How to validate JWT Token from Azure AD

Article ID: 129936

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Hi, in order to protect our APIs from security breaches, we are implementing a pattern where API calls will contain JWT Tokens in the HTTP Header and Layer7 is required to Decode and Authorize it against AZURE AD. Can you please provide assistance by directing us towards any available documentation and helping us set up the environment with proper plugins etc.

Environment

Release:
Component: APIGTW

Resolution

Use the Decode JSON Web Token assertion to validate the JWT against the JWKS published at the Microsoft discovery URL (https://login.microsoftonline.com/common/discovery/keys).

The policy logic below can be used to keep the cached JWKS up to date:

- At least one assertion must evaluate to true
  - All assertions must evaluate to true
    - Look up the JWKS in the cache, then use the Decode JSON Web Token assertion to validate the JWT, etc.
  - All assertions must evaluate to true
    - Route via HTTP to the JWKS URL, store the response in the cache, etc.
    - Use the Decode JSON Web Token assertion to validate the JWT
  - All assertions must evaluate to true
    - Error handling for an invalid JWT

The first branch validates against the cached key set; only if that fails does the second branch fetch a fresh JWKS and retry, and the third branch handles the case where the token is still invalid.

Note: with a JWKS, the "kid" (key ID) is needed to find the correct public key in the key set, and the kid has to be extracted from the JWT itself. Use another Decode JSON Web Token assertion with the "None" validation method to extract the JWT header, then use a JSON path expression to read the "kid" from that header. The product documentation has the sample policy:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/policy-manager-other-security/working-with-json-web-tokens.html
(start from line 32 in the screenshot of the sample policy)
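The flow from the policy outline (look up the kid in the cache, fetch the JWKS on a miss, then validate) together with the header-only extraction from the note, as an added Python example that is not part of this article and not Gateway code. It assumes a constructed JWKS served by a local stand-in for the "route via HTTP" step, placeholder issuer and audience values, and, so that it runs offline with only the standard library, symmetric "oct" keys with HS256 in place of the RS256/RSA keys ("n"/"e") that Azure AD actually publishes; a real implementation swaps the HMAC comparison for an RSA signature check and keeps the rest unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Azure AD signs tokens with RS256 and publishes RSA public keys ("n"/"e") at the
# discovery URL. To run offline with only the standard library, this example uses
# symmetric "oct" keys and HS256 as a stand-in; the kid lookup, cache refresh and
# claim checks are the same. Issuer, audience and secrets below are constructed.
ISSUER = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"
AUDIENCE = "api://example-api"
OLD_SECRET = b"constructed-old-signing-secret"
NEW_SECRET = b"constructed-new-signing-secret"

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed key set standing in for the Microsoft discovery document.
FAKE_JWKS = {"keys": [
    {"kty": "oct", "kid": "key-2021", "alg": "HS256", "k": b64url_encode(OLD_SECRET)},
    {"kty": "oct", "kid": "key-2022", "alg": "HS256", "k": b64url_encode(NEW_SECRET)},
]}

def fetch_jwks() -> dict:
    """Stand-in for the 'route via HTTP to the JWKS URL' branch of the policy."""
    return FAKE_JWKS

class JwksCache:
    """Keys indexed by kid; re-fetched on a cache miss or when older than ttl."""

    def __init__(self, fetcher, ttl_seconds=3600):
        self.fetcher, self.ttl = fetcher, ttl_seconds
        self.keys, self.fetched_at, self.fetch_count = {}, 0.0, 0

    def refresh(self):
        self.keys = {k["kid"]: k for k in self.fetcher()["keys"]}
        self.fetched_at = time.time()
        self.fetch_count += 1

    def get_key(self, kid: str) -> dict:
        if kid in self.keys and time.time() - self.fetched_at < self.ttl:
            return self.keys[kid]            # served from cache (first branch)
        self.refresh()                       # miss or stale: fetch the current set (second branch)
        if kid not in self.keys:
            raise ValueError(f"unknown kid {kid!r} after JWKS refresh")
        return self.keys[kid]

def peek_header(token: str) -> dict:
    """Reads the JOSE header without validating anything (the 'None' validation step)."""
    return json.loads(b64url_decode(token.split(".")[0]))

def verify_jwt(token, cache, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Pinned alg, kid lookup, signature check, then iss/aud/exp/nbf claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = peek_header(token)
    if header.get("alg") != "HS256":         # never accept 'none' or a token-chosen alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not kid:
        raise ValueError("missing kid")
    key = cache.get_key(kid)
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):          # a token without exp is treated as expired
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims

def validation_error(token, cache, **kw):
    """Returns the rejection reason (the error-handling branch), or None if accepted."""
    try:
        verify_jwt(token, cache, **kw)
        return None
    except ValueError as err:
        return str(err)

def mint_token(kid, claims, secret, alg="HS256"):
    """Builds a constructed test token; in reality only the identity provider signs."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

if __name__ == "__main__":
    cache = JwksCache(fetch_jwks)
    tok = mint_token("key-2022", {"iss": ISSUER, "aud": AUDIENCE, "exp": time.time() + 600, "sub": "alice"}, NEW_SECRET)
    print(verify_jwt(tok, cache)["sub"], "JWKS fetches:", cache.fetch_count)
```

Two points worth carrying over to the Gateway policy: the refresh-on-unknown-kid branch is reachable by anyone who can send a request, so a minimum interval between JWKS fetches keeps a flood of tokens with bogus kids from hammering the discovery URL; and because the keys come from the tenant-independent `common` endpoint, the issuer check (the `iss` claim carries your tenant ID) is what ties an otherwise well-signed token to your own tenant.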

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/policy-manager-other-security/working-with-json-web-tokens.html