
[Part 2/3] Securing APIs using JSON Web Token (JWT) in IBM API-Connect v10 using X.509 RSA key pair

Hello Tech Enthusiasts 👋,

Please refer to the previous article, Part 1, to understand how the certificates are generated and uploaded in IBM API Connect.

This article focuses on the generation of JWT tokens using the APIC v10 jwt-generate policy.

The sequence design that will be followed:

[Figure: APIC JWT Generate & Validate sequence]

1). Log on to the APIC Manager console and go to the Develop tab. Create a new API using OpenAPI 2.0. You can use OpenAPI 3.0 as well, since the jwt-generate policy remains the same.

2). Give the Title as ‘JWT Generation and Validation’ and the base path ‘/securetoken’. Select Next and create the API.

3). Delete the blank path and create the following path with a ‘get’ operation. I’m using get here, but it may vary according to your requirement. For now, I’m keeping it simple.

[Figure: API Manager Design Tab]

4). Navigate to the Gateway tab and drag the operation-switch into the assembly section.

5). Construct two cases based on the operations as follows:

[Figure: assembly-operation-switch]

6). The actual numbers don’t matter, only that a number is used.

7). For the generate part, drag the jwt-generate policy into the assembly section and fill in the form as follows:

  • Leave the JSON Web Token field empty, as we prefer the token to be sent in the Authorization header.
  • Issuer Claim: request.headers.iss-claim
  • Audience Claim: request.headers.aud-claim
  • Reduce the validity period to 60 seconds so that both the success and the failure (expired token) scenarios can be tested easily.
  • Cryptographic Algorithm: RS256
  • Sign Crypto Object: personal_sandbox_tlsp-jwt-keyprofileV1.0.0-key

[Figure: apic-jwt-generate-policy]

  • Click Save and Publish the API.

For simplicity, I’m only using X-IBM-Client-Id as the client validation. Let’s generate a JWT token now.

[Figure: Postman Generate JWT]

When using Postman, consider automating the token handling with a small script instead of copying and pasting the token manually.

Select the request in Postman and go to the Scripts tab. Add the following JavaScript to the ‘post-response’ section:

// Read the JWT returned by the jwt-generate policy in the Authorization response header
let access_token = pm.response.headers.get("Authorization");
// Store it as a Postman global so the validation request (Part 3) can reuse it
pm.globals.set("jwt_token", access_token);

Let’s now move on to Part 3, the validation of the token generated above.

— Keep Learning 😊

— Aditya Singh

If this article helped you in some way and you want to support me, you can …

This post is licensed under CC BY 4.0 by the author.
