how to JWT with SAP API Management
Murtaza 🐳
Posted on February 12, 2023
SAP API Management is a cloud-based, API-first platform for developing and managing APIs. It enables organizations to securely expose data, systems, and services from SAP and other sources. With SAP API Management, companies can leverage their existing investments in SAP and non-SAP systems while providing a unified, modern API layer to build, scale, and manage their APIs. This comprehensive approach to API management empowers organizations to accelerate their digital transformation and create new business opportunities.
What is JWT?
JSON Web Token (JWT, RFC 7519) is an open standard for transmitting claims (e.g., who authenticated and for which audience) between two parties. A JWT is a compact, URL-safe string made of three base64url-encoded parts: a header, a JSON payload of claims, and a signature. It is widely used for web application and API authentication because a client can present the token on every request without the API having to call back to the issuer. The signature is produced either with a shared secret (HMAC, e.g., HS256) or with the issuer's private key (e.g., RS256), so a verifier can detect any tampering with the header or payload. Note that the payload is only encoded, not encrypted: a signed JWT protects integrity and authenticity, not confidentiality, so it must not carry secrets.
The diagram below shows the overall architecture:
Our next question would be: what purpose does an identity provider serve?
An identity provider (IdP) is the service that authenticates users and issues tokens that other applications trust. It manages user identities and credentials in one place, so the applications themselves never see a password; they only see a signed token. Because one IdP can issue tokens for many applications, it also enables single sign-on (SSO): a user logs in once and can reach several services without separate logins.
Let us go through the flow shown in the diagram above:
- The user sends a request to the IdP with a valid username and password.
- The IdP authenticates the user and issues a signed JWT.
- The IdP returns the JWT to the client.
- The client stores the JWT, here in browser local storage, for subsequent requests (anything a page script can read is exposed to XSS, so keep token lifetimes short).
- The client calls SAP API Management with the JWT in the Authorization header as a bearer token.
- SAP API Management verifies the JWT and, if it is valid, grants access to the requested resource.
Some examples of IdP are;
- Amazon Cognito
- SAP Customer Data Cloud
- Auth0
What happens inside SAP API Management?
Several policies that ship out of the box with SAP API Management are chained in the API proxy:
SAP API Management Proxy PreFlow
- The Extract Variables policy reads the bearer token from the Authorization header and stores it in a flow variable (inbound.jwt, from the VariablePrefix below) for the later policies:
<!-- Extract content from the request or response message: headers, URI paths, JSON/XML payloads, form parameters and query parameters -->
<ExtractVariables async="true" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
    <!-- the source message that should be parsed -->
    <Source clearPayload="false">request</Source>
    <!-- match the Authorization header; {jwt} captures everything after the (case-insensitive) "Bearer " prefix -->
    <Header name="Authorization">
        <Pattern ignoreCase="true">Bearer {jwt}</Pattern>
    </Header>
    <!-- the captured value becomes the flow variable inbound.jwt -->
    <VariablePrefix>inbound</VariablePrefix>
</ExtractVariables>
- The Verify JWT policy checks the token's signature against the IdP's public key. In this implementation the certificate was pasted into the policy when the API proxy was built; it could also be loaded from a key value map, but that was left out to keep the example simple. The policy also pins the algorithm to RS256 and requires the issuer and audience claims to match the IdP and this API, so a token minted by another tenant, or for another API, is rejected even though its signature is valid:
<!-- Verify JWT token -->
<VerifyJWT async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <!-- pinned signing algorithm; the alg header of the token is not trusted -->
    <Algorithm>RS256</Algorithm>
    <!-- the token captured by the Extract Variables policy -->
    <Source>inbound.jwt</Source>
    <!-- the IdP's certificate (public key) used to check the signature -->
    <PublicKey>
        <Value>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
        </Value>
    </PublicKey>
    <!--<Subject>subject-subject</Subject>-->
    <!-- iss and aud must match exactly -->
    <Issuer>https://dev-xxxx.au.auth0.com/</Issuer>
    <Audience>https://dev-xxxx.au.auth0.com/api/v2/</Audience>
    <!--<AdditionalClaims>-->
    <!--    <Claim name="additional-claim-name" type="string">additional-claim-value-goes-here</Claim>-->
    <!--</AdditionalClaims>-->
</VerifyJWT>
- The Decode JWT policy exposes the token's header and claims as flow variables so later policies can read individual values such as the subject or scopes. It does not check the signature, so it must run after Verify JWT, never instead of it:
<!-- Decode JWT token (no signature check; relies on Verify JWT above) -->
<DecodeJWT async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Source>inbound.jwt</Source>
</DecodeJWT>
Next, we could forward the encoded JWT to the microservice for a second validation. In this design it is not required, because the request has already been authenticated at the gateway; that only holds, however, if the backend accepts traffic solely from SAP API Management. If the microservice is reachable directly, forward the token and verify it there as well, otherwise the gateway checks can be bypassed.
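The login flow described earlier and the three policies above, as one added example (this is not code from the original post or from SAP): a stdlib-only Python model in which a toy IdP mints an RS256 token and gateway functions run the same Extract, Verify and Decode steps in the same order. The RSA key generation, the issuer and audience URLs (idp.example.test, api.example.test), the user and the scope are all constructed for the demo; the 1024-bit key is for speed only, and the alg pinning, issuer, audience and expiry checks mirror what the Verify JWT policy enforces.

```python
# Toy model of the flow: IdP mints an RS256 JWT, gateway extracts, verifies, decodes. Demo only.
import base64, hashlib, hmac, json, re, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:   # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force bit length and oddness
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits: int = 1024):
    """Stand-in for the IdP's key pair: returns ((n, e), (n, d)). Real keys are >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                       # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

# RS256 is RSASSA-PKCS1-v1_5 with SHA-256 (RFC 7518 section 3.3); k = modulus length in bytes
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, priv) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, pub) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(msg, k))    # compare the whole encoding, no parsing

def idp_issue_token(priv, issuer, audience, subject, scope, ttl=300, now=None) -> str:
    """IdP side: after authenticating the user (out of scope here), mint and sign the JWT."""
    now = int(time.time()) if now is None else now
    dumps = lambda o: json.dumps(o, separators=(",", ":")).encode()
    claims = {"iss": issuer, "aud": audience, "sub": subject, "scope": scope,
              "iat": now, "exp": now + ttl}
    signing_input = b64url(dumps({"alg": "RS256", "typ": "JWT"})) + "." + b64url(dumps(claims))
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), priv))

# Gateway side: the three policies from the post, in the same order.
_BEARER = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)   # Pattern ignoreCase="true"
def extract_jwt(headers: dict):
    """ExtractVariables: pull {jwt} out of 'Authorization: Bearer {jwt}'."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    m = _BEARER.match(auth.strip())
    return m.group(1) if m else None

def verify_jwt(token: str, pub, issuer: str, audience: str, now=None) -> dict:
    """VerifyJWT: pinned alg, signature, iss, aud and exp. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    h64, p64, s64 = token.split(".")                 # ValueError unless exactly three segments
    if json.loads(b64url_decode(h64)).get("alg") != "RS256":   # never let the token choose alg
        raise ValueError("unexpected alg")
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), pub):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def decode_jwt(token: str):
    """DecodeJWT: header and claims only, no signature check; run it after verify_jwt."""
    h64, p64, _ = token.split(".")
    return json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))

if __name__ == "__main__":
    pub, priv = generate_rsa_keypair()
    ISS, AUD = "https://idp.example.test/", "https://api.example.test/"   # constructed values
    tok = idp_issue_token(priv, ISS, AUD, "alice", "read:orders")
    print(verify_jwt(extract_jwt({"authorization": "bearer " + tok}), pub, ISS, AUD))
```

The order matters in the same way it does in the proxy: verify_jwt pins the algorithm before touching the signature, checks the signature before reading any claim, and only then compares issuer, audience and expiry; decode_jwt trusts nothing and is safe only because the token already passed verify_jwt. The gateway holds only the public half of the key, which is why the certificate in the Verify JWT policy is enough and the IdP's private key never leaves the IdP.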
In conclusion, SAP API Management is an incredible solution for businesses of all sizes. With an intuitive user interface and comprehensive toolset, SAP API Management makes it easier to manage security, control, and monetize APIs.
The key to success in today’s digital world is securely and efficiently exposing data, services and applications to customers, partners and employees. SAP API Management provides the perfect solution to this challenge, with a comprehensive suite of features designed to make it easier to build, secure and manage APIs.
From the moment you open the SAP API Management dashboard, you’ll appreciate its ease of use. All the tools and features you need are clearly laid out, with a simple drag-and-drop interface for creating new APIs. The intuitive user interface allows you to quickly and easily configure your APIs and access control settings. You can easily integrate with other systems, such as Salesforce or Microsoft Dynamics, or use the built-in analytics and reporting tools to get real-time insights into your API usage.
SAP API Management also provides out-of-the-box security features. It includes a variety of authentication methods, such as OAuth 2.0, JWT and OpenID Connect, that ensure your APIs remain secure. Additionally, it provides an easy-to-use visual editor for creating custom authorization policies, so you can ensure only the users you want have access to your APIs.
Finally, SAP API Management makes it easy to monetize your APIs. It provides tools for setting up subscription plans and charging for usage, allowing you to unlock additional revenue streams.
In short, SAP API Management offers an all-in-one solution to manage, control and monetize APIs. Its intuitive user interface and comprehensive toolset make it the perfect solution for businesses of any size.