JWT Validation
To validate the JWT carried by incoming requests that invoke Oracle Integration flows, use the JWT_VALIDATION managed security policy. You can customize the security policy as needed for a connection definition.
Overview
The policy validates the JWT signature and claims, then asserts the user against Oracle Cloud Infrastructure Identity and Access Management (IAM). Many webhook publisher applications send a signed JWT with each request; the token is issued by a third-party provider, not by Oracle.
Oracle uses IAM to authenticate requests that invoke integrations. The policy parses the incoming JWT, verifies its signature against the issuer's key, reads the claims, takes the user from the subject claim, and checks that the user exists in IAM and holds the ServiceInvoker role. Only if the user is valid and authorized is the request allowed to invoke the integration.
To add the JWT Validation policy to your document, use the available authentication scheme template. See Implement a New Connection Definition.
Security Properties
A connection definition that uses this security policy defines the following properties in the securityProperties section. See Connection Properties and Sample Code.
The values in the name, displayName, shortDescription, and description columns list the default values that appear when you insert a security policy into an adapter definition document. You can update these values if needed.
name | displayName | shortDescription | description | Data type | Required | Recommendation |
---|---|---|---|---|---|---|
jwtToken | JWT Token | | | String | Yes | |
signatureKey | JWK URL | | | String | Yes | N/A |
subjectClaim | Subject claim Override | | | String | No | |
customClaimsValidation | Custom Claims Validation | | | String | No | |
Sample Code: JWT Validation
The following sample code shows the configuration of JWT validation. Keep in mind the following points about this code sample:
- The security policy extracts the JWT from the authorization header with the expression .request.headers.authorization|split(" ")|.[1], which takes the second space-separated field. It therefore assumes a header of the form "Bearer <token>" and does not itself check the scheme name.
- The security policy obtains the signature key from the signatureKey property. This key resolves to the JWK URL of the JWT issuer, such as "https://www.demosvc.com/oauth2/v3/certs"; the policy fetches the issuer's published keys from that URL to verify the signature.
- Because customClaimsValidation is empty, the policy validates only the standard JWT claims and doesn't validate any custom claims.
- Because subjectClaim is empty, the policy uses the default subject claim to identify the user, without any override.
{
  "connection": {
    "securityPolicies": [
      {
        "type": "managed",
        "policy": "JWT_VALIDATION",
        "scope": "TRIGGER",
        "securityProperties": [
          {
            "name": "jwtToken",
            "displayName": "JWT Token",
            "hidden": true,
            "required": true,
            "default": "${.request.headers.authorization|split(\" \")|.[1]}"
          },
          {
            "name": "signatureKey",
            "displayName": "JWK URL",
            "hidden": true,
            "required": true,
            "default": "https://www.demosvc.com/oauth2/v3/certs"
          },
          {
            "name": "subjectClaim",
            "displayName": "Subject claim Override",
            "hidden": true,
            "required": false,
            "default": ""
          },
          {
            "name": "customClaimsValidation",
            "displayName": "Custom Claims Validation",
            "hidden": true,
            "required": false,
            "default": ""
          }
        ]
      }
    ]
  }
}
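The following Python example walks through the same steps the Overview and the sample points above describe: take the token from the authorization header exactly as the split expression does, select the issuer's key by kid as a JWK URL lookup would, verify the signature, check the standard claims (iss, aud, exp, nbf) and any custom claims, read the subject from the default or an overridden subject claim, and finally confirm that the subject exists in the user directory with the ServiceInvoker role. It is an added illustration, not Oracle's implementation of the JWT_VALIDATION policy. Everything beyond the page is an assumption and is marked as such in the code: the issuer and audience values, the JWKS document (an HS256 "oct" key so that the example runs offline with the standard library, where real issuers publish RSA or EC keys), and the in-memory IAM_USERS directory that stands in for the IAM query.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed issuer and audience values (not from the page). The page's JWK URL is
# https://www.demosvc.com/oauth2/v3/certs, so its origin is assumed to be the issuer.
ISSUER = "https://www.demosvc.com"
AUDIENCE = "oracle-integration"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the document served at the signatureKey URL. An "oct" (HMAC)
# key keeps the example offline and standard-library only; the kid lookup is the same
# for the RSA/EC keys a real issuer publishes.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": b64url_encode(b"0123456789abcdef0123456789abcdef")}]}

# Constructed stand-in for the IAM user directory (the real policy queries OCI IAM).
IAM_USERS = {
    "webhook.publisher@example.com": {"roles": ["ServiceInvoker"]},
    "reader@example.com": {"roles": ["Viewer"]},
}


def extract_bearer_token(headers: dict) -> str:
    """Same field selection as ${.request.headers.authorization|split(" ")|.[1]},
    plus a scheme check so that e.g. a "Basic ..." header is not passed on as a JWT."""
    parts = headers.get("authorization", "").split(" ")
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
        raise ValueError("missing or malformed Authorization header")
    return parts[1]


def lookup_key(jwks: dict, kid) -> bytes:
    """Select the verification key by kid, as a JWK URL lookup would."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid and jwk.get("kty") == "oct":
            return b64url_decode(jwk["k"])
    raise ValueError(f"no usable key with kid {kid!r}")


def validate_jwt(token: str, jwks: dict, issuer: str, audience: str,
                 subject_claim: str = "sub", custom_claims: dict = None, now=None) -> str:
    """Verify the signature, the standard claims and any custom claims; return the subject."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token is not a compact JWS")
    h_b64, p_b64, s_b64 = segments
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the token's own "alg" must never choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    key = lookup_key(jwks, header.get("kid"))
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p_b64))  # trusted only after the signature check
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    for name, value in (custom_claims or {}).items():  # customClaimsValidation
        if claims.get(name) != value:
            raise ValueError(f"custom claim {name!r} mismatch")
    subject = claims.get(subject_claim)  # subjectClaim override, default "sub"
    if not subject:
        raise ValueError(f"subject claim {subject_claim!r} missing")
    return subject


def has_service_invoker_role(subject: str, users=IAM_USERS) -> bool:
    """Stand-in for the IAM assertion: user exists and holds ServiceInvoker."""
    user = users.get(subject)
    return user is not None and "ServiceInvoker" in user.get("roles", [])


def authorize_request(headers: dict, jwks=JWKS, issuer=ISSUER, audience=AUDIENCE, **kw) -> str:
    """The whole policy: extract, validate, assert the user, return the subject."""
    subject = validate_jwt(extract_bearer_token(headers), jwks, issuer, audience, **kw)
    if not has_service_invoker_role(subject):
        raise PermissionError(f"{subject} does not hold ServiceInvoker")
    return subject


def mint_token(claims: dict, kid: str = "k1", jwks=JWKS) -> str:
    """Plays the third-party issuer for the demo: signs claims with the shared oct key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(lookup_key(jwks, kid), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 300,
                      "sub": "webhook.publisher@example.com"})
    print(authorize_request({"authorization": "Bearer " + tok}, now=now))
```

Two choices matter in practice. The algorithm is pinned rather than read from the token header, because a verifier that honours whatever "alg" the token names is open to alg=none and key-confusion attacks. The claims are decoded only after the signature check succeeds, so an unsigned or tampered payload never reaches the claim or IAM logic, and a valid signature alone is not enough: an expired token, a wrong audience, or a subject that exists in IAM without ServiceInvoker is still rejected.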