verifyJsonWebTokenForDcp

  • Property Manager name: JWT
  • Behavior version: The v2023-01-05 rule format supports the verifyJsonWebTokenForDcp behavior v1.0.
  • Rule format status: GA, stable
  • Access: Read-write
  • Allowed in includes: Yes

This behavior lets you use JSON web tokens (JWT) to verify requests when implementing IoT Edge Connect, which you configure with the dcp behavior. You can specify where in a request the JWT is passed, the collections of public keys used to verify the token's integrity, and specific claims to extract from it. Use the verifyJsonWebToken behavior for other JWT validation.

When authenticating to edge servers with both JWT and mutual authentication (using the dcpAuthVariableExtractor behavior), the JWT method is ignored, and you need to authenticate with a client authentication certificate.

Options (name, type, description, and requirements):

extractLocation (enum)

Specifies where to get the JWT value from.

  • CLIENT_REQUEST_HEADER: From the client request header.
  • QUERY_STRING: From the query string.
  • CLIENT_REQUEST_HEADER_AND_QUERY_STRING: From both.

primaryLocation (enum)

Specifies the primary location to extract the JWT value from. If the specified option doesn't include the JWTs, the system checks the secondary one.

Requires: extractLocation is CLIENT_REQUEST_HEADER_AND_QUERY_STRING

  • CLIENT_REQUEST_HEADER: Get the JWT value from the request header.
  • QUERY_STRING: Get the JWT value from the query string.

customHeader (boolean)

The JWT value comes from the X-Akamai-DCP-Token header by default. Enabling this option allows you to extract it from another header name that you specify.

Requires: extractLocation is either CLIENT_REQUEST_HEADER or CLIENT_REQUEST_HEADER_AND_QUERY_STRING

headerName (string)

This specifies the name of the header to extract the JWT value from.

Requires: customHeader is true

queryParameterName (string)

Specifies the name of the query parameter from which to extract the JWT value.

Requires: extractLocation is either QUERY_STRING or CLIENT_REQUEST_HEADER_AND_QUERY_STRING

jwt (string)

An identifier for the JWT keys collection.

extractClientId (boolean)

Allows you to extract the client ID claim name stored in JWT.

clientId (string)

This specifies the claim name.

Requires: extractClientId is true

extractAuthorizations (boolean)

Allows you to extract the authorization groups stored in the JWT.

authorizations (string)

This specifies the authorization group name.

Requires: extractAuthorizations is true

extractUserName (boolean)

Allows you to extract the user name stored in the JWT.

userName (string)

This specifies the user name.

Requires: extractUserName is true

enableRS256 (boolean)

Verifies JWTs signed with the RS256 algorithm. This signature helps to ensure that the token hasn't been tampered with.

enableES256 (boolean)

Verifies JWTs signed with the ES256 algorithm. This signature helps to ensure that the token hasn't been tampered with.
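
A pre-deployment check for the option requirements listed above, as an added example that is not Akamai's own code. It assumes the behavior appears in a rule tree as an object with name and options fields inside behaviors and children lists; treating a met requirement with no value, or a rule with neither enableRS256 nor enableES256 set, as a finding is this linter's assumption, and the sample values are constructed.

```python
# Added example (not Akamai code): lint verifyJsonWebTokenForDcp options
# against the requirement conditions listed on this page.
BOTH = "CLIENT_REQUEST_HEADER_AND_QUERY_STRING"
# option: (controlling option, values that meet the requirement, value expected?)
# "value expected" is an assumption of this linter, not stated by the page.
REQUIRES = {
    "primaryLocation": ("extractLocation", [BOTH], True),
    "customHeader": ("extractLocation", ["CLIENT_REQUEST_HEADER", BOTH], False),
    "headerName": ("customHeader", [True], True),
    "queryParameterName": ("extractLocation", ["QUERY_STRING", BOTH], True),
    "clientId": ("extractClientId", [True], True),
    "authorizations": ("extractAuthorizations", [True], True),
    "userName": ("extractUserName", [True], True),
}

def lint_options(opts):
    """Return a list of findings for one behavior's options dict."""
    findings = []
    for option, (parent, allowed, expected) in REQUIRES.items():
        met = opts.get(parent) in allowed
        if met and expected and opts.get(option) in (None, ""):
            findings.append(f"{option}: no value although {parent}={opts[parent]!r}")
        elif not met and option in opts:
            findings.append(f"{option}: set, but requires {parent} in {allowed}")
    # Assumption: a rule that enables neither algorithm is a misconfiguration.
    if not (opts.get("enableRS256") or opts.get("enableES256")):
        findings.append("enableRS256/enableES256: no signature algorithm enabled")
    return findings

def lint_rule_tree(rule, path="default"):
    """Walk a rule (behaviors + children) and lint every matching behavior."""
    out = []
    for b in rule.get("behaviors", []):
        if b.get("name") == "verifyJsonWebTokenForDcp":
            out += [f"{path}: {f}" for f in lint_options(b.get("options", {}))]
    for child in rule.get("children", []):
        out += lint_rule_tree(child, f"{path}/{child.get('name', '?')}")
    return out

# Constructed sample rule tree; rule names and option values are illustrative.
SAMPLE = {"name": "default", "children": [{"name": "IoT auth", "behaviors": [{
    "name": "verifyJsonWebTokenForDcp",
    "options": {"extractLocation": "QUERY_STRING", "primaryLocation": "CLIENT_REQUEST_HEADER",
                "customHeader": True, "headerName": "X-Device-Token", "jwt": "example-keys",
                "extractClientId": True, "enableRS256": False, "enableES256": False},
}]}]}

if __name__ == "__main__":
    for finding in lint_rule_tree(SAMPLE):
        print(finding)
```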