
SAP API Management policy "Verify JWT"

raffinkira
Participant
0 Kudos

Hi all,

I am using policy "Verify JWT" and have a question about how to get JWT in HTTP request.

If I set <Source>request.header.xxx</Source> in policy, and I set JWT in xxx in request header, it works.

But what if JWT is set like "Bearer KJD2uiKJ98Hkjhh2773d", in header Authorization?

"KJD2uiKJ98Hkjhh2773d" is my JWT but it begins with "Bearer", how can I get and verify in this case?

Accepted Solutions (1)

divyamary
Advisor
0 Kudos

Hi Ming,

Sharing a blog series on JWT token validation https://blogs.sap.com/2019/09/02/part-1-modeling-the-jwt-token-verification-flows-in-sap-cloud-platf... .

You can use the Source element of VerifyJWT token policy to provide the source of your JWT token. If Source is not present, VerifyJWT token policy will read the JWT token from the HTTP header named authorization, with the token passed in the format Bearer xxxxxx

Thanks and Best Regards,

Divya

raffinkira
Participant
0 Kudos

Hi, Divya, thanks for the reply, yes, I have tried and by default, policy would check authorization in header.

But what if I don't know where JWT was set in request, how can I find it in API management?

Are there some tools by which I can see the request object? I have used debug tool but looks like I cannot see request data there.

Answers (1)

divyamary
Advisor
0 Kudos

Hi Ming,

By default incoming request headers or payload are not logged in SAP Cloud Platform API Management. To see the incoming request headers, you would have to use a JS policy and loop through all the headers using context variable request.headers.

Thanks and Best Regards,

Divya
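
One way to write the header loop described in the answer above, as an added example that is not part of the original thread or SAP's own code. It reports which header carries a JWT and whether it has a "Bearer" prefix, without writing the token itself to any log. The function names, the sample headers and the debug.jwtLocation variable are assumptions made for this example, as is the availability of request.headers and context.setVariable in the policy runtime.

```javascript
// ES5 only, so the same code runs in a JavaScript policy and in Node.
var B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode base64url text without atob/Buffer; returns null on a foreign character.
function b64urlDecode(s) {
  var out = "", bits = 0, acc = 0, i, v;
  for (i = 0; i < s.length; i++) {
    v = B64URL.indexOf(s.charAt(i));
    if (v < 0) { return null; }
    acc = ((acc << 6) | v) & 0xffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

// Return the decoded JOSE header if value has the three-part compact JWS shape, else null.
function parseJwtHeader(value) {
  var parts = value.split("."), text, hdr;
  if (parts.length !== 3 || !parts[0] || !parts[1]) { return null; }
  text = b64urlDecode(parts[0]);
  if (text === null) { return null; }
  try { hdr = JSON.parse(text); } catch (e) { return null; }
  return (hdr && typeof hdr.alg === "string") ? hdr : null;
}

// headers: object mapping header name -> value. Records location and alg, never the token.
function locateJwt(headers) {
  var found = [], name, raw, m, hdr;
  for (name in headers) {
    raw = String(headers[name]);
    m = /^Bearer\s+(.+)$/i.exec(raw);          // strip the scheme if present
    hdr = parseJwtHeader(m ? m[1] : raw);
    if (hdr) { found.push({ header: name, bearerPrefix: !!m, alg: hdr.alg, length: raw.length }); }
  }
  return found;
}

// Constructed sample headers; the token is made up for this example, not a real credential.
var sampleHeaders = {
  "Content-Type": "application/json",
  "X-Request-Id": "a.b.c",
  "Authorization": "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"
};

// Inside a JavaScript policy (assumed runtime objects; debug.jwtLocation is a hypothetical name):
if (typeof context !== "undefined" && typeof request !== "undefined") {
  context.setVariable("debug.jwtLocation", JSON.stringify(locateJwt(request.headers)));
}
```

A header reported with bearerPrefix false is one that would need to be named in the Source element of the Verify JWT policy, as in the original question.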

raffinkira
Participant
0 Kudos

Thanks for the hint. I think in debug I can see header, but not body.

I would take a look at JS policy you mentioned afterwards, thank you.