MuleSoft JWT Demystified

06/10/2020
Warsaw MuleSoft Meetup Group
JSON Web Token demystified

2
● Introductions & Community Updates
● Introduction to JWT
● JSON Validation Policy
● Consuming service with JWT validation policy
● Quiz & Lottery
● What’s next & Close
Agenda

5
● Subject Matter Expert at PwC Poland
● MuleSoft Ambassador
● MuleSoft Meetup Leader for Warsaw, Poland
● Working with MuleSoft products for over 8 years now
● One of Salesforce Trailblazers
https://trailhead.salesforce.com/trailblazers/patryk-bandurski
Organizer / Speaker
Check out my integration blog
https://ambassadorpatryk.com/blog

Share the event
6
● Share the Meetup in your social media
● Use Hashtags
#MuleSoftMeetup
#WarsawMuleSoftMeetup
Thanks 

MuleSoft Connect:Now
Community Updated

8
MuleSoft CONNECT:Now
MuleSoft CONNECT:Now is a virtual experience bringing you a
full program of technical sessions and content, streamed online
for free!
Register for free: https://connect.mulesoft.com

9
Developer Meetups at CONNECT:Now events
Meet the MuleSoft Community!
● Hear technical use cases from customer and
partner MuleSoft experts around the globe
● Live chat with MuleSoft Ambassadors!
JOIN ONLINE FOR FREE:
EMEA: October 8, 2020
AMER: October 13, 2020
APAC: October 20, 2020
Register: https://connect.mulesoft.com/

Check out the technical presentations below:
Developer Meetup at CONNECT:Now EMEA
● Twitter
○ Felipe Ocadiz, MuleSoft Ambassador, IT Integration Engineer
○ How to become an Anypoint Studio ninja
● Saint-Gobain
○ Francis Edwards, MuleSoft Ambassador, Integration Analyst
○ Useful integration tools
JOIN FOR FREE: October 8, 2020 (10:30am-11:15am BST)
Register: https://connect.mulesoft.com/events/connect/emea

Developer Meetup at CONNECT:Now Americas
● AT&T
○ Brad Ringer, Principal System Engineer
○ MuleSoft Runtime Fabric: The road to success
● MuleSoft Ambassadress
○ Alexandra Martinez, Sr. MuleSoft Developer, Bits in Glass
○ Reviewing a complex DataWeave transformation
JOIN FOR FREE: October 13, 2020 (10:30am-11:15am PDT)
Register: https://connect.mulesoft.com/events/connect/amer

Developer Meetup at CONNECT:Now JAPAC
● Datacom
○ Mary Joy Sabal, Sr. Integration Developer
○ Using Maven Archetypes to create MuleSoft API Project Templates
● MuleSoft Ambassador
○ Sravan Lingam, Consultant, Virtusa
○ Create a virtual Tic-Tac-Toe game using Object Store v2
JOIN FOR FREE: October 20, 2020 (2:30pm-3:15pm AEDT)
Register: https://connect.mulesoft.com/events/connect/japac

13
Follow Mariana Lemus on
LinkedIn

MuleSoft Ambassadors
● People to learn from
● Active in the MuleSoft
Community
● Worth following
● 20 MuleSoft
Ambassadors:
https://developer.mules
oft.com/dev/ambassado
rs
14

● MuleSoft Partner Calendar
MuleSoft Partnership
● Free online tutored Development Fundamentals available now!
● Visit Partnership Calendar https://www.mulesoft.com/integration-partner/program/calendar
● Other interesting calendars:
15

Introduction
JSON Web Token Demystyfied

JSON Web Token
„JSON web token (JWT), pronounced "jot", is an
open standard (RFC 7519) that defines a
compact and self-contained way for securely
transmitting information between parties as a
JSON object. Again, JWT is a standard, meaning
that all JWTs are tokens, but not all tokens are
JWTs.” Auth0 Docs
https://tools.ietf.org/html/rfc7515

