This policy performs the following checks on a JSON Web Token carried in the Authorization or X-Authorization header of the HTTP request:
- Issuer
- Audience
- Scope
- Expiration
- Signature
If any of these checks fails, the policy returns a 401 response and the request is not forwarded to the protected resource.
OAuth 2.0 JWS (JWT)
- To be applied to a protected resource
- Token format as defined in RFC 7519
This policy does not support opaque (by-reference) bearer tokens: it verifies the JWT locally from its signature rather than calling an introspection or validation endpoint.
Policy supports these algorithms for digital signature verification:
- HmacSHA256, HmacSHA384 and HmacSHA512 (JWS alg values HS256, HS384 and HS512)
- SHA256withRSA, SHA384withRSA and SHA512withRSA (JWS alg values RS256, RS384 and RS512)
Tested with:
- Azure AD
  - V1 endpoints
- jwt.io (for testing)
- Crowd Nov 2017 Release
- Mule 3.9.0
The HTTP Authorization or X-Authorization header must have the following form:
Bearer <jwt>
for example:
Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
The policy configuration contains several input parameters:
Key service - use if you want to obtain the secret or public key from a JWKS service. The following parameters are required to configure the key service:
- keys_host - host name of the JWKS service
- keys_base_path - base path of the JWKS endpoint on that host
- keys_port - port of the JWKS service
Keys are cached; the following parameters configure the cache:
- cache_entries - maximum number of keys kept in the cache
- cache_ttl - time to live of a cached key
- cache_interval -
- Secret - specifies a secret (for the HmacSHA algorithms) or a public key (for the SHAwithRSA algorithms) used to verify the JWT signature.
  - Set to null if the key should be retrieved from the JWKS service.
  - A JWT can be signed with any of the supported algorithms. Because this one parameter carries either an HMAC secret or an RSA public key, confirm that the policy only accepts tokens whose alg header matches the kind of key you configured: a verifier that lets the token pick between HMAC and RSA can be made to treat the (non-secret) RSA public key as an HMAC key.
  - A public key is inserted without the BEGIN and END lines, i.e. only the base64 body of the PEM-encoded X.509 SubjectPublicKeyInfo, like this:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArLrCUilXj+ggjh/kq/EhEsAXWhyF511k
tdddFxuOts6ZEcq9u9OP1WnXO14qvZwsd4RBJ3RVm9bMQQzlproMlhkjihsz4ETQS8Ko3e3N0j6+
is+jwX5hOVRu7WrD+iqE8AcoNtkTf8YwntHqWGMxzQSl57VQ7NSf4a/VSSBKW3oZy0tYQMZECZow
aLlfjgPibrw9TGwYPceF0e203HuF9fSfqvlGSrr8QPDmwT3Tvp96yF3nwTDiTGdL1YTSUI8SFjzF
STNVCTKc9P0e9MMdE28nZL9NDPWmi/DnYs6t32uolMc2erEd5OjSQ7Rry58Jt6IaURC93xuN9wir
mxp8UQIDAQAB
- Issuer - expected issuer (iss claim) of the JSON Web Token.
- Audience - expected audience (aud claim) of the JSON Web Token.
  - Set to null if you want to skip the aud check.
  - Provide multiple audiences as a comma separated list.
- Scope - scopes (scp claim) that must be present in the JWT.
  - Set to null if you want to skip the scp check.
  - Provide multiple scopes as a comma separated list.
Note: Tests need to be updated and are failing.
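Worked example of the checks described above, added to this README and not part of the policy's own code: a pure-Python verifier that applies the Bearer header parsing, signature check (HMAC family only; for RSA it shows just the key-kind/alg binding), issuer, audience, scope and expiration checks in the order the policy lists them. The claim names iss/aud/scp/exp, the config key names (secret, key_kind, issuer, audience, scope), the rule that any one configured audience suffices while every configured scope is required, the treatment of a missing exp as a failure, and the sample tokens minted by mint_hmac_token are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# JOSE "alg" names mapped to the JCA algorithms the policy lists (HmacSHA* and SHA*withRSA).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
RSA_ALGS = {"RS256", "RS384", "RS512"}

class TokenRejected(Exception):
    """Raised by any failed check; the policy answers all of these with HTTP 401."""

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _csv(value):
    # Comma-separated config value -> list; None means "skip this check" (assumed semantics).
    return None if value is None else [v.strip() for v in value.split(",") if v.strip()]

def extract_bearer(headers):
    """Pull the compact JWS out of "Bearer <jwt>" in Authorization or X-Authorization."""
    value = headers.get("Authorization") or headers.get("X-Authorization")
    if not value:
        raise TokenRejected("missing Authorization/X-Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise TokenRejected("header must have the form 'Bearer <jwt>'")
    return token.strip()

def verify_token(token, config, now=None):
    """Checks in order: signature, issuer, audience, scope, expiration. config keys (assumed
    names): secret, key_kind ("hmac"/"rsa"), issuer, audience (comma list/None), scope (comma list/None)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS (header.payload.signature)")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("malformed token: %s" % exc)
    # Signature. The token's alg is honoured only if it matches the configured key kind:
    # that keeps "none" out and stops an RSA public key from being used as an HMAC secret.
    alg = header.get("alg")
    if config["key_kind"] == "hmac":
        if alg not in HMAC_ALGS:
            raise TokenRejected("alg %r not allowed with an HMAC secret" % alg)
        signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
        expected = hmac.new(config["secret"].encode("utf-8"), signing_input, HMAC_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, signature):
            raise TokenRejected("bad signature")
    else:  # "rsa": alg binding only; RSA signature verification itself needs a JOSE library
        if alg not in RSA_ALGS:
            raise TokenRejected("alg %r not allowed with an RSA public key" % alg)
        raise TokenRejected("RSA verification is outside this example")
    # Issuer: exact match on "iss".
    if claims.get("iss") != config["issuer"]:
        raise TokenRejected("issuer mismatch")
    # Audience: "aud" may be a string or an array; one configured audience must be present.
    expected_aud = _csv(config.get("audience"))
    if expected_aud is not None:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if not set(aud) & set(expected_aud):
            raise TokenRejected("audience mismatch")
    # Scope: every configured scope must be present in "scp" (space-separated string or array).
    required_scp = _csv(config.get("scope"))
    if required_scp is not None:
        scp = claims.get("scp", [])
        scp = scp.split() if isinstance(scp, str) else list(scp)
        if not set(required_scp) <= set(scp):
            raise TokenRejected("required scope missing")
    # Expiration: "exp" is mandatory here and must lie in the future.
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenRejected("token expired or has no exp")
    return claims

def mint_hmac_token(claims, secret, alg="HS256"):
    """Constructed test input only: sign claims the way an HS* issuer would."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode("utf-8"), ("%s.%s" % (header, payload)).encode("ascii"), HMAC_ALGS[alg])
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig.digest()))

def authorize(headers, config, now=None):
    """Policy entry point: (200, claims) when every check passes, (401, None) otherwise."""
    try:
        return 200, verify_token(extract_bearer(headers), config, now)
    except TokenRejected:
        return 401, None
```

The point to carry over to the real policy is the branch on key_kind: the verifier decides the algorithm family from the configured key, not from the token, so an attacker who knows the public key cannot downgrade to HMAC or to alg "none". The remaining checks are order-independent, but doing the signature first means no claim is trusted before its integrity is established.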