable does not exist or if the policy does not find a JWT in the specified variable, the policy returns an error.

By default, when no<Source> element is present, the policy retrieves the JWT by reading the variablerequest.header.authorization and stripping theBearer prefix. If you pass the JWT in the Authorization header as a bearer token (with theBearer prefix), do not specify the<Source> element in the policy configuration. For example, you would use no<Source> element in the policy configuration if you pass the JWT in the Authorization header like this:

curl -v https://api-endpoint/proxy1_basepath/api1 -H "Authorization: Bearer eyJhbGciOiJ..."

<Subject>

<VerifyJWTname='VJWT-8'>...<!--verifythatthesubclaimmatchesahard-codedvalue--><Subject>subject-string-here</Subject>or:<!--verifythatthesubclaimmatchesthevaluecontainedinavariable--><Subjectref='variable-containing-subject'/>or:<!--verifyviaavariable;fallbacktoahard-codedvalueifthevariableisempty--><Subjectref='variable-containing-subject'>fallback-value-here</Subject>

The policy verifies that the subject in the JWT (thesub claim) matches the string specified in the policy configuration. Thesub claim is one of the registered claims described inRFC7519.

<TimeAllowance>

<VerifyJWTname='VJWT-23'>...<!--configureahard-codedtimeallowanceof20seconds--><TimeAllowance>20s</TimeAllowance>or:<!--refertoavariablecontainingthetimeallowance--><TimeAllowanceref='variable-containing-time-allowance'/>or:<!--refertoavariable;fallbacktoahard-codedvalueifthevariableisempty--><TimeAllowanceref='variable-containing-allowance'>30s</TimeAllowance>

The "grace period" for times, to account for clock skew between the issuer and verifier of a JWT. This will apply to both the expiry (theexp claim) as well as the not-before-time (thenbf claim). For example, if the time allowance is configured to be30s, then an expired JWT would be treated as still valid, for 30 seconds after the asserted expiry. The not-before-time will be evaluated similarly.

<Type>

<Type>type-string-here</Type>

Describes whether the policy verifies a signed JWT or an encrypted JWT. The<Type> element is optional. You can use it to inform readers of the configuration whether the policy generates a signed or an encrypted JWT.

• If the<Type> element is present:
  • If the value of<Type> isSigned, the policy verifies a signed JWT, and the<Algorithm> element must be present.
  • If the value of<Type> isEncrypted, the policy verifies an encrypted JWT, and the<Algorithms> element must be present.
• If the<Type> element is absent:
  • If the<Algorithm> element is present, the policy assumes<Type> isSigned.
  • If the<Algorithms> element is present, the policy assumes<Type> isEncrypted.
• If neither<Algorithm> nor<Algorithms> is present, the configuration is invalid.

Flow variables

Upon success, theVerify JWT andDecode JWT policies set context variables according to this pattern:

jwt.{policy_name}.{variable_name}

For example, if the policy name isjwt-parse-token , then the policy will store the subject specified in the JWT to the context variable namedjwt.jwt-parse-token.decoded.claim.sub. (For backward compatibility, it will also be available injwt.jwt-parse-token.claim.subject)

Error reference

This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, seeWhat you need to know about policy errors andHandling faults.

Runtime errors

These errors can occur when the policy executes.

Deployment errors

These errors can occur when you deploy a proxy containing this policy.

These variables are set when a runtime error occurs. For more information, seeWhat you need to know about policy errors.

Example error response

For error handling, the best practice is to trap theerrorcode part of the error response. Do not rely on the text in thefaultstring, because it could change.

Example fault rule

    <FaultRules>        <FaultRule name="JWT Policy Errors">            <Step>                <Name>JavaScript-1</Name>                <Condition>(fault.name Matches "InvalidToken")</Condition>            </Step>            <Condition>JWT.failed=true</Condition>        </FaultRule>    </FaultRules>