Extracting JWT claims using a custom class mediator

There might be instances where we need to extract the information carried in a JWT assertion inside our mediation sequences in order to do further manipulations. Since there is no out-of-the-box mediator for this task, we need to write our own custom class mediator to achieve it.

This blog describes how you can create a custom class mediator which extracts the claims from the JWT sent by WSO2 API Manager, inside a custom mediation sequence deployed in the WSO2 Micro Integrator.

Below is a deployment diagram which depicts the setup I am using for this sample. An API hosted in WSO2 API Manager uses an API exposed through the Micro Integrator as its backend service. In the custom orchestration of this backend service it is required to extract the name of the person who invoked the API through the API Manager, using the information stored in the JWT token.

Let’s get started

  1. Set up WSO2 API Manager and WSO2 Micro Integrator. I will refer to the two installation directories as APIM_HOME and MI_HOME.
  2. Enable JWT generation in the API Manager following this guide.
  3. Check out the repository from here and navigate to REPO_HOME/class-mediator-sample/class-mediator/jwt-decode-mediator-master.
  4. Run mvn clean install in this location and then navigate to the target folder, where you will find the artifact “wso2-jwt-decode-mediator-1.0.jar”.
  5. Copy that jar file to the MI_HOME/lib folder. This is the component which deploys the custom class mediator.
  6. Now we need to call this class mediator from inside a sequence. Deploy the carbon application which consists of a custom sequence that invokes this class through a Class mediator, and the API which uses this custom sequence as its orchestration flow.
  7. This is how the orchestration works in this sample.

7.1 The JWT is read from the transport header called “X-JWT-Assertion” and saved to a message-context property using a Property mediator. This header is sent by WSO2 API Manager to the Micro Integrator when making backend requests.

7.2 Next our custom class mediator is invoked. It retrieves the JWT from that property inside its implementation and extracts the username from the claims included in the token. Keep in mind that this is an ordinary HTTP header which any client able to reach the Micro Integrator directly can set, so the claims should only be trusted once the token's signature has been verified against the API Manager's certificate, or when the Micro Integrator is reachable solely from the API Manager gateway.

7.3 The class mediator then sets the username from the decoded JWT as a new property called “apim-enduser”. The sequence reads this property to populate the “name” value in the response payload returned to the user.

8. You can find the carbon application corresponding to the above scenario here. Deploy this .car file to MI_HOME/repository/deployment/carbonapps/.

9. Once this is done, restart the Micro Integrator server. If you have not changed the Micro Integrator's port offset, the backend service API will be accessible at http://localhost:8290/customer-mgt.

10. Now create an API in WSO2 API Manager with a “GET” resource named “/customer” to try out this use case. Provide http://localhost:8290/customer-mgt as the backend endpoint. If you are new to WSO2 API Manager, refer to this guide on creating a new API. Save and publish your API. You can find the API which I created here.

11. Next subscribe to and invoke this API. You will see the name of the API Manager application's owner in the response payload coming from the Micro Integrator, similar to below.

12. You will also notice two log lines in the Micro Integrator's carbon log file, similar to the ones below, when a request from the API Manager is made.

INFO {JwtDecodeMediator} — Printing the enduser coming from the APIM JWT token admin@carbon.super

INFO {LogMediator} — {api:Customer} APIM_END_USER = admin@carbon.super
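The following class mediator is an added example and is not the code from the blog's sample repository. It performs the same job as steps 7.1 to 7.3 (read the token from a property, pull out the username, expose it as “apim-enduser”) but refuses to trust the claims until the RS256 signature has been checked against the API Manager's certificate, the algorithm has been pinned and the token has not expired. The package name, class name, the “jwt” property name, the certificatePath and claimName mediator properties, and the default claim “sub” are assumptions; the Gson and Synapse classes are the ones shipped with the Micro Integrator runtime.

```java
// Added example, not the blog's sample code. Package, class, property and claim
// names are assumptions. Assumes synapse-core and Gson are on the Micro
// Integrator classpath (declare both with <scope>provided</scope> in the pom).
package com.example.mediators;

import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.util.Base64;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import org.apache.synapse.MessageContext;
import org.apache.synapse.mediators.AbstractMediator;

/**
 * Verifies the API Manager's backend JWT (RS256) against the gateway's
 * certificate, then copies one claim into the "apim-enduser" property.
 *
 * Sequence usage (assumed names):
 *   <property name="jwt" expression="$trp:X-JWT-Assertion"/>
 *   <class name="com.example.mediators.VerifiedJwtClaimMediator">
 *     <property name="certificatePath" value="/opt/mi/conf/apim-gateway.pem"/>
 *     <property name="claimName" value="sub"/>
 *   </class>
 */
public class VerifiedJwtClaimMediator extends AbstractMediator {

    private String certificatePath;          // PEM certificate exported from the APIM keystore
    private String claimName = "sub";        // claim to expose; override with <property name="claimName">
    private volatile PublicKey signingKey;   // cached after the first load

    public void setCertificatePath(String certificatePath) { this.certificatePath = certificatePath; }
    public void setClaimName(String claimName) { this.claimName = claimName; }

    @Override
    public boolean mediate(MessageContext ctx) {
        Object raw = ctx.getProperty("jwt");
        if (!(raw instanceof String) || ((String) raw).isEmpty()) {
            handleException("X-JWT-Assertion was not copied into the 'jwt' property", ctx);
        }
        try {
            String value = extractVerifiedClaim((String) raw, signingKey(), claimName);
            ctx.setProperty("apim-enduser", value);
            log.info("Printing the enduser coming from the APIM JWT token " + value);
            return true;
        } catch (Exception e) {
            // Fault the message instead of continuing with an unverified identity.
            handleException("JWT rejected: " + e.getMessage(), e, ctx);
            return false;
        }
    }

    private PublicKey signingKey() throws Exception {
        if (signingKey == null) {
            try (InputStream in = new FileInputStream(certificatePath)) {
                signingKey = CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
            }
        }
        return signingKey;
    }

    /** Checks alg, signature and exp before returning the claim; throws on any failure. */
    static String extractVerifiedClaim(String jwt, PublicKey key, String claim) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("JWT must have header.payload.signature");
        }
        Base64.Decoder b64 = Base64.getUrlDecoder();   // RFC 7515 base64url; padding is optional
        JsonObject header = parse(b64.decode(parts[0]));
        JsonElement alg = header.get("alg");
        // Pin the algorithm: never let the token choose it (alg=none, HS256 key confusion).
        if (alg == null || !"RS256".equals(alg.getAsString())) {
            throw new SecurityException("unexpected alg");
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!verifier.verify(b64.decode(parts[2]))) {
            throw new SecurityException("signature does not match the API Manager certificate");
        }
        JsonObject payload = parse(b64.decode(parts[1]));   // only parsed once the signature passes
        JsonElement exp = payload.get("exp");
        if (exp != null && exp.getAsLong() < System.currentTimeMillis() / 1000) {
            throw new SecurityException("token expired");
        }
        JsonElement value = payload.get(claim);
        if (value == null || value.isJsonNull()) {
            throw new IllegalArgumentException("claim '" + claim + "' not present");
        }
        return value.getAsString();
    }

    private static JsonObject parse(byte[] json) {
        return new JsonParser().parse(new String(json, StandardCharsets.UTF_8)).getAsJsonObject();
    }
}
```

The certificate file is the public half of the key the API Manager signs the backend JWT with; by default that is the “wso2carbon” entry of APIM_HOME/repository/resources/security/wso2carbon.jks, which keytool -exportcert -rfc -alias wso2carbon -keystore wso2carbon.jks -file apim-gateway.pem writes in the PEM form CertificateFactory accepts. If you rotate the gateway keystore, replace the PEM and restart the Micro Integrator, since the key is cached per mediator instance. The claim holding the end user varies between API Manager versions (“sub” or “http://wso2.org/claims/enduser”); decode one of your own tokens to confirm which one to configure.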

That is all it takes to extract JWT claims inside the Micro Integrator using a custom class mediator.

Lead Solutions Engineer at WSO2 | Loves coding | Loves writing