JWT Authentication
The JWT Authentication policy configures and validates messages sent with JWT tokens generated by the Apinizer Token Service.
The configuration options on this screen define how Apinizer generates tokens for the API Proxy to which this policy is added.
Most of the configuration options on this screen concern how the JWT token is generated. For more information about token generation, see the Token Service page.
The picture below shows the policy settings:
The JWT Authentication fields are shown in the table below.
Field | Description |
---|---|
Name | A name that makes the policy easier to use and manage. You will need this name when managing and selecting policies. |
Description | An optional description of the policy that may be useful for usage and management activities. |
Manage From ACL/Manage From This Policy | Selects where the configuration settings are managed: in the policy itself or in the ACL. When "Manage From This Policy" is selected, the following fields appear. If "Manage From ACL" is selected, the settings are made in the ACL panel on the Credentials page. For details, see the Credential Management page. |
Grant Type | Specifies how the Token Service validates user information. If "Client Credentials" is selected, the Identity/Role/Group Service is NOT available. |
Show API Key | Appears when defining a local policy for an API Proxy or API Proxy Group, or when applying a global policy to one of them; it is not available on the global policy definition screen. Specifies the API Proxy or API Proxy Group for which the client will receive the token, which is important data for the Token Service. If desired, it can be viewed or changed by clicking this link. |
Identity/Role/Group Service | The Identity Provider Service used to authenticate users. See the Identity Providers page for more information. |
Check Client Address | Appears if "Security Manager" is selected as the identity provider service. If this option is enabled and IP information was specified when the user was defined, the request is also checked to come from the IP(s) given for that user. |
Token Never Expires | If checked, the token never becomes invalid over time and can be used as many times as desired. |
Token Expires In | Specifies how long the token remains valid. |
Refresh Token Allowed | Enables refreshing of the token. |
Refresh Token Count | Specifies how many times the token can be refreshed. |
Refresh Token Expires In | Specifies how long the token remains valid after each refresh. |
JWT Signature Algorithm | Selects the signature algorithm used when generating the token. |
Allow URL Parameters | By default, a token generation request to the Token Service may carry its information only in the message body. This option allows that information to be sent as URL parameters as well. Enabling it is not recommended, as it poses a security risk. |
Clear Authentication Information | Deletes any existing authentication information from the message content. If the request from the client contains Authorization information, it is removed and not sent to the Backend API. |
Add Client Info to Header | If checked, the username of the authenticated user is sent to the Backend API in a header when authentication succeeds. The default header name is X-Authenticated-UserId and can be changed if desired. |
Authenticated User Header Name | If Add Client Info to Header is checked, the value of this field is used as the name of the header that carries the authenticated username. |
Authorization Configuration | Enables access control based on the users' roles. The role or "scope" information is taken from the "scope" field of the JWT token and passed to the authorization check. See the Authorization page for more information. Note that "Scope" values are case sensitive. |
- The JWT Authentication Policy can only be applied at the API Proxy or API Proxy Group level. It cannot be applied at the method or endpoint level.
- A single API Proxy or API Proxy Group cannot have multiple JWT Authentication Policies. If multiple policies are added, only the first policy will generate a token. Therefore, only one policy should be defined.
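The request-time behaviour that the fields above describe (signature check, expiry, case-sensitive scope authorization, clearing the client's Authorization header and adding the authenticated-user header), modelled as an added example that is not Apinizer's own code. It assumes HS256 with a constructed demo key, a space-separated `scope` claim, a `sub` claim holding the username, and a Bearer token in the Authorization header.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key-not-for-production"  # constructed; stands in for the policy's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict) -> str:
    """Compact HS256 JWT, standing in for a token issued by the Token Service."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, now: int):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # only the configured algorithm is accepted (no "none", no alg switching)
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    # "Token Never Expires" corresponds to a token without exp; otherwise "Token Expires In" is enforced.
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

def apply_policy(headers: dict, required_scope: str, now: int, user_header="X-Authenticated-UserId"):
    """Model the request path: authenticate, authorize by scope, clear auth info, add user header.
    Returns (HTTP status, headers forwarded to the Backend API, or None when rejected)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    claims = verify_hs256(auth[len("Bearer "):], now)
    if claims is None:
        return 401, None
    # Authorization Configuration: scope values are compared exactly, so case matters.
    if required_scope not in claims.get("scope", "").split():
        return 403, None
    # Clear Authentication Information: the client's Authorization header is not forwarded.
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    forwarded[user_header] = claims.get("sub", "")  # Add Client Info to Header
    return 200, forwarded
```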
Receiving a Token
For token receiving methods and examples, visit the Token Service page.
You can visit the Policies page for the details of the Conditions and Error Message Customization panels.