Skip to main content
Skip table of contents

JWT

The JWT Policy helps you to validate JSON Web Tokens (JWT) by providing a signing key or a JSON Web Key Set (JWK(S)). You can also require claims and strip them to forward them as header to the backend API.

If you are using the JWT or Keycloak OAuth policy, an authentication dialog is shown in the API Developer Portal that you need to use to consume the API. To support you during testing, API Management provides the default user token, if you leave the authentication dialog empty. If you make your own entries in the dialog, these are used in preference to the default. Refer to Testing APIs for details.

Configuration Options

jwt_configuration.png

Basic Configuration

Option

Description

Possible Values

Default

Signing Key or URL to a JWK(S)

Specify a Base-64 encoded signing key or a URL to a JWK(S) to validate JWT.

Self-signed certificates are currently not supported.

  • a Base-64 encoded string or

  • a URL to a JWK(S)

FQDN path automatically set for your PAS installation

Key ID (kid) of JWK(S)

Specify the key id of the JWK(S) in this field if you provided a JWK(S) URL.
If no value is provided, the policy tries to look up the key ID from the token header and tries to fetch the corresponding certificate from the configured JWKS endpoint.

a valid string

-

Required Claims

All standard claims, custom claims and ID token fields are available (case sensitive). A special value of access_token will forward the entire encoded token. Nested claims can be accessed by using the JavaScript dot syntax (e.g: address.country, address.formatted).

Option

Description

Possible Values

Default

Claim

Specify a list of required claims. If a required claim is not present, access will be rejected.

a string

-

Value

Determines the content of the claim.

a string

-

Click Add to create more rows in the table. Click Delete to remove selected rows.

Forward Claim Information

Fields from the JWT can be set as headers and forwarded to the API. All standard claims, custom claims and ID token fields are available (case sensitive). A special value of access_token will forward the entire encoded token. Nested claims can be accessed by using the JavaScript dot syntax (e.g: address.country, address.formatted).

Option

Description

Possible Values

Default

Field

Specify a list of fields from the JWT to be forwarded to the API as a header.

a string

-

Header

Holds the value of the Field.

a string

-

Click Add to create more rows in the table. Click Delete to remove selected rows.

Advanced Configuration

Option

Description

Possible Values

Default

Require Signed JWT (JWS)

Specify whether JWTs must be cryptographically signed and verified (JWS).

It is stongly recommended to enable this option.

  • enabled

  • disabled

enabled

Strip Tokens

Enable if the Authorization header or token query parameter should be removed before forwarding traffic to the API.

  • enabled

  • disabled

disabled

Maximum Clock Skew

Specify the maximum allowed clock skew in seconds when validating exp (expiry) and nbf (not before) claims. 0 implies default behavior.

a valid integer

0

Related Pages:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close