Not able to pass JWKS URI as an environment variable

Hi,

I am trying to pass the JWKS URI as an environment variable as below, but I am getting an error. Is there a way to pass these values through env variables (KV Map)?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT continueOnError="false" enabled="true" name="VerifyJWT-AccessToken">
<DisplayName>VerifyJWT-AccessToken</DisplayName>
<Algorithm>RS256</Algorithm>
<PublicKey>
<JWKS uri="https://{okta_domain}/oauth2/{okta_client_id}/v1/keys"/>
</PublicKey>
<Audience>{env_jwt_audience}</Audience>
</VerifyJWT>

1 ACCEPTED SOLUTION

Nope, you cannot use that syntax. The uri attribute is not interpreted as a message template, so a string inside curly braces in that attribute will not be treated as a reference to a variable. It's just a URI with curly braces!

There is a way to refer to a single variable, and that is with the yet-to-be-documented but currently supported (in Apigee X and hybrid) uriRef attribute. It looks like this:

<VerifyJWT name='VJWT-1'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <JWKS uriRef='variable-containing-jwks-endpoint-uri'/> <!-- new -->
  </PublicKey>
  <Source>request.header.token</Source>
</VerifyJWT>

So you will need to set a single variable to contain your URI. Probably with a preceding AssignMessage policy, configured like this:

<AssignMessage name='AV-JWKS-URI'>
  <AssignVariable>
    <Name>variable-containing-jwks-endpoint-uri</Name>
    <Template>https://{okta_domain}/oauth2/{okta_client_id}/v1/keys</Template>
  </AssignVariable>
</AssignMessage>

The request to document this new uriRef attribute is tracked under the internal reference b/230341213.

One further note - the Audience element also does not get interpreted as a Message Template. You can specify a fixed value, or a reference to a variable. Per the documentation for the VerifyJWT policy:

[Screenshot of the VerifyJWT policy documentation for the Audience element: a fixed value or a variable reference, not a message template.]

It's sort of frustrating that the message templates are not used everywhere, but... that's the way it is.
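To tie the accepted answer back to the original question (values coming from a KV Map), here is an added example, not code from the original post or from Apigee's documentation, showing the three policies wired together in a proxy PreFlow. The KVM name "okta-config", the KVM keys, the policy names, and the variable name "jwks_endpoint_uri" are assumptions; the uriRef attribute on JWKS and the ref attribute on Audience are the variable-reference forms the answer describes.

```xml
<!-- Added example (not from the original post). The KVM name "okta-config",
     the KVM keys, the policy names and the variable "jwks_endpoint_uri" are
     assumptions; adjust them to your environment. -->

<!-- 1. Read the Okta values out of an environment-scoped KVM into flow
        variables. The KVM is administrator-controlled, so the JWKS host the
        proxy will trust cannot be influenced by the caller. -->
<KeyValueMapOperations name="KVM-Get-OktaConfig" mapIdentifier="okta-config">
  <Scope>environment</Scope>
  <Get assignTo="okta_domain">
    <Key><Parameter>okta_domain</Parameter></Key>
  </Get>
  <Get assignTo="okta_client_id">
    <Key><Parameter>okta_client_id</Parameter></Key>
  </Get>
  <Get assignTo="env_jwt_audience">
    <Key><Parameter>jwt_audience</Parameter></Key>
  </Get>
</KeyValueMapOperations>

<!-- 2. Build the JWKS URI with a message template. This is the only place
        in the chain where curly-brace references are expanded. -->
<AssignMessage name="AM-Build-JWKS-URI">
  <AssignVariable>
    <Name>jwks_endpoint_uri</Name>
    <Template>https://{okta_domain}/oauth2/{okta_client_id}/v1/keys</Template>
  </AssignVariable>
</AssignMessage>

<!-- 3. Verify the token. uriRef and ref point at variables by name; no
        curly braces. IgnoreUnresolvedVariables=false makes a missing KVM
        entry fail the policy instead of verifying against an empty value. -->
<VerifyJWT name="VJWT-AccessToken">
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Source>request.header.token</Source>
  <PublicKey>
    <JWKS uriRef="jwks_endpoint_uri"/>
  </PublicKey>
  <Audience ref="env_jwt_audience"/>
</VerifyJWT>

<!-- 4. Flow wiring in the ProxyEndpoint (assumed): the policies must run in
        this order so each variable exists before it is referenced. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>KVM-Get-OktaConfig</Name></Step>
    <Step><Name>AM-Build-JWKS-URI</Name></Step>
    <Step><Name>VJWT-AccessToken</Name></Step>
  </Request>
  <Response/>
</PreFlow>
```

Two points worth keeping in mind when adopting this pattern. First, the variable behind uriRef decides which keys the proxy accepts signatures from, so it should only ever be populated from configuration you control (a KVM, a property set, a literal in AssignMessage), never from anything derived from the incoming request. Second, keep IgnoreUnresolvedVariables set to false: if the KVM lookup fails, the policy should fail closed rather than let the token through with an unresolved JWKS URI or audience.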
