These artifacts are for APIC v10 and v2018.
The artifacts showcase specific samples for IBM API Connect Global Policies and IBM API Connect User-Defined Policies (Custom Policies). 2 separate policies.
The extract-clientid-global-policy.yaml APIC Global Policy is a pre-flow policy, which will:
- Take the requestor's inbound JWT and Base64 decode.
- Extract the apicid and KID (key-ID) value from the decoded JWT.
- Then set the apicid to the client_id header for downstream processing on the APIC API, and set KID (Key-ID) value to a variable to be used downstream as well.
The validate-kid-udp.zip APIC User-Defined Policy is an Assemble policy, which each API requiring this specific security mechinism will use, which will:
- Take the set KID variable from the extract-clientid-global-policy (the clientid and key-id from above) and validate the list of KIDs from the response of the keystore which URL points to.
NOTE: This User-Defined policy has very specific needs, as it show cases how to call out to another system, parse through the response, and match a certain value (the KID in this case) with the value from the request to validate against. Although, you can update the code within the User-Defined Policy zip to validate whatever you need, and it does not have to be that elaborate (calling out to another system).
The global policy and custom policy allows for an API (published on IBM API Connect) capable of handing both:
- An authorization header (token) validation: to validate the client_id (from the global policy) and validate the Key-Id in the token (from the custom policy).
or - (Internal API callers) a client_id and client_secret validation will take place without key-id validation.
NOTE: The inbound client_id and client_secret field can be set to something different, like X-IBM-Client-Id, clientid, or etc., but it has to be updated in the extract-clientid-global-policy.yaml.
Next:
User-Defined Policy: Validate KID --> Deploy, use, and remove
Global Policy: Decode JWT and Extract client_ID --> Deploy, and remove