JWS Structure
● JOSE Header
○ Algorithm used to sign
● Payload
○ Claims – statements about caller/user. We have registered claims, public claims and
private claims.
● Signature
○ Signed encoded header and payload parts
18

Payload part of JWS
19
Claim
property
Claim name Description Example
iss Issuer Issuer of the JWT Me
sub Subject Subject of the JWT (the user) Bob
aud Audience Recipient for which the JWT is intended https://api.ambassadorpatryk.co
m
nbf Not Before Time before which the JWT must not be accepted for
processing. Unix timestamp.
1516239022
iat Issued At Time at which the JWT was issued; can be used to
determine age of the JWT. Unix timestamp.
1516239022
id Id Unique identifier; can be used to prevent the JWT
from being replayed (allows a token to be used only
once)
b32737dc-adb0-4faf-8e38-
7d0478f18a2e
exp Expiration Time identifies the expiration time on
or after which the JWT MUST NOT be accepted for
processing. Unix timestamp.
1516239022

Signature
base64urlEncoded(Header) + „.” +
base64urlEncoded(Payload)
20

JWT Validation Policy
● Supports
○ RS256, RS384, RS512 (RSA)
○ HS256, HS384, HS512 (HMAC)
● Supports registered claims and custom claims
● JWT Key
○ Static private value
○ Dynamicaly retrieved from JWKS
● Read more -> https://docs.mulesoft.com/api-manager/2.x/policy-mule4-jwt-validation
22

RSA256 with extra validation
• Registered claims
• Private claims (mandatory, not mandatory)
DEMO
Setup JWT validation policy

[DEMO] JWT Validation Policy
Configuration
● Authorization header
● RSA 256 signing algorithm
● Public key static in policy
24

Configuration
● Do not validate client id
● Validate audience (aud)
○ Expected values one of
■ pl-lb.anypointdns.com
■ Api.patrykbandurski.com
■ test.patrykbandurski.com
● Expiration (exp) is mandatory
● Apply to all methods and resources
25

Generate JWS and place it in authorization header
400 Bad Request – no authorization header
401 Unauthorized – wrong token
26

27
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG
event:d87e0230-064c-11eb-a171-066db5e9ec56 Token was parsed successfully.
event:d87e0230-064c-11eb-a171-066db5e9ec56 Ready to validate the signature of the token.
event:d87e0230-064c-11eb-a171-066db5e9ec56 Token signature successfully validated.
event:d87e0230-064c-11eb-a171-066db5e9ec56 Validating aud claim.
event:d87e0230-064c-11eb-a171-066db5e9ec56 The server did not identify with the any of the
audiences '[aapi.patrykbandurski.com].'
DEBUG com.mulesoft.extension.policies.jwt on logging

28
● jwt.io
● Generate token
● Aud, iat, exp
● Public & private
key
● Remember! Do
not use online
tools to generate

29
● Required and optional
private claims
● Static comparison
● Complex expression with
DataWeave
Required claim email is not present in the JWT. Token will be rejected.

30
● Non mandatory claims.
○ Validate when claim name prasent
○ Can be complex – DataWeave – example
roles is an Array haveing at least one item.
Available values are USER, ADMIN or
CONTRIBUTOR
○ Refer to claim via vars.claimSet.[claim-
name]
In case of failed condition, this will be saved in the log file "Condition ... not
met"

JWKS (JSON Web Keys Set)
● Set of keys contains the public keys
used to verify any JWT
● JWK (JSON Web Key) – JSON
object representing a cryptographic
key
● Rotation of the keys at ease
● Key retrieved dynamically
31

