Author: Ujala Kumar Yadav
This blog describes the process of creating JWT using the JWT Sign Module in MuleSoft.
JSON Web Token:
JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
JSON Web Token Structure:
JSON Web Token consist of three parts separated by dots (.), which are:
- Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used.
- Payload: The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data.
Do note that for signed tokens this information, though protected against tampering, is readable by anyone. Do not put secret information in the payload or header elements of a JWT unless it is encrypted.
- Signature: To create the signature part you have to take the Base64-URL encoded header, the Base64-URL encoded payload, a private key, the algorithm specified in the header, and sign that.
The following shows a JWT that has the previous header and payload encoded, and it is signed with a private key:
On several occasions we need to create JWT in Mule applications to authorize our APIS with the target systems. To-date, generating a signed JWT involves writing code, sometimes in DataWeave or Java, that completes the tasks of:
- Encoding the JSON-formatted header information
- Encoding the JSON-formatted payload information
- Constructing the signature by applying a cryptographic algorithm
- Combining the results into a Base64url encoded final result
MuleSoft JWT Sign Module simplifies this task, and removes the need for any coding effort.
Deploying to Exchange:
Deploy the module to AnyPoint Exchange, to make it available within your organization exchange using below steps:
- Add connected app client_id and client_secret in your settings.xml file for authentication:
Note: Make sure the server ID is the same in both pom.xml and settings.xml file and connected app has an exchange contributor role.
Refer link for more information on connected app authentication: https://apisero.com/connected-app-in-anypoint-platform/
- Clone below repository to your local machine.
- Open a terminal window, and navigate to the root directory of the repository.
- Execute the following command in your terminal window, replacing <YOUR_ORG_ID> with your AnyPoint Platform Organization ID.
This will publish the JWT connector to your organization exchange.
- Copy the dependency snippet from exchange and add it to your project’s pom.xml dependencies section.
- Once added as dependency in pom.xml, JWT connector will be available in Mule pallet:
- Add the Sign connector to your Mule flow.
- Specify the JSON-formatted header and payload parts of JWT in Sign connector:
- Add module configuration for Sign connector:
- Click on the add icon to create a new configuration.
- Select the signature algorithm from the drop down, eg: RS256.
- Enter the location of the private key file.
- Enter the passphrase that was used to encrypt the private key. Leave it empty in case of an unencrypted private key.
- Run the application and it will generate a JWT.
- Verify the generated JWT using public key:
This JWT module simplifies the process of generating JWT by removing coding efforts on DataWeave or Java. The generated JWT can be used as a Bearer token for authorization in subsequent http requests.