How to secure an HTTP Service in IBM ACE using OAuth JWT ???


In my last post, Securing a Web Application using Basic Auth leveraging the IBM ACE Policies, I was asked about securing an application with OAuth. Although API managers like IBM API Connect, Google APIGEE, Kong Inc., Tyk etc. mostly handle the security of the APIs, it is worth learning!


How this idea landed:

Thoroughly explored the MuleSoft Anypoint Platform with policies, especially the JWT Policy. Big thanks to Jitendra Bafna (author of the MuleSoft Platform Architect's Guide); your videos helped me understand the majority of the concepts. Video links: Enforcing MuleSoft JWT Validation Policy using API Manager API; OAuth2: Authorize the MuleSoft API Using OKTA.

The implementation relies on the Java library Nimbus-JOSE-JWT (Documentation | Repository).

Helpful resource for a JWT overview: Document by Aram Tchekrekjian


Policy Builder (WebGUI):

The JWT Policy is built as a UserDefined Policy. Creating and editing UserDefined Policies by hand is error prone, hence I created a small WebUI (design inspired by the JWT Policy on the MuleSoft Anypoint Platform, themed on the IBM App Connect Enterprise Web UI).

Access the Policy Builder WebGUI here!!


Things I did:

  • Created Policy with customized key-value pairs for configuring the validation
  • Saved (multiple) policies in a Policy Project
  • Created a subflow which uses JCN (library used - Nimbus-JOSE-JWT)
  • The subflow is created as a part of Library for reusability
  • Created a JWT Provider (wanted better grip on JWT creation)
  • Created a JWT Testing app using the subflow mentioned above
  • Did manual testing and wrote automated testing script on Postman
  • Detailed documentation for the feature with test results
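To make the validation step in the list above concrete, here is an added example (my own illustration, not the code from the post's GitHub repo or the policy project) of what the Java Compute Node's subflow has to do with Nimbus-JOSE-JWT: read the policy's key-value pairs, pin the expected algorithm, verify the signature against the provider's RSA public key, and then check the time, issuer and audience claims. The policy key names (`jwt.issuer`, `jwt.audience`, `jwt.algorithm`, `jwt.clockSkewSeconds`), the issuer URL and the audience string are assumptions chosen for the demo; in the real subflow the JCN would take the `Authorization` header from the HTTP input and the key from the policy or a JWKS, and raise an exception to produce a 401 when `validate` rejects the token.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import java.util.Map;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Added example: validates a Bearer JWT against policy-style key/value settings.
 * A JCN in the subflow would load the policy and call validate() with the
 * "Authorization" header value; this class itself has no ACE dependency.
 * Policy key names are an assumption, not the post's own names.
 */
public class JwtPolicyValidator {

    private final String expectedIssuer;
    private final String expectedAudience;
    private final JWSAlgorithm expectedAlg;
    private final long clockSkewSeconds;
    private final JWSVerifier verifier;

    public JwtPolicyValidator(Map<String, String> policy, RSAPublicKey issuerKey) {
        this.expectedIssuer = policy.get("jwt.issuer");
        this.expectedAudience = policy.get("jwt.audience");
        this.expectedAlg = JWSAlgorithm.parse(policy.get("jwt.algorithm"));
        this.clockSkewSeconds = Long.parseLong(policy.getOrDefault("jwt.clockSkewSeconds", "0"));
        this.verifier = new RSASSAVerifier(issuerKey);
    }

    /** Returns the verified claims, or throws SecurityException with the reason the request must get a 401. */
    public JWTClaimsSet validate(String authorizationHeader) throws ParseException, JOSEException {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            throw new SecurityException("missing or malformed Authorization header");
        }
        SignedJWT jwt = SignedJWT.parse(authorizationHeader.substring("Bearer ".length()).trim());

        // Pin the algorithm from policy before touching the signature: a token whose
        // header names "none" or an HMAC alg is rejected without any key material involved.
        JWSHeader header = jwt.getHeader();
        if (!expectedAlg.equals(header.getAlgorithm())) {
            throw new SecurityException("unexpected alg: " + header.getAlgorithm());
        }
        if (!jwt.verify(verifier)) {
            throw new SecurityException("signature verification failed");
        }

        // Signature is good; now enforce the claims the policy cares about.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        long now = System.currentTimeMillis();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.getTime() + clockSkewSeconds * 1000 < now) {
            throw new SecurityException("token expired or has no exp claim");
        }
        Date nbf = claims.getNotBeforeTime();
        if (nbf != null && nbf.getTime() - clockSkewSeconds * 1000 > now) {
            throw new SecurityException("token not yet valid");
        }
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new SecurityException("issuer mismatch: " + claims.getIssuer());
        }
        List<String> aud = claims.getAudience();
        if (aud == null || !aud.contains(expectedAudience)) {
            throw new SecurityException("audience mismatch: " + aud);
        }
        return claims;
    }

    /** Stand-alone demo: a locally generated key stands in for the JWT Provider's signing key. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Map<String, String> policy = Map.of(              // constructed policy values
                "jwt.issuer", "https://jwt-provider.example/",
                "jwt.audience", "ace-http-service",
                "jwt.algorithm", "RS256",
                "jwt.clockSkewSeconds", "30");
        JwtPolicyValidator validator = new JwtPolicyValidator(policy, (RSAPublicKey) kp.getPublic());

        JWTClaimsSet good = new JWTClaimsSet.Builder()
                .issuer("https://jwt-provider.example/")
                .audience("ace-http-service")
                .subject("alice")
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + 300_000))
                .build();
        SignedJWT token = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("demo-key").build(), good);
        token.sign(new RSASSASigner(kp.getPrivate()));
        System.out.println("accepted subject: " + validator.validate("Bearer " + token.serialize()).getSubject());

        // Same signer, wrong audience: the signature is valid but the policy still rejects it.
        JWTClaimsSet wrongAud = new JWTClaimsSet.Builder(good).audience("some-other-service").build();
        SignedJWT bad = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), wrongAud);
        bad.sign(new RSASSASigner(kp.getPrivate()));
        try {
            validator.validate("Bearer " + bad.serialize());
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile it with `nimbus-jose-jwt` on the classpath and run `main`; the first token prints the accepted subject and the second is rejected with an audience mismatch. The order of checks matters: the algorithm is pinned before verification so the verifier is never asked to accept a token that names a different scheme, and claim checks run only after the signature holds, so an unsigned or tampered token never reaches the claim logic.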


Success! The service now requires a valid signed JWT.

Code is available on my GitHub Repo


Priya Shaw, Aakanksha Gupta, Sneha Bobade, Gireesh Kolli, Anjali Kumari, AVIJIT MONDAL, Avinash Arepaka, Yasharah Mirza, Deepika Ramesh Babu, Shivam G - you might find this interesting!


Tagging #Leaders for wider reach:

Karen Broughton-Mabbitt Ben Thompson Matt Roberts Sanjay Nagchowdhury Richard Huegill Girish Kumar Maganti Nagaraja Kalyan Chakravarthy Nemani Sandip Kulkarni Saravanakumar Swajai Purush Yeshwant Patodia Prashanth Sonnad Math (Y) Gurbachan Singh ANANDA JOARDAR ANIruddha Mukherjee Sravan Lingam


I hope the MuleSoft Community will not hate me for taking references from their Anypoint Portal or documentation.


Complete Documentation of JWT Implementation and Testing



#apisecurity #oauth2 #jwt #ibm #appconnect #appconnectenterprises #IntegrationBus #mulesoft #security #leaders #developers

Jitendra Bafna (author of the MuleSoft Platform Architect's Guide)

MuleSoft Practice Head and Architect | MuleSoft Ambassador | TOGAF 9 Certified | MuleSoft Meetup Leader and Speaker | 12x Salesforce Certified and 10x Superbadges | MuleSoft Delivery Champion | Trailhead Ranger | MBA

4 months

Thanks for sharing and mentioning my name.

Aram Tchekrekjian

Microsoft MVP | Daily tips to get better in .NET and C# | codingsonata.com | Technical Product Head at Aramex

1 year

If anyone is interested to learn how to implement JWT Authentication in ASP .NET Core Web API in .NET 7, you can follow my tutorial which also includes an implementation for refreshing the tokens. Feel free to let me know if you have any comment. https://codingsonata.com/apply-jwt-access-tokens-and-refresh-tokens-in-asp-net-core-web-api/

Qusay Salameh

Digital Transformation Specialist | Digital Development and Automation Manager | Systems Integration and Architecture Consultant

1 year

Great article and a helpful one, as I am starting to work on the same to implement the JWT. Thanks for sharing.

Aram Tchekrekjian

Microsoft MVP | Daily tips to get better in .NET and C# | codingsonata.com | Technical Product Head at Aramex

1 year

Great article Dipanjan, and thanks for the mention.
