
Sunday, November 3, 2013

How to Test JWT caching in WSO2 API Manager

Before getting into this post, refer to http://ushanib.blogspot.com/2013/03/how-to-test-values-in-oauth2-token.html for the steps to enable the JWT token.
When you enable the JWT token in a distributed setup you have to enable it in both the publisher node and the key manager node:
Publisher node: so that the API template is changed accordingly.
Key manager node: so that the JWT is cached there.
JWT caching itself, however, only has to be enabled in the key manager node.

Steps:
=====
  1. First enable the JWT token as explained in the post above.
  2. To enable caching, set the following parameter to true in api-manager.xml under <AM_Home>/repository/conf:
    <EnableJWTCache>true</EnableJWTCache>

To Test :
======
  1. First, with caching disabled, view the results as explained in the post mentioned above.

  2. Then go to your My Applications page, as given in the screenshot below, and edit the name of the application you subscribed with. E.g., in the post mentioned above the subscription was made with DefaultApplication; rename it to app1.




  3. Then send an API call request and follow steps 11 to 15 of that post.

  4. After decoding the encoded value you will see the changed app name:

"http://wso2.org/claims/applicationname":"app1"

  5. Now enable JWT caching as given in step 2 above, rename the application to app2 and repeat step 3.

Observation :
==========
  1. Once you decode it, you will still see the application name as app1, because JWT caching is enabled and the app name is taken from the cache.

  2. But if you disable JWT caching and repeat the same steps, you will see the changed app name.

  3. If key manager or gateway caching is enabled together with JWT caching, you will still see the cached app name. And if JWT caching is disabled while gateway or key manager caching is enabled, you should not see the app name change either, as long as those caches still hold the earlier result.

Sunday, March 10, 2013

How to test the values in the OAuth2 token (authorization header) of the original client API Call request in WSO2 API Manager


The WSO2 API Manager is an ongoing project with continuous improvements and enhancements introduced with each new release to address new business challenges and customer expectations. WSO2 invites users, developers and enthusiasts to get involved, or to get the assistance of our development teams, at many different levels through online forums, mailing lists and support options. We are committed to ensuring you a fulfilling user experience at any level of involvement with the WSO2 API Manager. Reference and more information: http://docs.wso2.org/wiki/display/AM130/About+API+Manager



I hope the reader of this post has already installed WSO2 API Manager and has an idea of how to use the API Manager, OAuth2 tokens, JWT, client API calls, etc. If not, please refer to the documentation for installation and the user guide.
This blog post will be useful for anyone who wants to configure and test the authorization header of the original client API call request in API Manager.

Steps to follow

  1. Refer to the User Guide (http://dist.wso2.org/products/api-manager/1.1.1/WSO2APIManager-v1.1-GettingStarted.pdf) and follow the steps to create user roles, users and an application, and take it up to the publishing level.

  2. Before the above step, to be able to view the header values, refer to http://docs.wso2.org/wiki/display/AM130/Configure+JSON+Web+Token+%28JWT%29+Generation#ConfigureJSONWebTokenJWTGeneration-EnableTokenGeneration and set <EnableTokenGeneration>true</EnableTokenGeneration>.

  3. Start the server and create an API, publish it and subscribe to it from the API Store.

  4. Invoke the API and capture the outgoing message from the API Gateway.

  5. To perform the above step, configure TCPMon to view the API client call request. Place it so that it sees the request going from WSO2 API Manager to the respective backend interface: point the API's endpoint at the TCPMon listener and have TCPMon forward to the real backend.

  6. Once the API is published, make a GET, POST or PUT request using curl, a JMeter script or a REST client (the latest API Manager has its own REST client; the Chrome Advanced Rest Client application also works). Read more: http://docs.wso2.org/wiki/display/AM140/REST+APIs
     Token generation is explained in step 7.
    E.g.,
      curl -v -X POST -H "Content-Type: application/xml" -H "Authorization: Bearer <token>" -d @create.xml http://localhost:9280/app/1.0.0
      curl -v -X PUT -H "Content-Type: application/xml" -H "Authorization: Bearer <token>" -d @update.xml http://localhost:9280/app/1.0.0
     
  7. If you access the API as the application creator, use the Access Token shown in the API Store. Otherwise, as a consumer, follow steps 8-10 below to generate the bearer token from the Consumer Key and Consumer Secret of the relevant application in the API Store, once you have subscribed.
    Get both keys and paste them into a text editor together, separated by a colon, as below.
    E.g.,
      <Consumer key>:<Consumer secret>
      3kaBCHnXCYX9wgS0sFV2zGWqnRQa:YGynxN1Y43LsXCOU4gjkVuwYfoUa


  8. Then encode that string in Base64 (any Base64 encoder will do; note that Base64 is an encoding, not encryption, so the encoded value still reveals the consumer secret to anyone who sees it).
    E.g., Generated key : M2thQkNIblhDWVg5d2dTMHNGVjJ6R1dxblJRYTpZR3lueE4xWTQzTHNYQ09VNGdqa1Z1d1lmb1Vh



  9. Then generate the access token with curl against the login endpoint. For more reference: http://docs.wso2.org/wiki/display/AM140/User+Tokens
    The Authorization and Content-Type headers must be passed as two separate -H options; folding them into one string sends a single malformed header.

    curl -k -d "grant_type=password&username=admin&password=admin&scope=PRODUCTION" -H "Authorization: Basic M2thQkNIblhDWVg5d2dTMHNGVjJ6R1dxblJRYTpZR3lueE4xWTQzTHNYQ09VNGdqa1Z1d1lmb1Vh" -H "Content-Type: application/x-www-form-urlencoded" http://localhost:8280/login

    This is the OAuth2 password grant: the user's password and the consumer secret both travel in this request, so outside a local test send it over the HTTPS port rather than plain HTTP (-k only has an effect over HTTPS).

