Hello,

What is the recommended way for validating that a JWT was issued by a
specific API Manager instance in a case where the backend web service
lives on a separate server and needs to be certain that a given request
passed through the APIM Gateway authentication and authorization mechanisms?

I know that the header fields in the JWT include an 'x5t' field which is
an encoded reference to a certificate in the tenant key store, as
detailed here:
https://asankastechtalks.wordpress.com/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/

Since the backend web service is on a separate server, do we need to
distribute the public key to it somehow? Also, how can we update the
certificate that is used to sign the JWT since right now it is using the
default?

Thanks!
Joe
_______________________________________________
Dev mailing list
http://wso2.org/cgi-bin/mailman/listinfo/dev