Hi Thivya,

To check whether the JWT has been altered or not, you need to do a signature verification. Please refer to the articles.

[1] https://jwt.io/introduction/
[2] http://sanjeewamalalgoda.blogspot.com/2015/05/wso2-api-manager-decode-jwt-in-esb.html
[3] http://xacmlinfo.org/2015/03/19/validate-and-process-jwt-tokens-with-java/

Thanks and Best Regards,
Saneth Dharmakeerthi
Associate Technical Lead
WSO2, Inc.
Mobile: +94772325511

On Thu, Nov 23, 2017 at 11:10 AM, Thivya Mahenthirarasa <thi...@wso2.com> wrote:
> Hi Dev,
>
> I'm transferring some attributes by the claims of JSON Web Token (JWT) from
> the end user (APIM210) to my backend (ESB500) by following the WSO2 doc [1].
>
> And I have used Base64Utils to decode the header attributes and received the
> needed attribute at the synapse level of the ESB (backend). The piece of
> code is as follows.
>
> But I feel not satisfied that it's not a secure way, as this encoding and
> decoding can be modified by a third party during the communication.
>
> Could you help in suggesting ideas for achieving the validation in the
> ESB level (decoding should be done in the ESB level)?
>
> String jwt_assertion = (String) headers.get("x-jwt-assertion"); // the header element from jwt
> String[] jwt_assertion_items = jwt_assertion.split("\\.");
> byte[] byteArray = Base64Utils.decode(jwt_assertion_items[1]); // retrieve the JWT payload
>
> [1] https://docs.wso2.com/display/AM200/Passing+Enduser+Attributes+to+the+Backend+Using+JWT#PassingEnduserAttributestotheBackendUsingJWT-ChangingtheJWTencodingtoBase64URLencoding
>
> Thanks in advance
>
> Regards,
> Thivya
> --
> Thivya Mahenthirarasa
> Software Engineer - Support Team | WSO2
> Email: thi...@wso2.com
> Mobile: +94766461966
> Web: http://wso2.com
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
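Saneth's point above is that base64-decoding the payload proves nothing about integrity; the receiver has to recompute the signature over header.payload with the issuer's key and reject the token on mismatch. The following Python is an added example, not WSO2 or ESB code and not from the thread, using HS256 with a constructed shared secret so it runs offline. It assumes the same structure carries over to the RS256 case an API gateway typically uses, with the HMAC comparison replaced by an RSA signature check against the gateway's public certificate.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def verify_jwt_hs256(token, key, now=None):
    """Return the claims only if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects; never let the token pick it (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header: %r" % (header,))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: header or payload was altered, or wrong key")
    # Only now is the payload trustworthy; decoding it earlier would have "worked" on any token.
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] < (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def is_valid_jwt_hs256(token, key, now=None):
    # Boolean wrapper for callers that only need accept/reject.
    try:
        verify_jwt_hs256(token, key, now)
        return True
    except ValueError:
        return False

def sign_jwt_hs256(claims, key):
    # Stand-in for the issuing gateway, used only to construct sample tokens; not WSO2 code.
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)
```

A token whose payload segment was swapped after signing still base64-decodes cleanly, which is exactly why `verify_jwt_hs256` checks the signature before it returns any claim.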