This is now released as:
G: io.apiman.plugins
A: apiman-plugins-jwt-policy
V: 1.2.9.Final
Feedback welcome!
On 1 December 2016 at 16:33, Marc Savy <marc.savy(a)redhat.com> wrote:
I should clarify that the purpose of this plugin is to work with any JWT
provider (rather than being Keycloak-focussed).
Let me know how it works for you!
On 1 December 2016 at 16:06, Marc Savy <marc.savy(a)redhat.com> wrote:
> Hi,
>
> I just pushed a (very simple) generic JWT plugin policy to master.
>
> To try it out right now you will need to build it. Just check out the
> apiman/apiman-plugins repo and execute `mvn clean install`. The plugin
> coordinates will be G: io.apiman.plugins A: apiman-plugins-jwt-policy V:
> 1.2.9-SNAPSHOT.
>
> It isn't yet as feature-rich as the Keycloak plugin, but you can:
>
> - Require JWT.
> - Require claims (e.g. sub = foo).
> - Require transport security (TLS, SSL).
> - Require JWT be cryptographically signed (aka. JWS).
> - Validate JWT against a provided public key.
> - Remove auth tokens (prevent them reaching the backend).
> - Set maximum clock skew.
>
> I'll expand on this shortly to add something that will hopefully add some
> commonly-used features from the Keycloak plugin:
>
> - Allow extraction of roles for authorization
> - Forward token fields as headers (e.g. X-Sub = sub)
>
> Regards,
> Marc
>
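The checks listed in the announcement, sketched as one gateway-side decision function. This is an added example, not part of the original messages and not the plugin's code. The configuration names are hypothetical, the tokens and key are constructed, and HMAC-SHA256 stands in for the public-key verification the plugin performs so that the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed demo settings; names are hypothetical, not the plugin's configuration keys.
CFG = {"require_tls": True, "require_jwt": True, "require_signed": True, "strip_tokens": True,
       "key": b"constructed-demo-key", "required_claims": {"sub": "foo"}, "max_clock_skew": 60}

def b64d(s):  # base64url decode, restoring the padding JWTs strip
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key, alg="HS256"):  # builds constructed sample tokens
    unsigned = b64e(json.dumps({"alg": alg}).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(key, unsigned.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return unsigned + "." + b64e(sig)

def apply_policy(headers, is_tls, cfg, now):
    """Return (allowed, reason, headers_to_forward_to_backend)."""
    if cfg["require_tls"] and not is_tls:
        return False, "transport security required", None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return (False, "JWT required", None) if cfg["require_jwt"] else (True, "no token", dict(headers))
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
    except ValueError:
        return False, "malformed token", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token", None
    if cfg["require_signed"]:
        # Algorithm is pinned by the policy, never chosen by the token header.
        good = hmac.new(cfg["key"], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(sig, good):
            return False, "signature invalid or missing", None
    exp, nbf, skew = claims.get("exp", float("inf")), claims.get("nbf", 0), cfg["max_clock_skew"]
    if not all(isinstance(v, (int, float)) for v in (exp, nbf)):
        return False, "malformed time claim", None
    if now > exp + skew or now < nbf - skew:
        return False, "token outside validity window", None
    for name, want in cfg["required_claims"].items():
        if claims.get(name) != want:
            return False, f"required claim {name!r} not satisfied", None
    forward = dict(headers)
    if cfg["strip_tokens"]:
        forward.pop("Authorization", None)  # token never reaches the backend
    return True, "ok", forward
```

The clock-skew allowance widens both ends of the validity window, so a token that expired 30 seconds ago still passes with a 60-second skew and fails once the skew is exceeded.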