How does the generate-jwt policy work in API Connect?

Question

How does the generate-jwt policy work in API Connect? Does it invoke a authorization server in back end to generate the JWT? For example in real life scenarios, we have a authorization server which validates the user credentials and gives back the JWT which is n used in subsequent calls. But here i don't see any authorization server is needed we simply mention the claims the encryption algorithms and it gives back a JWT. Correct me if I am wrong.

Another related question:

I believe there are three possible ways to mention the secret to sign the JWT:

Private/Public key pair (RSA)
JWK
Shared Secret Key

How is the Shared Secret Key implemented in API Connect.

NOTE: I need to invoke a system which is exposed using JWT.

score 1 · Accepted Answer · answered Mar 13 '18 at 21:17

1

This policy does not invoke any authorization server. It only generates a JWT token, based on the input params that you provide. That authorization process should happen before the JWT generation.

The shared secret key in the policy can be provided in two ways:

a JWK: defining a variable with the JWK information
a Crypto Object: defined in datapower and referenced in the jwt policy

answered Mar 13 '18 at 21:17

Álvaro Pérez Soria

1,443
1
13
26

So according to your answer if an user has only access to IBM Cloud and not IBM Datapower Gateway, the only option is signing by JWK. Is my understanding correct? – Shepherd Mar 14 '18 at 06:36
If you can't create a Crypto Shared Secret Key in Data Power, then you are correct – Álvaro Pérez Soria Mar 14 '18 at 20:24

How does the generate-jwt policy work in API Connect?

1 Answers1