06/10/2020
Warsaw MuleSoft Meetup Group
JSON Web Token demystified
Agenda
● Introductions & Community Updates
● Introduction to JWT
● JWT Validation Policy
● Consuming service with JWT validation policy
● Quiz & Lottery
● What’s next & Close
Introduction
Our partners
Organizer / Speaker
● Subject Matter Expert at PwC Poland
● MuleSoft Ambassador
● MuleSoft Meetup Leader for Warsaw, Poland
● Working with MuleSoft products for over 8 years now
● One of Salesforce Trailblazers: https://trailhead.salesforce.com/trailblazers/patryk-bandurski
Check out my integration blog: https://ambassadorpatryk.com/blog
Share the event
● Share the Meetup in your social media
● Use Hashtags
#MuleSoftMeetup
#WarsawMuleSoftMeetup
Thanks 
Community Updates
MuleSoft Connect:Now
MuleSoft CONNECT:Now
MuleSoft CONNECT:Now is a virtual experience bringing you a
full program of technical sessions and content, streamed online
for free!
Register for free: https://connect.mulesoft.com
Developer Meetups at CONNECT:Now events
Meet the MuleSoft Community!
● Hear technical use cases from customer and
partner MuleSoft experts around the globe
● Live chat with MuleSoft Ambassadors!
JOIN ONLINE FOR FREE:
EMEA: October 8, 2020
AMER: October 13, 2020
APAC: October 20, 2020
Register: https://connect.mulesoft.com/
Check out the technical presentations below:
Developer Meetup at CONNECT:Now EMEA
● Twitter
○ Felipe Ocadiz, MuleSoft Ambassador, IT Integration Engineer
○ How to become an Anypoint Studio ninja
● Saint-Gobain
○ Francis Edwards, MuleSoft Ambassador, Integration Analyst
○ Useful integration tools
JOIN FOR FREE: October 8, 2020 (10:30am-11:15am BST)
Register: https://connect.mulesoft.com/events/connect/emea
Check out the technical presentations below:
Developer Meetup at CONNECT:Now Americas
● AT&T
○ Brad Ringer, Principal System Engineer
○ MuleSoft Runtime Fabric: The road to success
● MuleSoft Ambassadress
○ Alexandra Martinez, Sr. MuleSoft Developer, Bits in Glass
○ Reviewing a complex DataWeave transformation
JOIN FOR FREE: October 13, 2020 (10:30am-11:15am PDT)
Register: https://connect.mulesoft.com/events/connect/amer
Check out the technical presentations below:
Developer Meetup at CONNECT:Now JAPAC
● Datacom
○ Mary Joy Sabal, Sr. Integration Developer
○ Using Maven Archetypes to create MuleSoft API Project Templates
● MuleSoft Ambassador
○ Sravan Lingam, Consultant, Virtusa
○ Create a virtual Tic-Tac-Toe game using Object Store v2
JOIN FOR FREE: October 20, 2020 (2:30pm-3:15pm AEDT)
Register: https://connect.mulesoft.com/events/connect/japac
Follow Mariana Lemus on LinkedIn
MuleSoft Ambassadors
● People to learn from
● Active in the MuleSoft Community
● Worth following
● 20 MuleSoft Ambassadors: https://developer.mulesoft.com/dev/ambassadors
MuleSoft Partnership
● MuleSoft Partner Calendar
● Free online tutored Development Fundamentals available now!
● Visit Partnership Calendar https://www.mulesoft.com/integration-partner/program/calendar
● Other interesting calendars:
Introduction
JSON Web Token Demystified
JSON Web Token
„JSON web token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Again, JWT is a standard, meaning that all JWTs are tokens, but not all tokens are JWTs.” (Auth0 Docs)
https://tools.ietf.org/html/rfc7515
JWS Structure
● JOSE Header
○ Algorithm used to sign
● Payload
○ Claims – statements about the caller/user. There are registered claims, public claims and private claims.
● Signature
○ Signature over the encoded header and payload parts
Payload part of JWS
Claim property | Claim name | Description | Example
--- | --- | --- | ---
iss | Issuer | Issuer of the JWT | Me
sub | Subject | Subject of the JWT (the user) | Bob
aud | Audience | Recipient for which the JWT is intended | https://api.ambassadorpatryk.com
nbf | Not Before | Time before which the JWT must not be accepted for processing. Unix timestamp. | 1516239022
iat | Issued At | Time at which the JWT was issued; can be used to determine the age of the JWT. Unix timestamp. | 1516239022
id | Id | Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once) | b32737dc-adb0-4faf-8e38-7d0478f18a2e
exp | Expiration Time | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. Unix timestamp. | 1516239022
Signature
Signing input: base64urlEncoded(Header) + "." + base64urlEncoded(Payload)
JWT Validation Policy
● Supports
○ RS256, RS384, RS512 (RSA)
○ HS256, HS384, HS512 (HMAC)
● Supports registered claims and custom claims
● JWT Key
○ Static private value
○ Dynamically retrieved from JWKS
● Read more -> https://docs.mulesoft.com/api-manager/2.x/policy-mule4-jwt-validation
RSA256 with extra validation
• Registered claims
• Private claims (mandatory, not mandatory)
DEMO
Setup JWT validation policy
[DEMO] JWT Validation Policy
Configuration
● Authorization header
● RSA 256 signing algorithm
● Public key static in policy
[DEMO] JWT Validation Policy
Configuration
● Do not validate client id
● Validate audience (aud)
○ Expected values one of
■ pl-lb.anypointdns.com
■ Api.patrykbandurski.com
■ test.patrykbandurski.com
● Expiration (exp) is mandatory
● Apply to all methods and resources
[DEMO] JWT Validation Policy
Generate JWS and place it in authorization header
400 Bad Request – no authorization header
401 Unauthorized – wrong token
[DEMO] JWT Validation Policy
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG
event:d87e0230-064c-11eb-a171-066db5e9ec56 Token was parsed successfully.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG
event:d87e0230-064c-11eb-a171-066db5e9ec56 Ready to validate the signature of the token.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG
event:d87e0230-064c-11eb-a171-066db5e9ec56 Token signature successfully validated.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG
event:d87e0230-064c-11eb-a171-066db5e9ec56 Validating aud claim.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG
event:d87e0230-064c-11eb-a171-066db5e9ec56 The server did not identify with the any of the
audiences '[aapi.patrykbandurski.com].'
DEBUG com.mulesoft.extension.policies.jwt on logging
[DEMO] JWT Validation Policy
● jwt.io
● Generate token
● Aud, iat, exp
● Public & private key
● Remember! Do not use online tools to generate
[DEMO] JWT Validation Policy
● Required and optional private claims
● Static comparison
● Complex expression with DataWeave
Required claim email is not present in the JWT. Token will be rejected.
[DEMO] JWT Validation Policy
● Non-mandatory claims
○ Validated only when the claim name is present
○ Can be complex – DataWeave – example: roles is an Array having at least one item. Available values are USER, ADMIN or CONTRIBUTOR
○ Refer to the claim via vars.claimSet.[claim-name]
In case of a failed condition, the log file will record "Condition ... not met"
JWKS (JSON Web Keys Set)
● Set of keys containing the public keys used to verify any JWT
● JWK (JSON Web Key) – JSON object representing a cryptographic key
● Rotation of the keys at ease
● Key retrieved dynamically
JWK
{
  "kty": "RSA",
  "e": "AQAB",
  "alg": "RS256",
  "kid": "uniqueid",
  "n": "lgyuFifEOODgA4rZP2gQUunm_nM4G5a9aHoLkEosrMPuD4LClPbke9nn0LUJ4H-M_3rX9-yXhjzhjrduUDcImVMBATN7UsYOxYOZvqUjRf72y1eNjIWMnLBCWBuQZrhqN73ttCOJLg28llI-65XDfd6qeOlSlGWQD1YSGjX8cHDXoADXOpKrwPZy1ghkJMMtsvFxQNJd8hVvmzPlq-jefOXFOcsBjCB-QQkA3Lty0dScKPKfFQVooZxVhqU_r2wrSvviAdl8pN5yKmhcmT9S9Ke-mfpJXOnYB9y3Z9xRb0RFQBhrDBLNEc1TDCeRX2RZ-A9pUJ0IbG-b-rFlQYjNOw"
}
Working with JWKS
● Provide URL to JWKS – publicly available
● 503 Service Unavailable – JWKS is not accessible
● 401 Unauthorized – signing error
RSA256 using JSON Web Keys Set
DEMO
Setup JWT validation policy
[DEMO] JWT Validation Policy - JWKS
● JWKS service
● Standard which allows a customer to rotate public keys
[DEMO] JWT Validation Policy - JWKS
● URL to JWKS
[DEMO] JWT Validation Policy - JWKS
JSON Web Keys Set:
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "alg": "RS256",
      "kid": "uniqueid",
      "n": "…"
    }
  ]
}
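As an added example (not code from the slides or from the MuleSoft policy), the whole path in Python: a token is assembled as base64url(header).base64url(payload).signature, the verification key is picked from a JWKS by kid, and the claim checks from the demo slides (aud one of the expected values, exp mandatory, required private claim email, roles validated only when present) decide between 400, 503, 401 and success. It uses HS256 with a constructed symmetric "oct" key so that it runs on the standard library alone; the RS256 setup on the slides differs only in the verifier used at the signature step.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key material (not from the slides): a symmetric "oct" JWK keeps the example on
# the standard library. The slides' RSA JWK is selected by "kid" in exactly the same way.
DEMO_KEY = b"constructed-demo-secret-0001"
JWKS = {"keys": [{"kty": "oct", "alg": "HS256", "kid": "uniqueid", "k": b64url_encode(DEMO_KEY)}]}

# Policy settings mirrored from the demo slides.
EXPECTED_AUD = {"pl-lb.anypointdns.com", "api.patrykbandurski.com", "test.patrykbandurski.com"}
REQUIRED_CLAIMS = ("exp", "email")  # exp is mandatory; email is the required private claim
ALLOWED_ROLES = {"USER", "ADMIN", "CONTRIBUTOR"}


def sign(claims: dict, key: bytes, kid: str) -> str:
    """Compact JWS: base64url(header) . base64url(payload) . base64url(HMAC-SHA256 over both)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate(authorization: Optional[str], jwks: Optional[dict], now: int) -> Tuple[int, str]:
    """Return (HTTP status, reason) the way the policy decides: 400, 503, 401, or 200 on success."""
    if not authorization or not authorization.startswith("Bearer "):
        return 400, "no authorization header"
    if jwks is None:  # JWKS endpoint could not be fetched
        return 503, "JWKS is not accessible"
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "wrong token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return 401, "wrong token"
    # The policy is pinned to one algorithm; the token's own "alg" never selects the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(payload, dict):
        return 401, "unsupported token"
    kid = header.get("kid")
    key = next((k for k in jwks["keys"] if k.get("kty") == "oct" and k.get("kid") == kid), None)
    if not isinstance(kid, str) or key is None:
        return 401, "no key for kid"
    expected = hmac.new(b64url_decode(key["k"]), f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 401, "signing error"
    # Claims are inspected only after the signature has been verified.
    for name in REQUIRED_CLAIMS:
        if name not in payload:
            return 401, f"Required claim {name} is not present in the JWT"
    if not isinstance(payload["exp"], int) or payload["exp"] <= now:
        return 401, "token expired"
    if isinstance(payload.get("nbf"), int) and payload["nbf"] > now:
        return 401, "token not yet valid"
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(isinstance(a, str) and a in EXPECTED_AUD for a in auds):
        return 401, "The server did not identify with any of the audiences"
    roles = payload.get("roles")  # non-mandatory claim: the condition runs only when present
    if roles is not None and not (isinstance(roles, list) and roles
                                  and all(isinstance(r, str) and r in ALLOWED_ROLES for r in roles)):
        return 401, "Condition on roles not met"
    return 200, payload["email"]
```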
Consume 3rd party service with JWT Validation Policy
Generating JWS in Mule
● No native support in MuleSoft
● Salesforce OAuth JWT authentication mechanism
● Custom code:
○ Java
■ JJWT library https://github.com/jwtk/jjwt
○ Ruby
■ ruby-jwt library https://github.com/jwt/ruby-jwt
● Mule Custom Component:
○ JWT Component Extension https://github.com/dyeeye/jwt-component
JJWT sample code
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.PrivateKey;
// claims: registered claims to copy into the token; privKey: the RSA private key read from the
// keystore; algorithm: the JJWT constant name, e.g. "RS256"
String buildJws(Claims claims, PrivateKey privKey, String algorithm) {
    JwtBuilder builder = Jwts.builder()                            // (1) new token builder
        .setIssuer(claims.getIssuer())                             // (2) copy the registered claims
        .setSubject(claims.getSubject())
        .setAudience(claims.getAudience())
        .setNotBefore(claims.getNotBefore())
        .setIssuedAt(claims.getIssuedAt())
        .setId(claims.getId());
    String jws = builder
        .signWith(privKey, SignatureAlgorithm.valueOf(algorithm))  // (3) sign header + payload with the private key
        .compact();                                                // (4) serialise to the compact JWS form
    return jws;
}
JWT Component
● Supports signing algorithms
○ RSA 256, 384 and 512
○ HMAC 256, 384 and 512
● Claims
○ Registered
○ Private
● Visual support in Anypoint Studio
● Reads keystore from classpath
Service secured with JWT Validation Policy RSA
DEMO
Consume service
[DEMO] Generating JWT
[DEMO] Generating JWT
● Removed expected expiration claim
● 401 in return
Questions?
Quiz
Trivia Quiz
● Quiz parts:
○ Three warm-up questions (you won’t get points for them)
○ Five questions (for points)
● Remember!
○ The quicker you respond, the more points you earn
○ Only correct answers count 
Three winners of today’s quiz receive:
Free voucher for MuleSoft online training and exam
Lottery
● How it works?
○ I call an API that randomly selects three winners among checked-in attendees.
○ I will ask the winners by name and surname for their email
● Remember!
○ Prize is sponsored by
Three winners of today’s lottery receive:
Amazon Voucher for $50
Congratulations
● Congratulations to all the winners
○ of the Quiz
○ of the lottery
● Remember to send your email address to the organizer via the chat window!
Wrap up
Share your knowledge
● Become a speaker and share your knowledge with our community
● Submit your idea via this form: https://tinyurl.com/become-speaker
or via email patryk.bandurski@gmail.com
What’s next?
● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Invite your network to join: https://meetups.mulesoft.com/warsaw/
● Feedback:
○ Fill out the feedback survey and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program
See you next time
