This documentation is for WSO2 API Manager 1.4.0 View documentation for the latest release.
Generating JSON Web Token (JWT) - API Manager 1.4.0 - WSO2 Documentation

Given below is the configuration related to API Manager JWT generation found in <APIM_HOME>/repository/conf/api-manager.xml file.

<APIConsumerAuthentication>
    <SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
    <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
    <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
    <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
    <EnableTokenGeneration>true</EnableTokenGeneration>
</APIConsumerAuthentication>

Let's take a look at each parameter in the XML file in detail.

EnableTokenGeneration

XML Syntax: <EnableTokenGeneration/>
Description: Used to enable or disable JWT generation.
Type: Boolean
Default Value: false
Fixed Values: true/false
Mandatory/Optional: Optional

SecurityContextHeader

XML Syntax: <SecurityContextHeader/>
Description: This is the name of the HTTP header to which the JWT is attached.
Type: String
Default Value: X-JWT-Assertion
Fixed Values: N/A
Mandatory/Optional: Optional

ClaimsRetrieverImplClass

XML Syntax: <ClaimsRetrieverImplClass/>

Description:

By default, a fixed set of values is encoded into the JWT: subscriber name, application name, API context, API version and authorized resource owner name. In addition to these values, an extensible interface is provided to encode any further attribute of the user that the JWT requires. The fully-qualified name of the interface is 'org.wso2.carbon.apimgt.impl.token.ClaimsRetriever'. The methods provided in the interface are:

  • void init() throws APIManagementException;

This method is executed once right before the very first request. Any initialization tasks can be performed here.

  • SortedMap<String,String> getClaims(String endUserName) throws APIManagementException;

This method returns a SortedMap of claims. The key of the Map should indicate the 'user attribute name' and the value should indicate the corresponding 'user attribute value'. The order in which these keys and values are encoded depends on the ordering defined by the SortedMap.

  • String getDialectURI(String endUserName);

This is the dialect URI to which the attribute names returned by getClaims() are appended. For example,
if getClaims() returns {email:user1@wso2.com, gender:male} and getDialectURI() returns http://wso2.org/claims, the JWT will contain "http://wso2.org/claims/email":"user1@wso2.com","http://wso2.org/claims/gender":"male" as part of the body.

The default implementation (org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever) returns the user's attributes defined under the dialect URI http://wso2.org/claims and the JWT will also be encoded with the same dialect URI. The order of encoding the user's attributes is the natural order of the attributes. If no value is specified, no additional claims will be encoded, except the 6 default attributes.

Type: String
Default Value: org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever
Fixed Values: N/A
Mandatory/Optional: Optional
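As an added example (not WSO2's own code), the class below implements the ClaimsRetriever interface described above and is the kind of class named in <ClaimsRetrieverImplClass>. It releases only an explicit allowlist of user attributes, so that a directory attribute the backend has no need for never ends up in a token that travels to every backend service. The interface and its three method signatures are taken from this page; the example package name, the package of APIManagementException, the dialect URI and the in-memory user table are assumptions.

```java
// Added example: a custom ClaimsRetriever for the <ClaimsRetrieverImplClass> element.
// The interface and method signatures are those listed on the page; the package of
// APIManagementException and the user-attribute source below are assumptions.
package com.example.apim.token;   // hypothetical package

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;

import org.wso2.carbon.apimgt.api.APIManagementException;   // package name assumed
import org.wso2.carbon.apimgt.impl.token.ClaimsRetriever;

public class MinimalClaimsRetriever implements ClaimsRetriever {

    // Dialect URI under which the attribute names are encoded into the JWT body,
    // e.g. the "email" attribute becomes "http://example.org/claims/email". Constructed value.
    private static final String DIALECT_URI = "http://example.org/claims";

    // Only these attributes are ever released to the backend. Keeping the list explicit
    // avoids leaking every attribute of the user into the token.
    private static final String[] RELEASED_ATTRIBUTES = {"department", "email"};

    // Stand-in for the real attribute source (user store, LDAP, database).
    private Map<String, Map<String, String>> userStore;

    @Override
    public void init() throws APIManagementException {
        // Runs once before the first request: open connections, warm caches, and so on.
        // Here a constructed in-memory table plays the role of the user store.
        Map<String, Map<String, String>> store = new HashMap<>();
        Map<String, String> user1 = new HashMap<>();
        user1.put("email", "user1@wso2.com");
        user1.put("department", "engineering");
        user1.put("salary", "present-in-store-never-released");   // filtered out by the allowlist
        store.put("user1", user1);
        userStore = Collections.unmodifiableMap(store);
    }

    @Override
    public SortedMap<String, String> getClaims(String endUserName) throws APIManagementException {
        if (userStore == null) {
            throw new APIManagementException("ClaimsRetriever used before init()");
        }
        // TreeMap gives natural (alphabetical) key order, which fixes the encoding order.
        SortedMap<String, String> claims = new TreeMap<>();
        Map<String, String> attributes = userStore.get(endUserName);
        if (attributes == null) {
            return claims;   // unknown user: encode no extra claims rather than failing the call
        }
        for (String name : RELEASED_ATTRIBUTES) {
            String value = attributes.get(name);
            if (value != null) {
                claims.put(name, value);
            }
        }
        return claims;
    }

    @Override
    public String getDialectURI(String endUserName) {
        return DIALECT_URI;
    }
}
```

To use it, the compiled class must be on the API Manager classpath and the element set to <ClaimsRetrieverImplClass>com.example.apim.token.MinimalClaimsRetriever</ClaimsRetrieverImplClass>. For user1 the gateway would then encode "http://example.org/claims/department":"engineering" and "http://example.org/claims/email":"user1@wso2.com", and nothing else from the store.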

ConsumerDialectURI

XML Syntax: <ConsumerDialectURI/>
Description: This is the dialect URI under which the user's claims are looked up. It only takes effect with the default value of the <ClaimsRetrieverImplClass> element.
Type: String
Default Value: N/A
Fixed Values: N/A
Mandatory/Optional: Optional

SignatureAlgorithm

XML Syntax: <SignatureAlgorithm/>
Description:

The signing algorithm used for signing the JWT. The general form of the JWT is {.....}.{.....}.{.....} - three strings delimited by periods.

When NONE is used as the signing algorithm, the JWT looks like {.....}.{.....}. - two strings delimited by a period, with a period at the end.

Type: String
Default Value: SHA256WITHRSA
Fixed Values:
  • SHA256WITHRSA
  • NONE - Signing is turned off
Mandatory/Optional: Optional
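The backend that receives the X-JWT-Assertion header is the party that relies on the signature, so it should accept only the three-part signed form and the expected algorithm; the two-part form produced with NONE carries no proof that the gateway issued it. The following added example (not WSO2 code) is such a backend-side check written with the JDK's own Signature API, using the JCA algorithm name SHA256withRSA from the configuration above. Assumptions: the alg string the gateway writes into the JWT header is taken to be the same JCA name, the segment encoding (base64url or standard Base64) is not stated on this page so both are accepted, and the key pair and tokens in main() are constructed for the demonstration in place of the gateway's real signing certificate.

```java
// Added example (not WSO2 code): backend-side verification of the X-JWT-Assertion header.
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwtAssertionCheck {

    // Only signing algorithm the backend accepts; matches the gateway's SignatureAlgorithm.
    // The header value the gateway actually writes is assumed to be this same JCA name.
    static final String ACCEPTED_ALG = "SHA256withRSA";
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    // Segment encoding is not stated on the page: try base64url first, then standard Base64.
    static byte[] decode(String segment) {
        try {
            return Base64.getUrlDecoder().decode(segment);
        } catch (IllegalArgumentException e) {
            return Base64.getDecoder().decode(segment);
        }
    }

    // Returns the claims body when the token is signed with ACCEPTED_ALG under gatewayKey,
    // otherwise throws SecurityException.
    static String verify(String token, PublicKey gatewayKey) throws Exception {
        // Signed form is header.body.signature. With SignatureAlgorithm NONE the gateway emits
        // header.body. (empty third segment); that token proves nothing about its origin.
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || parts[0].isEmpty() || parts[1].isEmpty() || parts[2].isEmpty()) {
            throw new SecurityException("unsigned or malformed JWT assertion");
        }
        String header = new String(decode(parts[0]), StandardCharsets.UTF_8);
        Matcher m = ALG.matcher(header);
        if (!m.find() || !ACCEPTED_ALG.equals(m.group(1))) {
            throw new SecurityException("alg not accepted: " + header);
        }
        Signature sig = Signature.getInstance(ACCEPTED_ALG);
        sig.initVerify(gatewayKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(decode(parts[2]))) {
            throw new SecurityException("signature does not verify");
        }
        return new String(decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Demo: a constructed key pair stands in for the gateway's signing key, and tokens are
    // built here in the two layouts the page describes.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair gateway = gen.generateKeyPair();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();

        String header = enc.encodeToString(
                "{\"typ\":\"JWT\",\"alg\":\"SHA256withRSA\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(("{\"http://wso2.org/claims/email\":\"user1@wso2.com\","
                + "\"http://wso2.org/claims/gender\":\"male\"}").getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance(ACCEPTED_ALG);
        signer.initSign(gateway.getPrivate());
        signer.update((header + "." + body).getBytes(StandardCharsets.US_ASCII));
        String signed = header + "." + body + "." + enc.encodeToString(signer.sign());
        System.out.println("accepted: " + verify(signed, gateway.getPublic()));

        // Layout produced with SignatureAlgorithm NONE: two segments and a trailing period.
        String unsigned = enc.encodeToString(
                "{\"typ\":\"JWT\",\"alg\":\"NONE\"}".getBytes(StandardCharsets.UTF_8)) + "." + body + ".";
        try {
            verify(unsigned, gateway.getPublic());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a deployment the public key passed to verify() comes from the gateway's signing certificate rather than a generated pair, and the body string is handed to a JSON parser only after verify() has returned; the alg check is pinned to one value rather than read from an allowlist so that a header naming "NONE" or any other algorithm is rejected before the signature is examined.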
