Requirement:
APIGEE will get an encrypted and signed token.
Requirement 1: In APIGEE, we would like to decrypt and validate the token.
Requirement 2: In APIGEE, we would like to extract some value from the token.
Questions:
- Is it best practice for APIGEE to fulfill the above requirements?
- What's the standard process for APIGEE to handle an encrypted and signed token?
- How to implement it? Per the documents below, how do we combine the two policies? I assume we need to use verify-an-encrypted-jwt first, because we need to decrypt it, and then verify-a-signed-jwt, but how should we get the decrypted token from #verify-an-encrypted-jwt? Could you please recommend best practice?
- From documents APIGEE have embedded policy to verify-an-encrypted-jwt https://cloud.google.com/apigee/docs/api-platform/reference/policies/verify-jwt-policy#verify-an-enc...
- From documents APIGEE have embedded policy to verify-a-signed-jwt https://cloud.google.com/apigee/docs/api-platform/reference/policies/verify-jwt-policy#verify-a-sign...
I assume that for verify-a-signed-jwt the source should come from #1. But what's the value of source?
And regarding this document https://cloud.google.com/apigee/docs/api-platform/reference/policies/jwt-policies-overview#signing-v...
"It's possible to use both encrypted and signed JWT together, especially when the encrypted JWT uses an asymmetric cryptography algorithm (RSA, ECDSA)"
But how? I need to decrypt it and validate it.
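As an added illustration (not code from this post, and not Apigee's own policy flow), the Python below walks through the sequence the two VerifyJWT steps implement for a nested token: decrypt the JWE (assumed RSA-OAEP-256 + A256GCM), check that the decrypted payload is itself a JWT via the `cty` header, verify the inner signature (assumed RS256), and only then read the claims. The keys, claims and sample token are constructed inside the block; it uses the `cryptography` package, and the function names are mine.

```python
import base64, json, os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 for both MGF1 and the hash is what JWE calls "RSA-OAEP-256"
OAEP256 = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decrypt_jwe(token: str, dec_priv):
    """Step 1 (the 'verify an encrypted JWT' stage): unwrap the CEK, decrypt the payload."""
    hdr_b64, enc_key, iv, ct, tag = token.split(".")
    hdr = json.loads(b64u_decode(hdr_b64))
    if (hdr.get("alg"), hdr.get("enc")) != ("RSA-OAEP-256", "A256GCM"):
        raise ValueError("unexpected JWE algorithms")  # pin the algorithms; never let the header choose
    cek = dec_priv.decrypt(b64u_decode(enc_key), OAEP256)
    # the protected header is the GCM associated data, so a tampered header fails the tag check
    plaintext = AESGCM(cek).decrypt(b64u_decode(iv), b64u_decode(ct) + b64u_decode(tag), hdr_b64.encode())
    return hdr, plaintext.decode()

def verify_jws(token: str, sig_pub) -> dict:
    """Step 2 (the 'verify a signed JWT' stage): RS256 over header.payload, then parse the claims."""
    h, p, s = token.split(".")
    if json.loads(b64u_decode(h)).get("alg") != "RS256":
        raise ValueError("unexpected JWS algorithm")
    sig_pub.verify(b64u_decode(s), f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return json.loads(b64u_decode(p))

def verify_nested(token: str, dec_priv, sig_pub, audience: str) -> dict:
    """Decrypt, confirm the payload is a nested JWT, verify it, then extract claims (step 3)."""
    hdr, inner = decrypt_jwe(token, dec_priv)
    if hdr.get("cty", "").upper() != "JWT":  # RFC 7519 s5.2 marks a nested JWT with cty=JWT
        raise ValueError("decrypted payload is not a nested JWT")
    claims = verify_jws(inner, sig_pub)
    if claims.get("aud") != audience:  # claims are only trusted after the signature check
        raise ValueError("audience mismatch")
    return claims

def make_nested_token(claims: dict, sig_priv, enc_pub) -> str:
    """Constructed sample issuer: sign first, then encrypt the JWS (the usual nesting order)."""
    h, p = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()), b64u(json.dumps(claims).encode())
    jws = f"{h}.{p}." + b64u(sig_priv.sign(f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256()))
    hdr = b64u(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM", "cty": "JWT"}).encode())
    cek, iv = os.urandom(32), os.urandom(12)
    sealed = AESGCM(cek).encrypt(iv, jws.encode(), hdr.encode())  # ciphertext || 16-byte tag
    return ".".join([hdr, b64u(enc_pub.encrypt(cek, OAEP256)), b64u(iv), b64u(sealed[:-16]), b64u(sealed[-16:])])

SIG_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # issuer's signing key (constructed)
ENC_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # gateway's decryption key (constructed)
SAMPLE = make_nested_token({"sub": "user-123", "aud": "my-api"}, SIG_KEY, ENC_KEY.public_key())
```

Running `verify_nested(SAMPLE, ENC_KEY, SIG_KEY.public_key(), "my-api")` returns the inner claims; the gateway holds the decryption private key and only the issuer's public signing key.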