JWT Validator rule
- The policy checks if the JWT token is valid.
- If valid, the policy processes the request.
- If invalid, the policy discards the request.
Policy execution order
This JWT Validator policy executes after the request has been authorized.
Limitations
This rule only supports RSA-, HSA-, and ECDSA-signed keys.
| Field Name | Description |
|---|---|
| When this rule should be applied | An expression that defines one or more conditions that must be true for the rule to execute. Example: The expression |
| Key Input Format | Select one of the following two options: RAW_TEXT or URL. Note: The option you select determines which of the subsequent fields are displayed. Default value: RAW_TEXT |
| Key | Displayed when RAW_TEXT is selected. Paste the contents of the public key, which can be a PEM-encoded key, a JSON Web Key (JWK), or a Client Secret. Default value: N/A. Example: |
| URL | Displayed when URL is selected. Enter the URL endpoint, or click = to enter an expression that obtains the key. Default value: N/A. Example: https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys |
| Extract Keys from URL | Specifies where to store the extracted keys. Note: When URL is used, this policy supports either a list of JWK keys or a single JWK key, and selects the key by the kid field in the JWT header. If you pass in a list of keys, only the key whose kid matches the JWT header's kid is used for verification. Default value: Expression enabled. Example: $keys |
| Extract into $token | Required. Specifies the locations in the request where the key is looked for. If the key is not found in any of the given locations, this rule passes the request through to the next rule. |
| Custom Header Keys | The names of the headers. If more than one header is given, they are all checked. Click + to add more custom header keys. Default value: N/A. Example: x-api-key |
| Key | The name of the custom header key. Default value: N/A. Example: $.aud |
| Custom Query String Parameter Keys | The names of the query parameters. If more than one name is given, they are all checked. Click + to add more custom query string parameters. Default value: N/A. Example: N/A |
| Key | The name of the custom query string parameter. Default value: N/A. Example: $.aud |
| Custom Cookie Key | The names of the cookies. You can add more than one cookie. Click + to add more custom cookies. Tip: When testing with Postman or another tool, replace the value of the cookie with the access token. Default value: N/A. Example: N/A |
| Key | The name of the custom cookie key. Default value: N/A. Example: Key2 |
| Authorization Header Type | If the key is in the Authorization header, this value is used as the "type" to check. Default value: Bearer. Example: Bearer |
| Extract User Info | Required. Specifies how to extract information about the user from the working object. Default value: N/A. Example: Bearer |
| User ID Expression | Required. An expression returning the user ID. Default value: N/A. Example: $qty |
| Roles Expression | Required. An expression returning the roles for the user. Default value: N/A. Example: $aud |
| Status | Indicates whether the rule is enabled or disabled. Default value: Enabled. Example: Disabled |
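The behaviour the table describes (token extraction from the configured headers and cookies, the Authorization Header Type check, key selection by kid, and accept/discard on signature verification), modelled as an added Python example that is not the product's own code. It implements HMAC (HS256) verification only, and the JWK set, requests and claims it uses are all constructed.

```python
# Added example (not the product's code): a minimal model of the JWT Validator rule for HS256 tokens.
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, jwk: dict) -> str:
    """Issue a constructed HS256 token signed with an 'oct' JWK (test data only)."""
    h = b64url(json.dumps({"alg": "HS256", "kid": jwk["kid"]}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def extract_token(headers: dict, header_keys=("Authorization",), cookie_keys=(), auth_type="Bearer"):
    """Check configured headers, then cookies; None = not found, request passes to the next rule."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in header_keys:
        value = lower.get(name.lower())
        if value is None:
            continue
        if name.lower() != "authorization":
            return value                      # custom header carries the raw token
        scheme, _, token = value.partition(" ")
        if scheme == auth_type and token:     # Authorization Header Type must match
            return token
    cookies = dict(c.strip().split("=", 1) for c in lower.get("cookie", "").split(";") if "=" in c)
    for name in cookie_keys:
        if name in cookies:
            return cookies[name]
    return None

def validate(token: str, jwks: list):
    """Verify with the JWK whose kid equals the header's kid; claims on success, None = discard."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except ValueError:                        # malformed token or bad base64/JSON
        return None
    jwk = next((k for k in jwks if k.get("kid") == header.get("kid")), None)
    if header.get("alg") != "HS256" or jwk is None or jwk.get("kty") != "oct":
        return None                           # HMAC only here; RSA/ECDSA keys would branch off
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return json.loads(b64url_decode(p64))

# Constructed key set with two 'oct' JWKs so that kid selection is exercised.
JWKS = [{"kty": "oct", "kid": "key-1", "k": b64url(b"constructed-secret-1")},
        {"kty": "oct", "kid": "key-2", "k": b64url(b"constructed-secret-2")}]
```

The User ID and Roles expressions ($sub, $aud) then map onto plain claim lookups in the returned dictionary.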