In this scenario, it will be explained how to control the JSON Web Token (JWT) sent to an API named Swagger PetStore, which is built on the REST architecture, using the JOSE Validation policy.

The following image illustrates the JOSE Validation workflow that will be applied to a request.

1) Creating the API Proxy

In this scenario, the REST API called Swagger Petstore (https://petstore.swagger.io) will be used.

Firstly, it is necessary to define this address as an API Proxy.

To do that, click on the API Proxies option under the Development menu.


Since no proxy definition has been made previously, the page will display the message No records found.

Click on the Create button located in the top right corner and start creating a new Proxy.


In this section, you need to select the type of API Proxy you want to create.

Since the API type to be used in this scenario is Swagger 2.X, select that type.

By clicking on Enter URL, you will be taken to the screen where you can enter the URL of the API to be used.


As shown in the image below, you need to enter the desired URL in the URL field and click on the Parse button.


After the parsing process is completed, the screen shown in the image below will appear.

You can make configuration settings for the API Proxy using this screen. For detailed information about these settings, you can visit the API Proxy Creation documentation.

Here are the settings for the API Proxy that will be used in our scenario:


After the save process, click on the Develop tab on the page that appears.


Here, the endpoints belonging to the REST API are listed.

By using the All option, you can add the JOSE Validation policy to all methods or a specific method.


To perform signature verification in JOSE Validation, JSON Web Key (JWK) Sets need to be added.

2) JSON Web Keypair Sets

To add JSON Web Key (JWK) Sets, go to the JSON Web Keypair Sets menu under Secret Manager in the left menu.


Click on the Create button, located in the rectangular box in the top right corner of the screen that appears.


This document will focus on generating JSON Web Key (JWK) Sets using either Apinizer or Keycloak (a third-party software).


2.1) Generating JWK via Apinizer:

In this scenario, the Name field will be used as testjwk senaryo.

Use the "Generate JWK option to create a JWK with the desired algorithm.


After using the Generate button, the JWK is created. The resulting public key is ready to be used for verification purposes.

As a final step, click on the Save And Deploy button to save the changes.


2.2) Generating JWK via Keycloak:

Clicking on the Public key field in the Realm Settings > Keys menu in Keycloak retrieves the Public key.



The Public key should be converted to JWK using a third-party tool. For this purpose, the following address can be used: https://russelldavies.github.io/jwk-creator/

To save the public key converted to JWK to Apinizer;

  • Go to the JSON Web Keypair Sets page under the Secret Manager menu in the left sidebar.

  • In this scenario, the Name field will be used as testjwk senaryo.

  • Select the Paste the content of the JWT option and enter the JWK into the respective field.

  • In the Key id field, enter the value from the Kid field in Keycloak, then click the Save and Deploy button to save the changes.

3) Adding Authentication Policies

Now the JOSE Validation policy is ready to be used.

Go to the page where the API Proxies are listed and select the proxy named Swagger Petstore.

Then, go to the Develop tab and click on the Add Policy button.

On the opened page, select the JOSE Validation policy.


Selected


If you want to examine the statements on this screen individually, you can visit the JSON Web Keypair Sets page for more details.

After making the necessary adjustments as shown in the image below, click on the Save button located in the top right corner.

4) Testing the API Proxy

Select the proxy named Swagger Petstore.

Under the Develop tab, select the endpoint /pet/findByStatus.

Click on the Test Endpoint to test this endpoint.

In the URL, enter the desired status value as pending, and when the Send button is clicked, it is observed that the response is an error message.

Insert the Authorization header into the Headers section, and use the token information generated from Keycloak or Apinizer here.

Upon clicking the Send button, the received response will be displayed within the rectangular box below.


If an invalid token value is used, an error will be encountered.