- Property Manager name: JWT
- Behavior version: The `v2023-01-05` rule format supports the `verify_json_web_token_for_dcp` behavior v1.0.
- Rule format status: GA, stable
- Access: Read/Write
- Allowed in includes: Yes

This behavior lets you verify requests with JSON web tokens (JWT) when implementing IoT Edge Connect, which you configure with the `dcp` behavior. You can specify where in a request the JWT is passed, the collections of public keys used to verify the token's integrity, and specific claims to extract from it. Use the `verify_json_web_token` behavior for other JWT validation.

When authenticating to edge servers with both JWT and mutual authentication (using the `dcp_auth_variable_extractor` behavior), the JWT method is ignored, and you need to authenticate with a client authentication certificate.

Option | Type | Description | Requires
---|---|---|---
`extract_location` | enum | Specifies where to get the JWT value from. |
`CLIENT_REQUEST_HEADER` | | From the client request header. |
`QUERY_STRING` | | From the query string. |
`CLIENT_REQUEST_HEADER_AND_QUERY_STRING` | | From both. |
`primary_location` | enum | Specifies the primary location to extract the JWT value from. If the specified option doesn't include the JWTs, the system checks the secondary one. | `extract_location` is `CLIENT_REQUEST_HEADER_AND_QUERY_STRING`
`CLIENT_REQUEST_HEADER` | | Get the JWT value from the request header. |
`QUERY_STRING` | | Get the JWT value from the query string. |
`custom_header` | boolean | The JWT value comes from the | `extract_location` is either: `CLIENT_REQUEST_HEADER`, `CLIENT_REQUEST_HEADER_AND_QUERY_STRING`
`header_name` | string | This specifies the name of the header to extract the JWT value from. | `custom_header` is `true`
`query_parameter_name` | string | Specifies the name of the query parameter from which to extract the JWT value. | `extract_location` is either: `QUERY_STRING`, `CLIENT_REQUEST_HEADER_AND_QUERY_STRING`
`jwt` | string | An identifier for the JWT keys collection. |
`extract_client_id` | boolean | Allows you to extract the client ID claim name stored in JWT. |
`client_id` | string | This specifies the claim name. | `extract_client_id` is `true`
`extract_authorizations` | boolean | Allows you to extract the authorization groups stored in the JWT. |
`authorizations` | string | This specifies the authorization group name. | `extract_authorizations` is `true`
`extract_user_name` | boolean | Allows you to extract the user name stored in the JWT. |
`user_name` | string | This specifies the user name. | `extract_user_name` is `true`
`enable_rs256` | boolean | Verifies JWTs signed with the RS256 algorithm. This signature helps to ensure that the token hasn't been tampered with. |
`enable_es256` | boolean | Verifies JWTs signed with the ES256 algorithm. This signature helps to ensure that the token hasn't been tampered with. |
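
The Requires column can be checked mechanically before a rule is deployed. The Python below is an added example, not Akamai's code: it assumes the options arrive as a dict keyed by the option names in the table, and the sample values are constructed. Two checks are review policies assumed here rather than documented requirements: name options must be non-empty once they apply, and at least one of `enable_rs256` / `enable_es256` must be on.

```python
"""Lint verify_json_web_token_for_dcp options against the table's Requires column."""
HEADER, QUERY = "CLIENT_REQUEST_HEADER", "QUERY_STRING"
BOTH = "CLIENT_REQUEST_HEADER_AND_QUERY_STRING"

# option -> (controlling option, controlling values that make the option apply)
REQUIRES = {
    "primary_location": ("extract_location", {BOTH}),
    "custom_header": ("extract_location", {HEADER, BOTH}),
    "header_name": ("custom_header", {True}),
    "query_parameter_name": ("extract_location", {QUERY, BOTH}),
    "client_id": ("extract_client_id", {True}),
    "authorizations": ("extract_authorizations", {True}),
    "user_name": ("extract_user_name", {True}),
}
# Assumption of this example: these names must be non-empty once they apply.
NAMES = {"header_name", "query_parameter_name", "client_id", "authorizations", "user_name"}

def lint(options):
    """Return sorted findings for one behavior's options (dict keyed as in the table)."""
    findings = []
    if options.get("extract_location") not in (HEADER, QUERY, BOTH):
        findings.append("extract_location: not a documented enum value")
    for opt, (parent, enabling) in REQUIRES.items():
        applies = options.get(parent) in enabling
        value = options.get(opt)
        if value not in (None, "", False) and not applies:
            findings.append(f"{opt}: set, but {parent} does not enable it")
        elif applies and opt in NAMES and not value:
            findings.append(f"{opt}: empty although {parent} enables it")
    if not options.get("jwt"):
        findings.append("jwt: no keys collection identifier")
    # Assumed review policy: at least one signature algorithm must be enabled.
    if not (options.get("enable_rs256") or options.get("enable_es256")):
        findings.append("enable_rs256/enable_es256: no signature algorithm enabled")
    return sorted(findings)

# Constructed sample options; header, parameter, claim and collection names are made up.
GOOD = {"extract_location": BOTH, "primary_location": HEADER, "custom_header": True,
        "header_name": "X-Device-Token", "query_parameter_name": "token",
        "jwt": "example-keys", "extract_client_id": True, "client_id": "clientId",
        "enable_es256": True}
BAD = {"extract_location": QUERY, "primary_location": HEADER, "custom_header": True,
       "header_name": "X-Device-Token", "jwt": "example-keys",
       "extract_client_id": True, "client_id": "", "enable_rs256": False}

if __name__ == "__main__":
    for name, opts in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(opts) or "no findings")
```
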