[Dev] How can a back end service validate the JWT token received from WSO2 AM?

2015-03-18 Thread Rajkumar Rajaratnam
Hi,

I have hosted my service in WSO2 AS and I am exposing them as APIs in WSO2
AM. I have configured AM to send JWT tokens to the back end service. My
back end service is able to receive and decode the JWT tokens.

My question is, how can a service validate that the JWT token was sent from a
valid party (API Manager), and not from some adversary that crafted the token?

Please advise.

Thanks.

-- 
Rajkumar Rajaratnam
Committer & PMC Member, Apache Stratos
Software Engineer, WSO2

Mobile : +94777568639
Blog : rajkumarr.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] How can a back end service validate the JWT token received from WSO2 AM?

2015-03-18 Thread Lakshman Udayakantha
Hi Rajkumar,

You can sign the JWT token using a signature algorithm. You can achieve this
by configuring the <SignatureAlgorithm/> tag. See the doc here [1].

[1]
https://docs.wso2.com/display/AM170/Passing+Enduser+Attributes+to+the+Backend+Using+JWT


-- 
Lakshman Udayakantha
WSO2 Inc. www.wso2.com
lean.enterprise.middleware
Mobile: *0711241005*
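
Added example (not part of the original thread and not WSO2 code): a minimal Java check a back end could run on the received token to confirm it was signed by the gateway. It assumes the token is in compact header.payload.signature form, signed with SHA256withRSA, and that the gateway's public key is already available to the service; the class and method names are hypothetical, and the key pair and tokens in main are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class JwtSignatureCheck {
    // Accepts either Base64 alphabet; Java's decoder does not require '=' padding.
    static byte[] decode(String s) {
        return Base64.getDecoder().decode(s.replace('-', '+').replace('_', '/'));
    }

    // True only if the compact token (header.payload.signature) carries a valid
    // SHA256withRSA signature made with the private key matching gatewayKey.
    static boolean isFromGateway(String jwt, PublicKey gatewayKey) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3 || parts[2].isEmpty()) return false; // unsigned token
        try {
            String header = new String(decode(parts[0]), StandardCharsets.UTF_8);
            // Sanity check only: the algorithm below is pinned, never taken from the token.
            if (!header.matches("(?s).*\"alg\"\\s*:\\s*\"RS256\".*")) return false;
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(gatewayKey);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            return sig.verify(decode(parts[2]));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // malformed Base64 or malformed signature bytes
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the gateway's; a real back end holds
        // only the public key, loaded from the gateway's certificate.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String head = enc.encodeToString("{\"typ\":\"JWT\",\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString("{\"iss\":\"example-gateway\"}".getBytes(StandardCharsets.UTF_8));
        String other = enc.encodeToString("{\"iss\":\"someone-else\"}".getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update((head + "." + body).getBytes(StandardCharsets.US_ASCII));
        String sigPart = enc.encodeToString(signer.sign());
        System.out.println("genuine token:   " + isFromGateway(head + "." + body + "." + sigPart, kp.getPublic()));
        System.out.println("payload altered: " + isFromGateway(head + "." + other + "." + sigPart, kp.getPublic()));
        System.out.println("unsigned token:  " + isFromGateway(head + "." + body + ".", kp.getPublic()));
    }
}
```

The check is only as strong as the key distribution: the service must obtain the gateway's public key out of band and must reject tokens that arrive without a signature.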