Part 4: Configuring JWT token verification flow for SAP Cloud Platform XS UAA

The JWT policies of SAP Cloud Platform API Management enable you to generate, verify and decode JWT tokens. In the Blog Series: JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management we have covered the modeling and configuration of JWT verification policies for various identity providers such as SAP Cloud Platform XS UAA, Okta and Azure Active Directory. This part of the blog series covers the steps for configuring the JWT token verification policy for SAP Cloud Platform XS UAA.

Prerequisite

Read OAuth Issuer and JWKS URI for your SAP Cloud Platform XS UAA

  • Log on to your SAP Cloud Platform Cloud Foundry environment.
  • Select your deployed micro-service which is protected using SAP Cloud Platform XS UAA.
  • From your Cloud Foundry application, navigate to Service Bindings and select the service binding for your SAP Cloud Platform XS UAA service. Click Show sensitive data to reveal the binding credentials (client id, client secret and url).

  • Copy the url field of the binding; the required Issuer and JWKS URI are derived from this url.

  • To get your JWKS URI and JWT Issuer, query the OpenID Connect metadata URL of your SAP Cloud Platform XS UAA: replace the placeholder {your_xs_uaa_service_binding_url_value} in {your_xs_uaa_service_binding_url_value}/.well-known/openid-configuration with the url value copied in the previous step and open that URL in a browser.
  • From the OpenID Connect metadata response, copy the values of the issuer and jwks_uri fields exactly as returned; the issuer value is later compared as a string against the iss claim of incoming tokens, so a stray trailing slash will cause verification to fail.

Configure OAuth Issuer and JWKS URI in SAP Cloud Platform API Management

  • Navigate to the API Portal service of your SAP Cloud Platform API Management.
  • Navigate to the Develop tab and select the API Proxy in which you have modeled the JWT token verification policies. Refer to part 1 of this blog series to model the JWT verification policies for your API Proxy.

  • From the selected API Proxy details view, click Policies to open Policy Designer.

  • Click Edit on the policy designer, to enter edit mode.

  • Select the readJWKS policy and replace the value of its URL element with the jwks_uri value from your OpenID Connect metadata response.

  • Select the verifyJWT policy and replace the value of its Issuer element with the issuer value from your OpenID Connect metadata response.

  • Select Update to persist all the policy changes.

  • Click Save to persist all the API Proxy changes.

Testing the JWT token verification flow

  • For testing this flow the Client Credentials grant was used, simply because it is the easiest to drive from a test console such as Postman; any grant type that yields an XS UAA access token works the same way against the proxy.
  • From your Cloud Foundry application, navigate to Service Bindings and select the service binding for your SAP Cloud Platform XS UAA service. Click Show sensitive data to view your client id and client secret.

  • Copy the clientid and clientsecret from the Service binding data.

  • Use this OAuth client id and secret to request an access token from the SAP Cloud Platform XS UAA token endpoint (the token_endpoint field of the same OpenID Connect metadata response). The details are covered in the SAP documentation.
  • Call your API Proxy endpoint, passing the OAuth access token received from SAP Cloud Platform XS UAA in an HTTP header named Authorization with the value Bearer {oauth_access_token}.
  • In case of successful JWT token validation, the response from your target server would be returned.

  • Passing an invalid, expired or empty access token results in an error response with HTTP status code 401.
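The discovery steps in the prerequisite and the test steps above, as an added example (this is not code from the SAP blog post or from SAP): a small Python client that builds the metadata URL from the binding url, pulls issuer and jwks_uri out of the metadata, requests a token with the client credentials grant, calls the proxy and reports the status, and also re-implements locally what the readJWKS/verifyJWT policy pair does (pick the JWK by kid, check the RS256 signature, then compare iss and exp) so a 401 can be diagnosed before touching the policy designer. The tenant hostname, client id, the sample JWKS and the sample token are constructed placeholders; the /oauth/token and /token_keys paths are assumed for illustration, so always take the real values from your own metadata response.

```python
# Added example for this post (not SAP's code): mirrors the discovery, configuration and test steps
# above and re-implements the verifyJWT check locally. All hostnames, ids, keys and tokens are placeholders.
import base64
import hashlib
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def discovery_url(binding_url: str) -> str:
    """Metadata URL built from the 'url' field of the XS UAA service binding."""
    return binding_url.rstrip("/") + "/.well-known/openid-configuration"

def issuer_and_jwks(metadata: dict) -> tuple:
    """The two values to paste into the readJWKS and verifyJWT policies."""
    return metadata["issuer"], metadata["jwks_uri"]

def b64url_decode(segment: str) -> bytes:
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def split_jwt(token: str) -> tuple:
    """(header, claims, signature bytes, signing input) of a compact JWT."""
    header, payload, signature = token.split(".")
    return (json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)),
            b64url_decode(signature), (header + "." + payload).encode("ascii"))

def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 using the JWK's n and e (RFC 8017, section 8.2.2)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = _SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def check_claims(claims: dict, issuer: str, now: float = None) -> dict:
    """iss/exp checks applied after the signature; Issuer is an exact string match,
    so a stray trailing slash or http/https difference in the policy means a 401."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer %r does not match configured %r" % (claims.get("iss"), issuer))
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def verify_token(token: str, jwks: dict, issuer: str, now: float = None) -> dict:
    """What the policy chain does: key by kid, RS256 signature, then the claims."""
    header, claims, sig, signing_input = split_jwt(token)
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    keys = [key for key in jwks["keys"] if key.get("kid") == header.get("kid")]
    if not keys:
        raise ValueError("no key with kid %r in JWKS" % header.get("kid"))
    if not rs256_verify(keys[0], signing_input, sig):
        raise ValueError("signature check failed")
    return check_claims(claims, issuer, now)

def client_credentials_token(token_endpoint: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant against XS UAA (the same request Postman sends)."""
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    req = urllib.request.Request(
        token_endpoint, data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic, "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def call_proxy(proxy_url: str, access_token: str) -> int:
    """HTTP status from the API proxy: 200 for a valid token, 401 when verifyJWT rejects it."""
    req = urllib.request.Request(proxy_url, headers={"Authorization": "Bearer " + access_token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

# Constructed sample data shaped like the real responses (placeholder values, not a real tenant).
SAMPLE_BINDING_URL = "https://mytenant.authentication.eu10.hana.ondemand.com"
SAMPLE_METADATA = {"issuer": SAMPLE_BINDING_URL + "/oauth/token", "token_endpoint": SAMPLE_BINDING_URL + "/oauth/token",
                   "jwks_uri": SAMPLE_BINDING_URL + "/token_keys"}
# Placeholder modulus 2**2047 (not a real RSA key); it only exercises the rejection path.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-id-1", "e": "AQAB", "n": b64url_encode(b"\x80" + b"\x00" * 255)}]}
_enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
SAMPLE_TOKEN = ".".join([_enc({"alg": "RS256", "typ": "JWT", "kid": "key-id-1"}),
                         _enc({"iss": SAMPLE_METADATA["issuer"], "client_id": "sb-myapp!t1234", "exp": 4102444800}),
                         b64url_encode(b"\x00" * 255 + b"\x02")])  # bogus signature: verify_token must reject it

if __name__ == "__main__":  # live run of the steps; replace the placeholders with your binding values
    load = lambda url: json.load(urllib.request.urlopen(url, timeout=10))
    metadata = load(discovery_url(SAMPLE_BINDING_URL))
    issuer, jwks_uri = issuer_and_jwks(metadata)
    print("readJWKS URL:", jwks_uri, "/ verifyJWT Issuer:", issuer)
    token = client_credentials_token(metadata["token_endpoint"], "<clientid>", "<clientsecret>")
    print("local check passed for client", verify_token(token, load(jwks_uri), issuer)["client_id"])
    proxy = "https://<api-portal-host>/<proxy-path>"
    print("proxy status with token:", call_proxy(proxy, token), "/ with garbage:", call_proxy(proxy, "x.y.z"))
```

Run it with the placeholders replaced and it prints the two values to paste into the policies, confirms locally that the freshly issued token verifies against the tenant's JWKS and issuer, and then shows the proxy answering 200 for that token and 401 for a garbage one. If the local check passes but the proxy still returns 401, the values in the readJWKS URL or verifyJWT Issuer elements differ from what the metadata returned; the issuer comparison is an exact string match.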

Refer to the Blog Series: JSON Web Tokens (JWT) verification using SAP Cloud Platform API Management for the other parts on JWT verification policies.
