Page History

...

Element Description Default Value

<EnableTokenGeneration>

Set this value to true to enable JWT. Note that if you publish APIs before JWT is enabled, you have to republish them.

false

<SecurityContextHeader/> The name of the HTTP header to which the JWT is attached. X-JWT-Assertion

<ClaimsRetrieverImplClass/>

By default, the <ClaimsRetrieverImplClass> parameter is commented out in the api-manager.xml file. Enable it to add all user claims in the JWT token:

Code Block

language	xml

<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>

By default, the following are encoded to the JWT:

subscriber name
application name
API context
API version
authorized resource owner name

In addition, you can also write your own class by extending the interface org.wso2.carbon.apimgt.impl.token.ClaimsRetriever and implementing the following methods of the interface:

Method Description

void init() throws APIManagementException;

Used to perform initialization tasks. Is executed once, right before the very first request.

SortedMap<String,String> getClaims(String endUserName) throws APIManagementException;

Returns a sorted map of claims. The key of the map indicates the user attribute name and the value indicates the corresponding user attribute value. The order in which these keys and values are encoded depends on the ordering defined by the sorted map.

String getDialectURI(String endUserName);

The dialect URI to which the attribute names returned by the getClaims() method are appended to. For example,
if the getClaims method returns {email:user1@wso2.com, gender:male} and the getDialectURI() returns http://wso2.org/claims , the JWT will contain "http://wso2.org/claims/gender":"male","http://wso2.org/claims/email":"user1@wso2.com" as part of the body.

The default implementation (org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever) returns the user's attributes defined under the dialect URI http://wso2.org/claims and the JWT will also be encoded with the same dialect URI. The order of encoding the user's attributes is the natural order of the attributes. If no value is specified, no additional claims will be encoded, except the 6 default attributes.

org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever

<ConsumerDialectURI/>

The dialect URI under which the user's claims are be looked for. Only works with the default value of <ClaimsRetrieverImplClass> element defined above.

The JWT token contains all claims define in the <ConsumerDialectURI> element. The default value of this element is http://wso2.org/claims . To get a list of users to be included in the JWT, simply uncomment this element after enabling the JWT. It will include all claims in http://wso2.org/claims to the JWT token.

Excerpt

hidden	true

Taken from the shared space: http://docs.wso2.org/display/FAQ/APIM+Common#APIMCommon-HowtogetarolelistofuserstobeincludedintheJWT

http://wso2.org/claims

<SignatureAlgorithm/>

The signing algorithm used to sign the JWT. The general format of the JWT is {token infor}.{claims list}.{signature}. When NONE is specified as the algorithm, signing is turned off and the JWT looks as {token infor}.{claims list} with two strings delimited by a period and a period at the end.

This element can have only two values- the default value, which is SHA256WITHRSA or NONE.

SHA256WITHRSA

Tip

You can use TCPMon or API Gateway debug logs to capture JWT token header withenduser details. To enable gateway DEBUG logs for wire messages,

Go to the <APIM_GATEWAY>/repository/conf directory and open the log4j.properties file with a text editor.
Edit the entries for the two loggers as follows:
#log4j.logger.org.apache.synapse.transport.http.headers=DEBUG
#log4j.logger.org.apache.synapse.transport.http.wire=DEBUG

Customizing the JWT generation

...

Versions Compared

Old Version 5

New Version Current

Key

Customizing the JWT generation