The JWT (3rd Party) Authentication Policy allows JWT tokens generated by a third-party tool, for example Keycloak, to be verified on Apinizer.

For a JWT token produced by the third party to be verified, the public key of that third party must be added to the policy. The public key can be added either directly as a key or via a certificate that contains it.

The image containing JWT (3rd Party) Authentication Policy settings is given below:


The JWT (3rd Party) Authentication Policy fields are described below, each field name followed by its description.

Description

An optional description of the policy that may be useful for usage and management activities.

Clear Authentication Information

When checked, any authentication information already present in the message is removed. If the client's request carries authorization information, that information is deleted and is not forwarded to the Backend API.

Add Client Info to Header

If this option is checked, the username of the authenticated user is sent to the Backend API in a header when authentication succeeds. The image showing a request with token information being sent via the Apinizer Test Console is given below:

Authenticated User Header Name

If the Add Client Info to Header option is checked, the value of this field is used as the name of the header that carries the authenticated username.

Source of Key

Select either the Key option, to use a specific key, or the Certificate option, to use a certificate that contains the key.

Create a New Key

It appears when the Key option is checked in the Source of Key section.

Adds a new key to be used for validating the JWT token. (See the Keys page for details on adding and managing keys.)

Key

It appears when the Key option is checked in the Source of Key section.

The key used to validate the JWT token is selected from the list.

Create a New Certificate

It appears when the Certificate option is checked in the Source of Key section.

Adds a new certificate to be used for validating the JWT token. (See the Certificates page for details on adding and managing certificates.)

Certificate

It appears when the Certificate option is checked in the Source of Key section.

The certificate used to validate the JWT token is selected from the list.

Expected Audience

Optionally specifies the value expected in the token's "aud" (audience) claim. If this field is filled in, the token's "aud" claim must match the value entered here.

Authorization Configuration

Enable this option to configure access control based on user roles. Role ("scope") information is read from the "scope" claim of the JWT token and passed to the authorization step. See the Authorization page for more information.
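As an added example (not Apinizer's own code), the following Go program shows the checks this policy performs on a third-party token: RS256 signature verification with the issuer's public key, the Expected Audience comparison, and extraction of the "sub" and "scope" claims used by the Add Client Info to Header and Authorization Configuration options. SignRS256, the key pair and the claim values are constructed stand-ins for the issuer; the example assumes "aud" is a single string.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims the policy acts on: "sub" -> Authenticated User header, "aud" -> Expected Audience, "scope" -> authorization.
type Claims struct {
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
}
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] } // SHA-256 of the JWS signing input
// VerifyRS256 validates the token with the issuer's public key and, when expectedAud is set, its "aud" claim.
// The algorithm is fixed here rather than read from the token header, so "alg":"none" tokens are rejected.
func VerifyRS256(token string, pub *rsa.PublicKey, expectedAud string) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	payload, err2 := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || err2 != nil {
		return nil, errors.New("bad base64url segment")
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
		return nil, errors.New("signature does not verify with the configured key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if expectedAud != "" && c.Aud != expectedAud {
		return nil, errors.New("aud claim does not match Expected Audience")
	}
	return &c, nil
}
// SignRS256 stands in for the third-party issuer (e.g. Keycloak) so the example runs offline; not policy code.
func SignRS256(priv *rsa.PrivateKey, c Claims) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(c)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(signing))
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```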

See the Policies page for details of the Conditions and Error Message Customization panels.