JWK
{
"kty": "RSA",
"e": "AQAB",
"alg": "RS256",
"kid": "uniqueid",
"n": "lgyuFifEOODgA4rZP2gQUunm_nM4G5a9aHoLkEosrMPuD4
LClPbke9nn0LUJ4H-M_3rX9-
yXhjzhjrduUDcImVMBATN7UsYOxYOZvqUjRf72y1eNjIWMnLBCWB
uQZrhqN73ttCOJLg28llI-
65XDfd6qeOlSlGWQD1YSGjX8cHDXoADXOpKrwPZy1ghkJMMtsvFx
QNJd8hVvmzPlq-jefOXFOcsBjCB-
QQkA3Lty0dScKPKfFQVooZxVhqU_r2wrSvviAdl8pN5yKmhcmT9S
9Ke-mfpJXOnYB9y3Z9xRb0RFQBhrDBLNEc1TDCeRX2RZ-
A9pUJ0IbG-b-rFlQYjNOw"
}
32

Working with JWKS
● Provide url to JWKS – publicly available
● 503 Service Unavailable– JWKS is not accessible
● 401 Unauthorized – signing error
33

RSA256 using JSON Web Keys Set
DEMO
Setup JWT validation policy

[DEMO] JWT Validation Policy - JWKS
● JWKS service
● Standard which allows customer
to rated public keys
35

● URL to JWKS
36

{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"alg": "RS256",
"kid": "uniqueid",
"n": "…"
}
]
}
37
JSON Web Keys Set:

Consume 3rd party service with
JWT Validation Policy

Generating JWS in Mule
● No native support in MuleSoft
● Salesforce OAuth JWT authentication mechanism
● Custom code:
○ JAVA
■ JJWT library https://github.com/jwtk/jjwt
○ Ruby
■ ruby-jwt library https://github.com/jwt/ruby-jwt
● Mule Custom Component:
○ JWT Component Extension https://github.com/dyeeye/jwt-component

JJWT sample code
JwtBuilder builder = Jwts.builder() // (1)
.setIssuer(claims.getIssuer()) // (2)
.setSubject(claims.getSubject())
.setAudience(claims.getAudience())
.setNotBefore(claims.getNotBefore())
.setIssuedAt(claims.getIssuedAt())
.setId(claims.getId());
String jws = builder
.signWith(privKey, SignatureAlgorithm.valueOf(algorithm)) // (3)
.compact(); // (4)
40

JWT Component
● Supports signing algorithms
○ RSA 256, 384 and 512
○ HMAC 256, 384 and 512
● Claims
○ Registered
○ Private
● Visual support in Anypoint Studio
● Reads keystore from classpath
41

Service secured with JWT Validation Policy RSA
DEMO
Consume service

[DEMO] Generating JWT
● Removed expected expiration claim
● 401 in return
44

Trivia Quiz
● Quiz parts:
○ Three warm-up questions (you won’t get point from
them)
○ Five questions (for points)
● Remember!
○ The quicker you respond more point you earn
○ Only good answers count 
47
Three winners of today’s
quiz receives:
Free voucher for MuleSoft
online training and exam

Lottery
● How it works?
○ I call API that selects randomly three winners
among checked-in attendees.
○ I will ask winners by Name & Surname for the
email
● Remember!
○ Prize is sponsored by
48
Three winners of today’s
lottery receives:
Amazon Voucher for 50$

Congratulation
● Congratulation to all the winners
○ of the Quiz
○ of the lottery
● Remember to send your email
address to the organizer via chat
window!
49

Share your knowledge
● Become a speaker and share your knowledge with our community
● Submit your idea via this form:
https://tinyurl.com/become-speaker
via email patryk.bandurski@gmail.com
or
51

52
● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Invite your network to join: https://meetups.mulesoft.com/warsaw/
● Feedback:
○ Fill out the survey feedback and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program
What’s next?

MuleSoft JWT Demystified

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a MuleSoft JWT Demystified

Similar a MuleSoft JWT Demystified (20)

Más de Patryk Bandurski

Más de Patryk Bandurski (13)

Último

Último (20)

MuleSoft JWT Demystified