The document summarizes a MuleSoft meetup event about JSON Web Tokens (JWT). The agenda included introductions, an introduction to JWT, a demonstration of a JWT validation policy in MuleSoft, generating JWTs, and a quiz with prizes. The speaker discussed what JWTs are, their structure, common claims, how to validate and consume JWTs using MuleSoft policies, and generating JWTs programmatically or with a custom component.
5. Organizer / Speaker
● Subject Matter Expert at PwC Poland
● MuleSoft Ambassador
● MuleSoft Meetup Leader for Warsaw, Poland
● Working with MuleSoft products for over 8 years now
● One of Salesforce Trailblazers: https://trailhead.salesforce.com/trailblazers/patryk-bandurski
● Check out my integration blog: https://ambassadorpatryk.com/blog
6. Share the event
● Share the Meetup in your social media
● Use Hashtags
#MuleSoftMeetup
#WarsawMuleSoftMeetup
Thanks
8. MuleSoft CONNECT:Now
MuleSoft CONNECT:Now is a virtual experience bringing you a full program of technical sessions and content, streamed online for free!
Register for free: https://connect.mulesoft.com
9. Developer Meetups at CONNECT:Now events
Meet the MuleSoft Community!
● Hear technical use cases from customer and partner MuleSoft experts around the globe
● Live chat with MuleSoft Ambassadors!
JOIN ONLINE FOR FREE:
EMEA: October 8, 2020
AMER: October 13, 2020
APAC: October 20, 2020
Register: https://connect.mulesoft.com/
10. Check out the technical presentations below:
Developer Meetup at CONNECT:Now EMEA
● Twitter
○ Felipe Ocadiz, MuleSoft Ambassador, IT Integration Engineer
○ How to become an Anypoint Studio ninja
● Saint-Gobain
○ Francis Edwards, MuleSoft Ambassador, Integration Analyst
○ Useful integration tools
JOIN FOR FREE: October 8, 2020 (10:30am-11:15am BST)
Register: https://connect.mulesoft.com/events/connect/emea
11. Check out the technical presentations below:
Developer Meetup at CONNECT:Now Americas
● AT&T
○ Brad Ringer, Principal System Engineer
○ MuleSoft Runtime Fabric: The road to success
● MuleSoft Ambassadress
○ Alexandra Martinez, Sr. MuleSoft Developer, Bits in Glass
○ Reviewing a complex DataWeave transformation
JOIN FOR FREE: October 13, 2020 (10:30am-11:15am PDT)
Register: https://connect.mulesoft.com/events/connect/amer
12. Check out the technical presentations below:
Developer Meetup at CONNECT:Now JAPAC
● Datacom
○ Mary Joy Sabal, Sr. Integration Developer
○ Using Maven Archetypes to create MuleSoft API Project Templates
● MuleSoft Ambassador
○ Sravan Lingam, Consultant, Virtusa
○ Create a virtual Tic-Tac-Toe game using Object Store v2
JOIN FOR FREE: October 20, 2020 (2:30pm-3:15pm AEDT)
Register: https://connect.mulesoft.com/events/connect/japac
14. MuleSoft Ambassadors
● People to learn from
● Active in the MuleSoft Community
● Worth following
● 20 MuleSoft Ambassadors: https://developer.mulesoft.com/dev/ambassadors
15. MuleSoft Partnership
● MuleSoft Partner Calendar
● Free online tutored Development Fundamentals available now!
● Visit Partnership Calendar https://www.mulesoft.com/integration-partner/program/calendar
● Other interesting calendars:
17. JSON Web Token
“JSON web token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Again, JWT is a standard, meaning that all JWTs are tokens, but not all tokens are JWTs.” (Auth0 Docs)
https://tools.ietf.org/html/rfc7515
18. JWS Structure
● JOSE Header
○ Algorithm used to sign
● Payload
○ Claims – statements about caller/user. We have registered claims, public claims and private claims.
● Signature
○ Signed encoded header and payload parts
19. Payload part of JWS
| Claim property | Claim name | Description | Example |
|---|---|---|---|
| iss | Issuer | Issuer of the JWT | Me |
| sub | Subject | Subject of the JWT (the user) | Bob |
| aud | Audience | Recipient for which the JWT is intended | https://api.ambassadorpatryk.com |
| nbf | Not Before | Time before which the JWT must not be accepted for processing. Unix timestamp. | 1516239022 |
| iat | Issued At | Time at which the JWT was issued; can be used to determine age of the JWT. Unix timestamp. | 1516239022 |
| id | Id | Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once) | b32737dc-adb0-4faf-8e38-7d0478f18a2e |
| exp | Expiration Time | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. Unix timestamp. | 1516239022 |
25. [DEMO] JWT Validation Policy
Configuration
● Do not validate client id
● Validate audience (aud)
○ Expected values one of
■ pl-lb.anypointdns.com
■ Api.patrykbandurski.com
■ test.patrykbandurski.com
● Expiration (exp) is mandatory
● Apply to all methods and resources
26. [DEMO] JWT Validation Policy
Generate JWS and place it in authorization header
400 Bad Request – no authorization header
401 Unauthorized – wrong token
27. [DEMO] JWT Validation Policy
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG event:d87e0230-064c-11eb-a171-066db5e9ec56 Token was parsed successfully.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG event:d87e0230-064c-11eb-a171-066db5e9ec56 Ready to validate the signature of the token.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG event:d87e0230-064c-11eb-a171-066db5e9ec56 Token signature successfully validated.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG event:d87e0230-064c-11eb-a171-066db5e9ec56 Validating aud claim.
[jwt-validation-1111044-sfdc-jwt-xapi-main].1111044-client-id-enforcementDEBUG event:d87e0230-064c-11eb-a171-066db5e9ec56 The server did not identify with the any of the audiences '[aapi.patrykbandurski.com].'
Log output above was captured with DEBUG logging on for com.mulesoft.extension.policies.jwt
28. [DEMO] JWT Validation Policy
● jwt.io
● Generate token
● aud, iat, exp
● Public & private key
● Remember! Do not use online tools to generate
29. [DEMO] JWT Validation Policy
● Required and optional private claims
● Static comparison
● Complex expression with DataWeave
Required claim email is not present in the JWT. Token will be rejected.
30. [DEMO] JWT Validation Policy
● Non-mandatory claims
○ Validated only when the claim name is present
○ Can be complex (DataWeave). Example: roles is an Array having at least one item. Available values are USER, ADMIN or CONTRIBUTOR
○ Refer to claim via vars.claimSet.[claim-name]
In case of a failed condition, this will be saved in the log file: "Condition ... not met"
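The mandatory and non-mandatory claim rules from the two slides above, as an added JavaScript example rather than the policy's DataWeave or the speaker's code. The email condition, the rule names and the reading that every roles item must be one of the three listed values are assumptions.

```javascript
// Added example: mandatory vs. non-mandatory custom claim rules.
// Each rule is a predicate over one value of the decoded claim set
// (what the page refers to as vars.claimSet.[claim-name]).
const ALLOWED_ROLES = ['USER', 'ADMIN', 'CONTRIBUTOR'];

const mandatoryClaims = {
  // Assumed condition: any non-empty string counts as an email here.
  email: (v) => typeof v === 'string' && v.length > 0,
};
const nonMandatoryClaims = {
  // roles must be an array with at least one item, all from the allowed set.
  roles: (v) => Array.isArray(v) && v.length >= 1 && v.every((r) => ALLOWED_ROLES.includes(r)),
};

function checkClaims(claimSet) {
  const errors = [];
  for (const [name, condition] of Object.entries(mandatoryClaims)) {
    if (claimSet[name] === undefined) {
      errors.push(`Required claim ${name} is not present in the JWT.`);
    } else if (!condition(claimSet[name])) {
      errors.push(`Condition for claim ${name} not met`);
    }
  }
  for (const [name, condition] of Object.entries(nonMandatoryClaims)) {
    // Checked only when present: a missing non-mandatory claim is not an error.
    if (claimSet[name] !== undefined && !condition(claimSet[name])) {
      errors.push(`Condition for claim ${name} not met`);
    }
  }
  return { accepted: errors.length === 0, errors };
}
```

Because a non-mandatory claim is checked only when present, a token that omits roles passes this step; make the claim mandatory if the API authorizes on it.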
31. JWKS (JSON Web Keys Set)
● Set of keys containing the public keys used to verify any JWT
● JWK (JSON Web Key) – JSON object representing a cryptographic key
● Keys can be rotated with ease
● Key retrieved dynamically
33. Working with JWKS
● Provide URL to JWKS – publicly available
● 503 Service Unavailable – JWKS is not accessible
● 401 Unauthorized – signing error
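The checks from the validation-policy demo (signature, aud, mandatory exp) combined with key lookup in a JWKS, as an added Node.js example that is not the policy's implementation or the speaker's code. The key id demo-key-1, the helper names and the in-memory JWKS are assumptions, and the key pair is generated on the fly.

```javascript
// Added example: RS256 check against a JWKS, then aud and exp.
const crypto = require('crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
// Audience values copied from the demo configuration on the page.
const EXPECTED_AUD = ['pl-lb.anypointdns.com', 'Api.patrykbandurski.com', 'test.patrykbandurski.com'];

// Constructed fixture: throwaway key pair; the public half is published as a one-key JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', use: 'sig' }] };

// Issuer side (hypothetical helper): build header.payload and sign it with the private key.
function signJws(claims, kid = 'demo-key-1') {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Gateway side: returns the HTTP status the page lists for each outcome.
function validate(authorization, keySet, now = Math.floor(Date.now() / 1000)) {
  if (!authorization) return 400;                    // no Authorization header
  if (!keySet) return 503;                           // JWKS could not be retrieved
  const parts = authorization.replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) return 401;
  let header, claims;
  try {
    [header, claims] = [decode(parts[0]), decode(parts[1])];
  } catch (e) {
    return 401;                                      // not valid base64url JSON
  }
  if (header?.alg !== 'RS256' || claims === null || typeof claims !== 'object') return 401;
  const jwk = keySet.keys.find((k) => k.kid === header.kid);
  if (!jwk) return 401;                              // unknown or rotated-out key id
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) return 401;
  const aud = [].concat(claims.aud ?? []);           // aud may be a string or an array
  if (!aud.some((a) => EXPECTED_AUD.includes(a))) return 401;
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 401; // exp is mandatory
  return 200;
}
```

The algorithm is pinned to RS256 on the verifier side instead of being read from the token header, and a kid that is absent from the key set is rejected, which is what makes rotating a key out of the JWKS effective.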
47. Trivia Quiz
● Quiz parts:
○ Three warm-up questions (you won’t get points for them)
○ Five questions (for points)
● Remember!
○ The quicker you respond, the more points you earn
○ Only good answers count
Three winners of today’s quiz receive: free voucher for MuleSoft online training and exam
48. Lottery
● How does it work?
○ I call an API that randomly selects three winners among checked-in attendees.
○ I will ask the winners, by name and surname, for their email
● Remember!
○ Prize is sponsored by
Three winners of today’s lottery receive: Amazon voucher for 50$
49. Congratulations
● Congratulations to all the winners
○ of the quiz
○ of the lottery
● Remember to send your email address to the organizer via chat window!
51. Share your knowledge
● Become a speaker and share your knowledge with our community
● Submit your idea via this form: https://tinyurl.com/become-speaker
or via email patryk.bandurski@gmail.com
52. What’s next?
● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Invite your network to join: https://meetups.mulesoft.com/warsaw/
● Feedback:
○ Fill out the survey feedback and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program