JWT Verify

Overview

You can use the JWT Verify filter to verify signed JWTs.

Upon successful verification, the filter removes the header and signature of the incoming signed JWT and outputs the originally signed JWS payload. For example, when you verify the following JWS (compact serialization, shown with line breaks for readability; it is the RS256 example from RFC 7515, Appendix A.2):

eyJhbGciOiJSUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7
AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4
BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K
0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv
hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB
p0igcN_IoypGlUPQGe77Rw

The output is:

{"iss":"joe",
 "exp":1300819380,
 "http://example.com/is_root":true}

Note   The JWT Verify filter reads the alg header of the incoming JWS to detect whether it is signed with an HMAC shared key or with an asymmetric (RSA/EC) key, and applies the corresponding settings. You can therefore configure both a shared key and a certificate; for any given token the filter uses one or the other, depending on the type of JWS it receives. Because the token itself selects the verification method, configure only the key types you intend to accept: if your issuer signs only with RSA/EC keys, leave the symmetric section set to None so that HMAC-signed tokens are not verified against a shared key.

General settings

Configure the following fields on the JWT Verify window:

Name:

Enter an appropriate name for the filter to display in a policy.

Token location:

Enter the selector expression to retrieve the JWS token to be verified.

Verification using RSA/EC public keys

Optionally, configure the following fields in the Verify using RSA/EC public key section:

X509 certificate:

Select the certificate from the certificate store that is used to verify the payload.

Selector expression:

Alternatively, enter a selector expression to retrieve the alias of the certificate in the certificate store.

Verification using symmetric key details

Optionally, configure the following fields in the Verify using symmetric key section:

None:

Select this if the filter should not verify tokens signed with HMAC.

Shared key:

Enter the shared key that was used to sign the payload. The key should be given as a base64-encoded byte array.

Selector expression:

Alternatively, enter a selector expression to obtain the shared key. The value returned by the selector should contain:

  • Byte array (possibly produced by a different filter)
  • Base64-encoded byte array

JWK from external source:

Optionally, enter a selector expression to retrieve a JSON Web Key that can be used to verify signed tokens. The JWKs can be retrieved with the Connect to URL filter.
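The following Go program is an added example, not code from the page or from the product; it models the behaviour described in the Note and in the two key sections with a hypothetical verifier. It reads alg from the protected header, uses an RSA public key (standing in for the filter's X509 certificate) for RS256 and a shared key for HS256, refuses an HMAC-signed token when the symmetric setting is None (a nil shared key here), rejects "alg":"none" and anything else it has no key for, and on success returns the decoded payload as the filter does. The payload is the page's example; the RSA key and the shared key are generated or constructed at run time.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// PagePayload is the claims object from the page's example, exactly as the
// filter outputs it on success (RFC 7515 uses CRLF and a space as whitespace).
var PagePayload = []byte("{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http://example.com/is_root\":true}")

// Keys mirrors the filter's two optional sections. A nil field is the
// "None" setting: tokens that would need that key type are rejected.
type Keys struct {
	Public    *rsa.PublicKey // stands in for the selected X509 certificate
	SharedKey []byte         // raw HMAC key bytes; base64-decode first if the selector returned base64
}

// Verify checks a compact JWS and returns its payload, as the filter does.
// The alg is read from the protected header, but only a key type that has
// actually been configured is used; anything else is rejected.
func Verify(token string, keys Keys) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if err1 != nil || err2 != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWS header or signature")
	}
	input := []byte(parts[0] + "." + parts[1]) // the JWS Signing Input
	switch hdr.Alg {
	case "HS256":
		if keys.SharedKey == nil {
			return nil, fmt.Errorf("HS256 token but symmetric verification is set to None")
		}
		mac := hmac.New(sha256.New, keys.SharedKey)
		mac.Write(input)
		if !hmac.Equal(mac.Sum(nil), sig) {
			return nil, fmt.Errorf("HMAC verification failed")
		}
	case "RS256":
		if keys.Public == nil {
			return nil, fmt.Errorf("RS256 token but no RSA public key configured")
		}
		digest := sha256.Sum256(input)
		if err := rsa.VerifyPKCS1v15(keys.Public, crypto.SHA256, digest[:], sig); err != nil {
			return nil, err
		}
	default: // includes "none": an unsigned token is never accepted
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	return b64.DecodeString(parts[1])
}

// Sign builds a compact JWS so the verifier can be exercised. key is a
// []byte for HS256 or an *rsa.PrivateKey for RS256.
func Sign(alg string, payload []byte, key interface{}) (string, error) {
	input := []byte(b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`)) + "." + b64.EncodeToString(payload))
	var sig []byte
	var err error
	switch k := key.(type) {
	case []byte:
		mac := hmac.New(sha256.New, k)
		mac.Write(input)
		sig = mac.Sum(nil)
	case *rsa.PrivateKey:
		digest := sha256.Sum256(input)
		sig, err = rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
	default:
		err = fmt.Errorf("unsupported key type %T", key)
	}
	if err != nil {
		return "", err
	}
	return string(input) + "." + b64.EncodeToString(sig), nil
}

func main() {
	// Constructed demo: sign the page's payload with a fresh RSA key and verify it
	// with the RSA public key only, so an HS256 token would be refused.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Sign("RS256", PagePayload, priv)
	out, err := Verify(tok, Keys{Public: &priv.PublicKey})
	fmt.Println(string(out), err)
}
```

With both keys set, the verifier picks the key from the token's alg, as the Note describes; with only the RSA key set (the symmetric section at None), the same HS256 token fails. An EC certificate would be handled the same way, with an ES256 branch calling ecdsa.Verify on the raw r||s signature.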
