stackoom
  简体   繁体   中英

How to validate a JWT from WSO2 API Manager

 原文  2014-03-14 15:00:27       validation/ wso2/ jwt/ wso2-am

Question

What is the recommended way for validating that a JWT was issued by a specific API Manager instance in a case where the backend web service lives on a separate server and needs to be certain that a given request passed through the APIM Gateway authentication and authorization mechanisms?

I know that the header fields in the JWT include an 'x5t' field which is an encoded reference to a certificate in the tenant key store, as detailed here:

https://asankastechtalks.wordpress.com/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/

Since the backend web service is on a separate server, do we need to distribute the public key to it somehow? Also, how can we update the certificate that is used to sign the JWT since right now it is using the default?

3 answers

solution1
 1  2015-06-18 19:26:30

The data in the x5t is not the entire certificate, it is only a hash to help you identify if a certificate you have is the same one. This means that you do need to upload the public certificate to the receiving service.

With https the public certificate can be retrieved in the handshake, the client can then check that this certificate is signed by a trusted CA. With this validation however there is no such mechanism, as a result you can't just trust the CA you have to trust each public certificate.

There is another optional header 'x5u' which includes a url link to the public certificate but APIM does not set that value.

solution2
 1  2015-10-30 14:50:52

This is how you can get the certificate from the local store using the x5t hash in the WSO2 token as a lookup: 

// Use JwtSecurityTokenHandler to validate the JWT token
var tokenHandler = new JwtSecurityTokenHandler();

// Read the JWT
var parsedJwt = tokenHandler.ReadToken(token);

// Get X509 public certificate
var signerAlgorithm = ((JwtSecurityToken)parsedJwt).SignatureAlgorithm;
var signerHash = ((JwtSecurityToken)parsedJwt).Header["x5t"];
var thumbprint = Encoding.UTF8.GetString(Convert.FromBase64String(signerHash.ToString()));

X509Store store = new X509Store(StoreName.TrustedPublisher);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false)[0];

solution3
 0  2019-01-17 19:47:22

I think you can validate the JWT by importing the certificate in your API manager under identity provider.

Imagine you are using Wso2 IS to generate JWT token, then you need to export the certificate of IS and import it in wso2 api manager.. And you have to verify that the key 'IDTokenIssuerID' is the same in IS and API Manager

i think this post can help you understand : https://medium.com/wso2-learning/how-to-protect-your-apis-with-self-contained-access-token-jwt-using-wso2-api-manager-and-wso2-75673d8a4686

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to validate parameters in WSO2? In WSO2 ESB, How to Get Error Message from validate mediator wso2 API Manager custom validations for API request input fields WSO2 API Manager - Token restrictions 20KPerToken WSO2 API Manager “unable to find valid certification path to requested target {org .wso2.carbon.apimgt.hostobjects.APIProviderHostObject}” wso2 esb validate mediator always says the request is invalid How to validate input on Tag Manager How to validate the user JWT pass over Token is correct How to validate JWT Token using JWKS in Dot Net Core Validate country calling from API
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM