Configure JWT validation
JSON web token (JWT) validation maximizes identity provider offload and lets you authorize users who send requests to your API. You can enable protection for the entire API, choose specific JWT reserved claims that you want to verify at the edge, and exempt individual resources from requiring validation.
- On the API Definitions page, in the Registered APIs section, click the ellipsis icon () associated with the API configuration you want to configure JWT validation settings for.
- From the menu, select Manage versions.
- In the Version history panel, click the ellipsis icon () associated with the API configuration version you want to configure JWT validation settings for.
- From the list of delivery options, select JSON web tokens (JWT).
On the JSON web tokens (JWT)
settings page, set the Enable JWT switch to
By setting this switch to Yes for the first time, you enable JWT validation for all resources associated with your API.
- From the JWT location menu, select the location for the JWT in the HTTP request.
In the location name
field, enter a name for the JWT location.
where location is either Header, Cookie, or Query parameter.
Do one of these steps:
If... Then... If you want to upload RSA public keys manually, do these steps:
- In the Public key format area, select RSA public key.
- In the Primary RSA public key area, click Choose file and upload the primary RSA public key for the JWT signature verification.
- Optionally in the Backup RSA public key area, click Choose file and upload the backup RSA public key for use during key rotations.
If you want to use JSON web key sets (JWKSs) for a dynamic RSA public key upload, do these steps:
- In the Public key format area, select JWKS URI.
- In the Certificate chain
area, click Choose
file and upload a certificate chain to authenticate the hostnames in
with. Note that the certificate chain must exclude the leaf node. This will
facilitate the renewal of the certificate corresponding to the hostname.
A certificate chain is a list of certificates that allows edge servers to authenticate your hostnames and verify that a secure connection can be established. Edge servers authenticate the hostnames by verifying the Common Name (CN) of your origin SSL certificate. You should include a valid certificate chain in a PEM file and upload it here. The file should start with "----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
- In the JWK set URL area, specify a URL that refers to a resource for a set of JSON-encoded public keys.
- In the Allowed JWKS URLs text box, enter up to 50 URLs
where JWKSs reside.Note: If your hostname uses a different port for secure connections than the default 443, you can indicate it after a colon. For example: bookstore.api.com:8443
Whenever you update JSON web key sets, make sure to send a purge request with your old JWKS URI via the Fast Purge feature (a sample JWKS URI may look like this: https://bookstore.api.com/.well-known/jwks.json). This will prevent tokens with old signatures from retaining access to your API content. For details on Fast Purge, see the Fast Purge web help.
- Click the Validate button to validate the API Gateway connectivity to the JWKS URL. If the connection is successful, the Validate button is displayed with a green checkmark.
- In the Public key max age
field, enter the maximum time for caching a public key.Note: You can specify this parameter in seconds, minutes, hours, or days. In each case, the value must be between 1 and 1000000.
Keeping a public key in edge servers' cache negates the need to search for the public key in subsequent requests of a particular JWT issuer. This in turn reduces the time needed to validate the JWT.
In the Clock skew amount (0-60
seconds) field, enter a value between 0 and 60.
Clock skew amount specifies the allowed time difference (in seconds) between the server and client clocks when validating the exp and nbf claims. The recommended default value is 5.
- Optional: Configure JWT claims.
If you want to validate only particular
resources, specify them in the Enable JWT validation for resources section by setting their corresponding
switches to Yes.
If you decide to reset JWT settings for all resources to the API level at any point, you can click Reset to API settings. You can also control which individual resources inherit the top-level settings by selecting their Inherit check boxes.
- Click Save.