You can deploy APIs on Mulesoft Anypoint and configure it to validate access_tokens generated by CYM-Identity.
| Element | Comment |
|---|---|
| JWT Origin | Access tokens generated by CYM-Identity are Bearer tokens. You can pass them in a different header, but we recommend Bearer Authentication in the `Authorization` header, so that your API looks familiar to developers who are used to Bearer tokens. |
| JWT Signing Method | CYM-Identity only supports RSA. |
| JWT Signing Key Length | Use the value that maps to the access token signing algorithm configured for your Resource Server. |
| JWT Key Origin | We strongly recommend using the JWKS URL; it makes key rotation easier to manage. |
| JWKS URL | URL of your Realm's JWKS. Make sure to use the same Realm as the Resource Server (`https://{realm.url}/oauth/{realm.name}/jwks`). |
| JWKS Caching Time To Live | Depends on how often you rotate your JWKS. |
| Skip Client ID Validation | We strongly recommend letting Anypoint validate the `client_id` of the calling application, which lets you use Anypoint's native security policies. To do this, refer to the Client Registration section below. |
| Client ID Expression | You can use the default behavior `#[vars.claimSet.client_id]`. |
| Validate Audience Claim | We strongly recommend letting Anypoint validate the `aud` claim. Configure it to match the `client_id` of your Resource Server. |
| Validate Expiration Claim | We strongly recommend letting Anypoint validate the `exp` claim. |
| Validate Not Before Claim | We strongly recommend letting Anypoint validate the `nbf` claim. |
| Validate Custom Claim | You can add further validation rules. Use the best practices below for enhanced security. |
- Only accept JWTs whose header has typ == 'at+jwt'.
- Not all access tokens allow API access. Validate the scopes (the scp claim in the JWT body) of each access token received. For example, validate the scp claim and only allow the methods that were granted: you can map scp: ['contacts.read'] to only allow GET methods on your API.
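As an added example (not code from this page, CYM-Identity or Anypoint), the checks above expressed in Python: the typ, aud, exp, nbf and client_id checks plus a scp-to-HTTP-method map that generalizes the contacts.read -> GET mapping to several scopes. Signature verification against the JWKS URL is assumed to have already been done by Anypoint before these checks run; the token, audience and scope names are constructed for the example.

```python
import base64
import json
import time

# Constructed scope -> allowed HTTP methods map. The page's own instance is
# contacts.read -> GET; contacts.write is an assumed second scope for illustration.
SCOPE_METHODS = {
    "contacts.read": {"GET"},
    "contacts.write": {"POST", "PUT", "PATCH", "DELETE"},
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str):
    """Split a compact JWT into header and claim set. The signature is NOT
    checked here: the JWKS-based verification is assumed done upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def authorize(token: str, expected_aud: str, method: str, now=None):
    """Return (allowed, reason) after applying typ, aud, exp, nbf, client_id and scp checks."""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    if header.get("typ") != "at+jwt":          # only RFC 9068 access tokens
        return False, "typ is not at+jwt"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"             # aud must equal the Resource Server client_id
    if "exp" not in claims or now >= claims["exp"]:
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    if not claims.get("client_id"):
        return False, "missing client_id"
    scopes = claims.get("scp", [])
    scopes = scopes.split() if isinstance(scopes, str) else scopes
    allowed = set().union(*(SCOPE_METHODS.get(s, set()) for s in scopes))
    if method.upper() not in allowed:           # scope grants decide which methods pass
        return False, f"scope does not permit {method}"
    return True, "ok"

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed sample token with an empty signature segment (demo only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."
```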
You can configure CYM-Identity and Mulesoft Anypoint to provision the same client in both systems. This lets you strongly validate and control access to your APIs on Anypoint.
coming soon :)