Response :
{"token_type":"bearer","expires_in":3600,"refresh_token":"401b9bca56c9afff8e9f8aece86181","access_token":"c822da634acba682187f17f32e6ed9e7"}

  10. Take the access token generated (e.g., c822da634acba682187f17f32e6ed9e7) and provide it as the token in the step 6 curl command, or as the JMeter script's TokenID variable: "Authorization: Bearer <token>".

  11. Now send an API call request using JMeter or curl (step 6).

  12. Observe TCPMon.

  13. You will see something like the below in TCPMon (the same JWT is carried in both the X-JWT-Assertion and the assertion header):
    GET http://10.100.2.115:12765/jaxrs_basic_44/services/customers/customerservice/customers/test1/123/test2 HTTP/1.1
    X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJTSEEyNTZ3aXRoUlNBIiwieDV0IjoiTm1KbU9HVXhNelpsWWpNMlpEUmhOVFpsWVRBMVl6ZGhaVFJpT1dFME5XSTJNMkptT1RjMVpBPT0ifQ==.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hbSIsImV4cCI6MTM2MjcyNDczMzc4NiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmVyIjoiYWRtaW4iLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9ubmFtZSI6IkRlZmF1bHRBcHBsaWNhdGlvbiIsaHR0cDovL3dzbzIub3JnL2NsYWltcy9hcGljb250ZXh0IjoiL0FBQSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pdGVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9lbmR1c2VyIjoiYWRtaW4ifQ.Q4Q1ET1SECUT1+OT3AEkNXuUnRg3ssUnWWyOt2Us8boBwjA9AYjnKvDnMqqaOJUjRzWqGdZjoYXycTlTmqFBVdNNq+V4Ol4FMcL5zA3mat4JvYQlvhtqD/3zP0pM7SrLCPQ8uCTWWVlX/y+bUg1F1MoKUGvpmACDbgdLtRT9Btc=
    assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJTSEEyNTZ3aXRoUlNBIiwieDV0IjoiTm1KbU9HVXhNelpsWWpNMlpEUmhOVFpsWVRBMVl6ZGhaVFJpT1dFME5XSTJNMkptT1RjMVpBPT0ifQ==.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hbSIsImV4cCI6MTM2MjcyNDczMzc4NiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmVyIjoiYWRtaW4iLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9ubmFtZSI6IkRlZmF1bHRBcHBsaWNhdGlvbiIsaHR0cDovL3dzbzIub3JnL2NsYWltcy9hcGljb250ZXh0IjoiL0FBQSIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pdGVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9lbmR1c2VyIjoiYWRtaW4ifQ.Q4Q1ET1SECUT1+OT3AEkNXuUnRg3ssUnWWyOt2Us8boBwjA9AYjnKvDnMqqaOJUjRzWqGdZjoYXycTlTmqFBVdNNq+V4Ol4FMcL5zA3mat4JvYQlvhtqD/3zP0pM7SrLCPQ8uCTWWVlX/y+bUg1F1MoKUGvpmACDbgdLtRT9Btc=
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Host: 10.100.2.115:12765
    Connection: Keep-Alive

  14. Copy the second part of the assertion header value, the part between the two '.' separators; that is where the claim values are carried. Base64-decode it. Note: the assertion consists of three parts separated by the '.' (period) character: the header, the claims and the signature.

  15. Decode it with any Base64 decoder and observe the claim values. The segments are plain Base64 (with '=' padding and '+' and '/' characters) rather than the base64url encoding JWT libraries expect, so a strict JWT library may refuse them; a plain Base64 decoder works.

    E.g., the decoded claims exactly as emitted. Note that the opening quote before http://wso2.org/claims/apicontext is missing, so this is not valid JSON for a strict parser, and that exp is a millisecond timestamp rather than the seconds JWT specifies:
    {"iss":"wso2.org/products/am","exp":1362724733786,"http://wso2.org/claims/subscriber":"admin","http://wso2.org/claims/applicationname":"DefaultApplication",http://wso2.org/claims/apicontext":"/AAA","http://wso2.org/claims/version":"1.0.0","http://wso2.org/claims/tier":"Unlimited","http://wso2.org/claims/enduser":"admin"}
    E.g., the same claims one per line, with the missing quote restored:
{"iss":"wso2.org/products/am","exp":1362724733786,
"http://wso2.org/claims/subscriber":"admin",
"http://wso2.org/claims/applicationname":"DefaultApplication",
"http://wso2.org/claims/apicontext":"/AAA",
"http://wso2.org/claims/version":"1.0.0",
"http://wso2.org/claims/tier":"Unlimited",
"http://wso2.org/claims/enduser":"admin"}