The JOSE Framework is a set of specifications aimed at securing digital content using JSON data structures.

The JOSE Framework includes features such as JWS, JWE, JWT, JWK, and JWA.

Apinizer supports the JOSE Framework specifications, making it easier to use.

The JOSE Validation Policy is used for verifying signed and/or encrypted JSON data sent by the client and performing signature verification and/or decryption operations.

The picture below shows the JOSE Validation:

The fields used for JOSE Validation configuration are shown in the table below.

Field

Description

Description

A description can be given to facilitate the usage and management of the policy.

Target to be Validated/Decrypted

Signature/encryption may be applied to the entire message body, or part of the message's header, parameter, or body. This field is used to indicate where in the message the signature will be verified and/or the encrypted data will be decrypted.

Target Variable

The variable used to indicate where the specific portion of the message is located, is the target.

Identity Client from

Indicates where in the message the client information will be retrieved from the data. The client info can be required for selecting JWKs. Possible values include being specified by the header or body of the signed/encrypted JWT or can be selected with a variable. In most cases, although this data is in the payload, if the JWE is used, the credential is expected to be taken from the header, since information cannot be retrieved without decrypting payload.

JSON Path or Claim Name for Client Identification

It specifies from which claim or JSONPath value the client information will be taken in the header or body. If the expression written in this field begins with $, the expression is treated as JSONPath, otherwise it is treated as claim name.

Accepted Audience List

It is the Audience list that can be included in the incoming JWT/JWE data. If there is any audience information in the incoming data that is outside this list, an error is returned.

Exact Match Claim List

It is the list of claims that can be included in the incoming JWT/JWE data. If there is any claim information in the incoming data that is outside this list, an error is returned.

Required Claim List

It is the list of claims that must be present in the incoming JWT/JWE data. There may be additional claims in the incoming data outside this list, but these specific claims are required to be present, and if any of them is missing, an error is returned.

Prohibited Claim List

It is the list of claims that must not be present in the incoming JWT/JWE data. There may be other claims in the incoming data outside this list, but if any of these specific claims are present, an error is returned.

Decrypt

If the incoming data is encrypted (JWE) and it needs to be decrypted, this option is selected. For this option to appear, "Verify Signature" option must be selected.

Decrypt By Client's JWKIf the encrypted fields in the incoming JWE data need to be decrypted based on the user identity, this option is selected. In this case, it is checked whether the "iss" (issuer) information in the data is among the users in the Apinizer User Identity Pool. If a user is found whose username/API key matches the issuer information, decryption is performed using the Encryption JWK owned by that user. Also, when the data is sent as encrypted, the "iss" (issuer) information should also be sent in the header.
JWK for Decryption

If the decryption of the encrypted fields in the incoming JWE data needs to be performed based on a fixed JWK rather than the "iss" (issuer) information in the data, this option is selected and the decryption process is performed with the selected JWK.

Validate Expiration Time

The incomingJWT/JWE data contains information about when it was created in the "iat" claim. The "exp" claim contains information about how long after "iat" it will expire. If the "Validate Expiration Time" option is selected, these two values are added together and compared to the time the request was received, and it is expected to be less than or equal to it. If it is invalid, an error is returned.

Validate SignIt is marked to verify whether the signature in the incoming JWT/JWE data is valid or not.
Validate with Client's JWK

If desired, this option is selected to process the signature contained in the JWT/JWE data depending on the user identity. The "iss" (issuer) information in the data is checked to see if it belongs to the users in the Apinizer User Identity Pool. If a user is found whose username/API key matches the issuer information, verification is done with the JWK signature owned by that user.

JWK for Validation

If the signature in the incoming JWT/JWE data is to be verified based on a fixed JWK instead of the "iss" (issuer) information in the data, this option is selected and verification is performed with the JWK selected here.

Strip and Decode JWT/JWE Payload

This field is used to decode/decrypt the data for which the validation process is performed. If "All" is selected, all data is decoded and if "Partial" is selected, only the specified part is decoded. If "None" is selected, decoding is not performed.

Claim to Decode

When the "Strip and Decode JWT/JWE Payload" field value is selected "Partial", it specifies which of the claims in the payload of the JWT/JWE are to be decoded.

Target for Decoded Claims Indicates where in the message the decoded value will be placed after successful validation/decryption.
Target Variable for Decoded Claims Variable used to indicate where the target is in the message if it is a particular part of the message.
Authorization Configuration

This option is activated to configure the access control according to the roles of the users. Please visit the Authorization page for more information.

You can visit the Policies page for the details of the Conditions and Error Message Customization panels.