2
votes

We plan to introduce an API management solution and we're currently setting up a proof of concept with WSO2 AM. We want to use the WSO2 API gateway to check whether a certain consumer application is allowed to use an API and to throttle the request rate. I work on the identity workflow and I wonder how a consuming application can pass a JWT token to the backend service with WSO2-AM in between.

First, this is our current scenario:

Without API gateway

  1. The consuming application gets a JWT token for its carbon user from an identity provider. The JWT contains some claims about the user, e.g. the roles he/she belongs to.
  2. The app calls the service and passes the JWT token in the Authorization HTTP header like: Authorization: Bearer
  3. The service validates the issuer and signature of the JWT and retrieves the claims from it.

So, this is pretty straightforward. Now we put an API gateway in between the application and the service:

With API gateway

  1. The consuming application gets a JWT token for its carbon user from an identity provider.
  2. The consuming application uses OAuth2 to get an access token for the following API calls. We can use the client_credentials grant type and simply pass the client id and client secret. I haven't yet tried it, but we could possibly use the JWT grant type (see https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type) and use the JWT for passing user information to the API gateway.
  3. The API gateway validates the JWT against the public key of the identity provider when using the JWT grant type.
  4. An access token is returned to the app.
  5. The app sends an API request to the gateway and passes the access token in the Authorization HTTP header.
  6. The gateway validates the access token.
  7. The gateway forwards the API request to the service.

And there is my problem: How can the JWT from 1/2. be passed to the service?

There is a documentation for "Passing Enduser Attributes to the Backend Using JWT" (see https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT), but this would introduce a new JWT, issued and signed by WSO2-AM, and I'm not sure, whether this JWT contains all information from the JWT used to create the access token (or even the original JWT).

Another way I could think of is using a custom HTTP header for passing the JWT through the gateway to the service. I cannot use the Authorization header (as we do without the API gateway), because WSO2-AM expects the access token in that header.

Since I'm not happy with either solution, I want to ask the experts: How would you solve this?

Thanks, Torsten

1
A month later it would be interesting to know how you finally solved it :-) - Dennis Kieselhorst

I know it has been a long time but how did you solve it? I know it is possible to pass the JWT to the backend following the link you have posted, but how about user roles? I'd like to get it from a JWT claim in a SpringBoot microservice. - Emilio Numazaki

1 Answer

2
votes

The only possibility I can think of is to send the JWT token in a custom Header for the backend service.
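The answer above leaves one thing implicit that matters for the backend: WSO2 AM validates the OAuth2 access token in the Authorization header, but nothing on the gateway checks a JWT that is merely passed through in a custom header, so the service must keep doing what step 3 of the "without gateway" flow did (verify issuer and signature) before trusting claims such as roles. The following is an added example written for this page, not code from WSO2 or the poster, showing the backend side of the custom-header approach and the roles extraction the comment above asks about. It assumes a hypothetical header name `X-User-JWT` (deliberately not WSO2's own `X-JWT-Assertion`, which carries the gateway-issued JWT) and uses HS256 with a shared key only so it runs without third-party libraries; against a real identity provider the signature check would use the provider's public key (RS256/ES256) through a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical pass-through header name, assumed for this example.
USER_JWT_HEADER = "X-User-JWT"
# Simplification for a dependency-free example: the real IdP key is asymmetric.
EXPECTED_ALG = "HS256"


class TokenError(Exception):
    """Raised for any reason the backend must reject the pass-through JWT."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; stands in for the identity provider in this example."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Validate structure, algorithm, signature, issuer and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("undecodable token")
    # Pin the algorithm: the token must not choose it (rejects "none" and alg confusion).
    if header.get("alg") != EXPECTED_ALG:
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; check the signature before reading any claim.
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("undecodable claims")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= float(claims["exp"]):
        raise TokenError("expired")
    return claims


def roles_from_request(headers: dict, key: bytes, issuer: str, now=None) -> list:
    """Per-request backend logic: read the pass-through header, verify it, extract roles."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(USER_JWT_HEADER.lower())
    if not token:
        raise TokenError("missing user JWT header")
    claims = verify_token(token, key, issuer, now)
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise TokenError("roles claim must be a list")
    return roles


# Constructed sample data: a demo key, an issuer and a request as the gateway would forward it.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_ISSUER = "https://idp.example.invalid"
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = mint_token(
    {"iss": SAMPLE_ISSUER, "sub": "alice", "roles": ["admin", "editor"], "exp": SAMPLE_NOW + 300},
    SAMPLE_KEY,
)
SAMPLE_HEADERS = {
    # Consumed by WSO2 AM; opaque to the backend in this flow.
    "Authorization": "Bearer <gateway-access-token>",
    USER_JWT_HEADER: SAMPLE_TOKEN,
}

if __name__ == "__main__":
    print(roles_from_request(SAMPLE_HEADERS, SAMPLE_KEY, SAMPLE_ISSUER, SAMPLE_NOW))
```

The two design points worth keeping when this is ported to a real framework (for instance a Spring Boot filter reading the header) are that the accepted algorithm and issuer are fixed in the service's configuration rather than taken from the token, and that the signature is checked before any claim, including `roles`, is read.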