Note that the implementation below relies on undocumented variables, so it may break on a version upgrade.

Intro

My customer wanted to use a JWS to control access to an API, but he wanted the JWS to be signed with the key belonging to the certificate that the client application registered in the developer portal. Since that certificate registration is intended for Mutual TLS, we need to push the product a little further.

Preparation steps

– First, create a (dummy) API that has MTLS enabled and publish it, so that the certificate field shows up in the portal (if you don’t need the API itself, make it invisible at publish time).


– After that, upload the certificate for the application in the developer portal.


Preparation to get the signing endpoint working (only for demo cases)

– Create a `Crypto Key` object that is referenced by the JWT Generate policy of the API in DataPower, and attach (upload and select) your private key in PEM format to it.

Scenario

Normally the client would sign the JWS on its side and send the JWS to the API, where we validate it against the client’s public key from the portal.

In the YAML attached you’ll see that there is also a /sign endpoint. In the real world this wouldn’t be there, but here it represents the signing of the JWS on the client (client application) side.
The `teskey` it refers to is a `Crypto Key` object in DataPower that is the counterpart of the public key uploaded in the developer portal.

YAML

signvalidate_1.0.0.yaml

Example Calls

First we generate the JWS on the /sign endpoint:

curl -k -H "X-IBM-Client-Id:479b3df9-380e-4bda-8cc1-92718c88f9cd" -H "Content-Type: application/json" -X POST -d '{"t":"t"}' https://IP/ORG/CATALOG/signvalidate/sign

After that we use the JWS in the /validate call.

Response

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ0dm8iLCJhdWQiOiJ0aGUgd29ybGQiLCJleHAiOjE1MzEzMDM3MzcsImlhdCI6MTUzMTMwMDEzNywidCI6InQifQ.Wv94pc3mJCggTYt5suFyNcIy0mhqcpCDYlN96yk-bRTjzsniTWpQJg126CaGBjjg3Y6ZVNGSzFhoCoWql0Z6SNIQIQYZRdyM03p6v6tF7y1s9W4wMVVX68NzwPKAtdwoD0kCDZ3h6GwHXTLGuNBE6KvjMP-evJRA4YQSbtpLLrxOde6MceJprg1sMvUQxgE7EQeGMhk5h5t1c0YIpmES5hznJTd8k0Wl4FupzReAGdPsYWfsxHCKqHzUbQgzbuWJbloh1T2YFc32zwFjj67Q_GPWu-l-zhddSKPI7vASKPRazGvFBSspWWaZMVtE8C46wJn_ubjMeHHuNXJpTeM-yQ

Valid Request where the app has a certificate registered.

curl -k -H "X-IBM-Client-Id:479b3df9-380e-4bda-8cc1-92718c88f9cd" -H 'jwt:eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ0dm8iLCJhdWQiOiJ0aGUgd29ybGQiLCJleHAiOjE1MzEzMDAzNDQsImlhdCI6MTUzMTI5Njc0NCwidCI6InQifQ.OK4j1i4XIi8uCeF43EFJDqGVIsRBcEoy-oNL6Gaf0eWa4AsnDFG4J6EdHFFD6R0VC6ht-WY5uGFp1uFJQYjCKgmXSJwD2EJtOlGysFmfGYSUfTOGNj8PSprY7MGI-ZyYrODnWp2z9w0_PTpUE8ji6lIhPuqB-dV1IhQDlQZ5nU5wL1uKq-TBh78fJUNaNgbUJITM4LrzR3ftY6Ij6t4L1rW5lxQvLReyzSU208xbBZ3mL5OsgR_8ZKFboE2A9GPlNWQkRZfwC4n3MNpUcd3wgFhYmlsT_a-mJuWct2RWLjymwsfe3ID8F81o67MB8yHfLJBG2NrpZqfYgQH6ix0hDQ' https://IP/ORG/CATALOG/signvalidate/validate

Response

{"iss":"tvo","aud":"the world","exp":1531300344,"iat":1531296744,"t":"t"}

Invalid Request where the application has no certificate registered.

curl -k -H "X-IBM-Client-Id:1ab8edee-1d57-43ff-8e0c-4ae28a386b47" -H 'jwt:eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ0dm8iLCJhdWQiOiJ0aGUgd29ybGQiLCJleHAiOjE1MzEzMDAzNDQsImlhdCI6MTUzMTI5Njc0NCwidCI6InQifQ.OK4j1i4XIi8uCeF43EFJDqGVIsRBcEoy-oNL6Gaf0eWa4AsnDFG4J6EdHFFD6R0VC6ht-WY5uGFp1uFJQYjCKgmXSJwD2EJtOlGysFmfGYSUfTOGNj8PSprY7MGI-ZyYrODnWp2z9w0_PTpUE8ji6lIhPuqB-dV1IhQDlQZ5nU5wL1uKq-TBh78fJUNaNgbUJITM4LrzR3ftY6Ij6t4L1rW5lxQvLReyzSU208xbBZ3mL5OsgR_8ZKFboE2A9GPlNWQkRZfwC4n3MNpUcd3wgFhYmlsT_a-mJuWct2RWLjymwsfe3ID8F81o67MB8yHfLJBG2NrpZqfYgQH6ix0hDQ' https://IP/ORG/CATALOG/signvalidate/validate

Response

{ "httpCode":"500", "httpMessage":"Internal Error", "moreInformation":"application doesn't have a client cert registered" }
